Add source tarballs to release process #2804

pull sipa wants to merge 2 commits into bitcoin:master from sipa:srcrelease changing 4 files +24 −9
  1. sipa commented at 2:32 PM on June 29, 2013: member

    As git provides a way to export a tarball given a commit, it's very easy to add the creation of source releases, IMHO. We very much like people to build from git tags, but apparently this is hard or at least inconvenient for some infrastructure out there. I hope the overhead is minimal enough for those doing the release...

    This also disables the use of git-describe in exported source archives, as it results in a spurious error otherwise.

    I hope this closes #2476.

  2. Disable git-describe in tarball builds fb36e69674
  3. sipa commented at 2:43 PM on June 29, 2013: member

    Tested that an (Ubuntu) build of the resulting tar's content works, and results in a meaningful version being reported.

  4. johndillon commented at 4:30 PM on June 29, 2013: none

    Will the resulting tarballs be generated deterministically by the gitian build process as well so we can get signatures that the tarball matches the git tag?

  5. in doc/release-process.md:None in c860f4c068 outdated 
     100 | @@ -101,6 +101,11 @@ repackage gitian builds for release as stand-alone zip/tar/installer exe
 101 |  
 102 |   Build output expected: Bitcoin-Qt.dmg
 103 |  
 104 | +**Source tarballs:**
 105 | +
 106 | +	git archive --prefix=bitcoin-${VERSION}/ v${VERSION} -o bitcoin-${VERSION}-src.tar.gz
 107 | +	gunzip <bitcoin-${VERSION}-src.tar.gz | xz >bitcoin-${VERSION}-src.tar.xz
    luke-jr commented at 4:35 PM on June 29, 2013:

    git archive --format=tar --prefix=bitcoin-${VERSION}/ v${VERSION} | xz > bitcoin-${VERSION}-src.tar.xz

    sipa commented at 5:16 PM on June 29, 2013:

    If you only want an .xz distribution, sure. I assumed a "legacy" tar.gz might be useful too.

  6. sipa commented at 5:22 PM on June 29, 2013: member

    @johndillon The tar file is generated by git, and there's no source of randomness (the owner is set to root, the timestamps are equal to that of the last commit, and files are sorted alphabetically) as far as I can see - though this can obviously change in newer git versions. So it could be done inside gitian, I suppose, as that guarantees a consistent version of git to generate it.

  7. johndillon commented at 5:55 PM on June 29, 2013: none

    @sipa Provided that is true I'll ACK this patch.

    In some ways making it easier for distribution managers to distribute Bitcoin anything bothers me in that they represent a very real risk of compromise with very high rewards, but if they are going to do so this is a reasonable thing to provide.

  8. sipa commented at 12:15 PM on June 30, 2013: member

    Ok, I've moved the construction of the tar file inside gitian, so hopefully it is deterministic now.

    A few notes:

    • Currently, the gitian build script doesn't know the "name" of the version being built, so the tarball uses a subdir bitcoin/ rather than bitcoin-$VERSION/; I don't know how much that is uncommon/unexpected.
    • I've put it inside the Windows build, as I didn't want to create a full separate gitian build for just the source, and the Linux build gets run twice (32-bit, 64-bit) so it would be double work and the result would perhaps depend on the order in which you run the builds.
  9. robbak commented at 12:38 PM on June 30, 2013: contributor

    Thanks for taking this on.

    It would be best for a number of reasons if the sourceforge download was identical to the github generated file, at least at the time of release. We can then use github as a backup to sourceforge, or vice versa. If the files are different, then we have to choose between the two. Sourceforge is faster and way more reliable, with their endless array of mirrors.

    Mind you, I am torn on this one - not having the github hash in the directory makes things a lot simpler where I am concerned - although most of that complexity is managed by someone else.

    On 30 June 2013 22:15, Pieter Wuille notifications@github.com wrote:

    Ok, I've moved the construction of the tar file inside gitian, so hopefully it is deterministic now.

    A few notes:

    • Currently, the gitian build script doesn't know the "name" of the version being built, so the tarball uses a subdir bitcoin/ rather than bitcoin-$VERSION/; I don't know how much that is uncommon/unexpected.
    • I've put it inside the Windows build, as I didn't want to create a full separate gitian build for just the source, and the Linux build gets run twice (32-bit, 64-bit) so it would be double work and the result would perhaps depend on the order in which you run the builds.

    — Reply to this email directly or view it on GitHubhttps://github.com/bitcoin/bitcoin/pull/2804#issuecomment-20246227 .

  10. sipa commented at 12:48 PM on June 30, 2013: member

    With the current pullreq, there is no way that the hash will match what github builds. They have the tag name in the directory, and their compression seems worse (even for .tar.gz). However, you do get signed hashes of the tarball from every gitian builder.

  11. luke-jr commented at 1:43 PM on June 30, 2013: member

    Currently, even our binary tarballs and ZIPs are outside the signature mechanism, so I don't know how important doing a source tarball deterministically is. The end-user can always compare with the signed git tag, after all.

    In any case, I think deterministically having gitian generate the same tar.gz as github is possible anyway.

  12. sipa commented at 3:49 PM on June 30, 2013: member

    @luke-jr But the released .zip and .tar.gz files have hashes signed by gitian. True, the entire source tree is signed as well, but being able to just compare the hash on a single .tar.xz is certainly easier.

  13. sipa commented at 5:16 PM on June 30, 2013: member

    Updated again. The created tarballs should now be identical to github's at the tar level. I'm not able to produce a binary identically .gz file, however.

  14. Add source tarballs to gitian/release process 3efa1ab0ff
  15. sipa commented at 5:23 PM on June 30, 2013: member

    Got it, added -cn to gzip, and now they match the github .tar.gz files.

  16. theuni commented at 5:53 PM on July 2, 2013: member

    Note that #2805 handles bootstrapping and tarball generation, which I believe should make this PR unnecessary. Instead, gitian would have a separate descriptor for source generation (running 'make dist') which is then fed into the other builds.

  17. sipa commented at 10:32 PM on July 2, 2013: member

    Closing in favor of #2805 or its successor, as the plan seems to be to generate a source tarball through make dist running in gitian.

  18. sipa closed this on Jul 2, 2013
  19. Bushstar referenced this in commit 4d8ef35120 on Apr 5, 2019
  20. DrahtBot locked this on Sep 8, 2021
Contributors
sipajohndillonluke-jrrobbaktheuni
Linked (view graph)
#2476 no separate source code tarball download available
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me