Reproducible builds #906

Closed
mering opened this issue Oct 23, 2023 · 2 comments · Fixed by #1100
Labels
*out-of-scope Posted issue is not in scope of VS Code

Comments

mering commented Oct 23, 2023

Running the same build twice produces different archives as timestamps differ.

Please add an option --reproducible which would set the timestamp to a fixed value.

We are currently using the following workaround:

EXT_LOCAL_NAME="$(pwd)/my-extension.vsix"
vsce package --allow-missing-repository -o "${EXT_LOCAL_NAME}"

# Create reproducible archive by setting deterministic timestamp
TMPDIR="$(mktemp -d)"
unzip -q "${EXT_LOCAL_NAME}" -d "${TMPDIR}"
rm -f "${EXT_LOCAL_NAME}"
cd "${TMPDIR}" && find . -exec touch -d 1970-01-01T00:00:00Z "{}" \; && zip -q -r -oX "${EXT_LOCAL_NAME}" *
rm -rf "${TMPDIR}"

joaomoreno added the *out-of-scope (Posted issue is not in scope of VS Code) label Nov 24, 2023
@joaomoreno
Member

We closed this issue because we don't plan to address it in the foreseeable future. If you disagree and feel that this issue is crucial: we are happy to listen and to reconsider.

If you wonder what we are up to, please see our roadmap and issue reporting guidelines.

Thanks for your understanding, and happy coding!

joaomoreno closed this as not planned Nov 24, 2023
@scholarsmate

I think reproducible builds are something to reconsider. There are downstream projects that exist where reproducibility is at least important if not critical. While it may not be considered crucial with vsce in isolation, it can indeed be critical for other projects that use vsce.

luxass pushed a commit to luxass/vscode-vsce that referenced this issue Dec 15, 2024
Running the same build produces .vsix packages that have the same
content, but are not bit for bit the same, making it somewhat
complicated to verify reproducible builds. Two changes are needed to fix
this:

1. The mtime of each file added to the .vsix archive is included in each
   archive entry, so builds that happen at different times will have
   different entry timestamps. To fix this, if the SOURCE_DATE_EPOCH
   environment variable is defined, it is now used as entry timestamp
   value instead. Builds will now be reproducible as long as they set
   the same SOURCE_DATE_EPOCH value. If the environment variable is not
   defined or is not an integer, the current behavior is used.
2. The order that files are collected in preparation for packaging into
   the .vsix file is non-deterministic, which can lead to archives with
   the same content but in different orders. To fix this, files are
   sorted by archive entry name prior to adding.

Fixes microsoft#906
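
An added illustration of the two changes the commit message above describes (SOURCE_DATE_EPOCH as the entry timestamp, entries sorted by name), written in Python with the standard library; it is not code from vsce or from the commit. The function names, the sample files and the clamp to 1980 (the earliest date a ZIP entry can hold) are assumptions of this example.

```python
import hashlib
import io
import os
import time
import zipfile

DOS_EPOCH = 315532800  # 1980-01-01T00:00:00Z, earliest timestamp ZIP can store


def entry_date_time(environ=os.environ):
    """ZIP date_time tuple: SOURCE_DATE_EPOCH if it is an integer, else now."""
    try:
        epoch = int(environ.get("SOURCE_DATE_EPOCH", ""))
    except ValueError:
        epoch = int(time.time())  # unset or not an integer: non-reproducible
    # Assumption of this example: clamp instead of failing on pre-1980 values.
    return time.gmtime(max(epoch, DOS_EPOCH))[:6]


def build_archive(files, environ=os.environ):
    """Build a ZIP in memory from {entry_name: bytes}; return the archive bytes."""
    stamp = entry_date_time(environ)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed order, whatever the collection order
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3             # "Unix" on every build host
            info.external_attr = 0o644 << 16   # fixed mode, not the file system's
            zf.writestr(info, files[name])
    return buf.getvalue()


def digest(data):
    """SHA-256 of the archive bytes, the value two builders would compare."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample input: same content, collected in two different orders.
RUN_A = {"extension/package.json": b'{"name":"demo"}',
         "extension/out/main.js": b"exports.x=1;"}
RUN_B = dict(reversed(list(RUN_A.items())))
ENV = {"SOURCE_DATE_EPOCH": "1700000000"}

if __name__ == "__main__":
    same = digest(build_archive(RUN_A, ENV)) == digest(build_archive(RUN_B, ENV))
    print("bit-for-bit identical:", same)
```

The digests only match when both builds use the same SOURCE_DATE_EPOCH and the same compression library, so a verifier should record both alongside the published hash.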