
MediaWiki release tarballs should be bit-for-bit reproducible
Open, Needs Triage, Public

Description

Currently the MediaWiki release tarballs are generated by an individual person on their local workstation and then directly uploaded to releases.wikimedia.org for public usage. Having that process be bit-for-bit reproducible would allow setting up automated tests to ensure that those tarballs match what we expect them to match.

I ran diffoscope to compare the "official" 1.43.1 tarball and one I generated with makerelease2.py locally. The diff is here: https://people.wikimedia.org/~taavi/misc/diffoscope-mw-1.43-1/

Seemingly the main issue is that files include local usernames and file modification timestamps. I think we could for example use the date of the Git tag as a consistent timestamp?
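As an added example (not MediaWiki's makerelease2.py, and assuming only Python's standard tarfile and gzip modules): a tar.gz builder that pins the two things the diffoscope output points at, owner names and modification times, to fixed values, with the tag date passed in as a SOURCE_DATE_EPOCH-style integer. `demo()` builds a constructed stand-in tree twice with different mtimes and checks that the normalized archives are byte-identical while plain tarfile output is not.

```python
import gzip
import io
import os
import tarfile
import tempfile
from pathlib import Path


def reproducible_targz(src_dir: str, prefix: str, source_date_epoch: int) -> bytes:
    """tar.gz of src_dir whose bytes depend only on file contents, paths and exec bits."""
    src, raw = Path(src_dir), io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(src.rglob("*")):  # directory listing order is not stable
            info = tar.gettarinfo(str(path), arcname=f"{prefix}/{path.relative_to(src).as_posix()}")
            info.mtime = source_date_epoch    # e.g. the tag's commit date, never local mtime
            info.uid = info.gid = 0           # not the builder's uid/gid
            info.uname = info.gname = ""      # not the builder's username
            info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
            if info.isfile():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    out = io.BytesIO()  # gzip's own header holds a timestamp and filename: pin both
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=source_date_epoch, filename="") as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def naive_targz(src_dir: str, prefix: str) -> bytes:
    """Plain tarfile.add(): local mtimes, uid/gid, usernames and gzip time all leak in."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        tar.add(src_dir, arcname=prefix)
    return out.getvalue()


def make_tree(root: str, mtime: int) -> None:  # constructed stand-in for a checkout
    for rel in ("index.php", "includes/Setup.php"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php\n")
        os.utime(p, (mtime, mtime))


def demo(tag_epoch: int = 1_735_689_600) -> tuple:  # tag_epoch: constructed tag date
    """Return (reproducible builds identical?, naive builds identical?) for two checkouts."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, 1_700_000_000)
        make_tree(b, 1_710_000_000)
        same = reproducible_targz(a, "mediawiki-1.43.1", tag_epoch) == reproducible_targz(b, "mediawiki-1.43.1", tag_epoch)
        naive = naive_targz(a, "mediawiki-1.43.1") == naive_targz(b, "mediawiki-1.43.1")
    return same, naive
```

Feeding the output of `git log -1 --format=%ct <tag>` as `source_date_epoch` gives every rebuild of a tag the same timestamp, which is what lets an automated check compare its own build against the published tarball.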

Event Timeline

I note this is a little hard with how we don't run CI before we build tarballs.

If CI happens to fail after pushing to gerrit, we either need to force-submit the commits, and then fix in a follow-up, or fix, and know that there may be some (hopefully only minor) drift as things get fixed up to pass CI.