Is there a standard archive format with no file metadata?
For some context, I'm working on a package manager-like utility that supports building packages as a non-root user. I want to make sure that packages built by a root user and built by a non-root user are absolutely indistinguishable rather than, say, using a tar archive and ignoring the metadata.
Is there a format/utility a bit like tar where files and directories inside the archive don't (and ideally can't) contain metadata like permission bits, timestamps, and ownership-related info? I'd like the archive to be completely described by the directories and files that exist in it and the file contents (and thus it is incapable of storing symlinks or hard links either).
I'm also okay with an archive format that doesn't have the ability to distinguish between absolute and relative paths (i.e. /a/b and a/b map to the same thing because the archive's notion of a path is different from a Unix path).
archive reproducible-build
edited Mar 8 '17 at 22:39 – Gilles
asked Mar 8 '17 at 1:35 – Gregory Nisbet
Or you could stick with the archive file formats that exist, and do as Debian does: run pax or tar or whatever under fakeroot when building the archive for a package as a non-superuser.
– JdeBP
Mar 8 '17 at 3:39
Is there a way to strip the metadata from a tar archive after creating it? Or configure a cpio archive not to keep track of timestamps and permissions? I'm not trying to reinvent the wheel. I'd like to be able to inspect the archive after creating it.
– Gregory Nisbet
Mar 8 '17 at 4:14
Have you read the Debian wiki on reproducible builds?
– Gilles
Mar 8 '17 at 22:40
2 Answers
You cannot remove user information when using tar (or cpio) but can force them to avoid distinguishing who made the package. Using tar and forcing some parameters to avoid distinguishing the user who has built the package (see man tar):
- -P, --absolute-names: Force tar to not remove leading '/' (this is done by default). If you can don't put absolute paths on command line the path you mention will be kept (try to use -C or --change-directory if you cannot cd in the root dir you want)
- --owner: force user stored in tar file ignoring the actual owner of the files/directories (e.g. --owner=root)
- --group: force group stored in tar file (e.g. --group=root).
- --no-acls: avoids copying your own ACLs in tar file
- --numeric-owner, --numeric-group: masks the actual names of accounts on your local storing only UID/GID (not needed if you force root since root is always 0)
- --mtime: to force the modification time of all files/directories in order to mask when they were actually modified
Be aware that symlinks with absolute paths will be stored as is. However it is mainly better to always use relative symlinks when they point inside your package tree.
answered Mar 8 '17 at 9:22 – ppoilbarbe
The best I found was the following, which attempts to normalise by
- sorting the file list
- using numeric 0 for owner and group
- removing the r and w bits for the owner, and all the permissions for everyone else
- fixing the mtime to the UNIX epoch

    find <files> -print0 \
        | sort -z \
        | tar -cf <output>.tar \
            --format=posix \
            --numeric-owner \
            --owner=0 \
            --group=0 \
            --mode="go-rwx,u-rw" \
            --mtime='1970-01-01' \
            --no-recursion \
            --null \
            --files-from -

I wrote more about this at http://h2.jaguarpaw.co.uk/posts/reproducible-tar/
answered 51 mins ago – Tom Ellis
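An added example, not taken from either answer: it covers the asker's follow-up about stripping metadata from a tar archive that already exists, using Python's standard tarfile module instead of the tar command line. The names normalize_tar and make_sample, the constructed sample contents, and the fixed modes 0o755/0o644 are assumptions of this example.

```python
import io
import tarfile


def normalize_tar(data: bytes) -> bytes:
    """Rewrite a tar archive so that only paths and file contents survive."""
    entries = {}  # normalized path -> bytes for a file, None for a directory
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as src:
        for member in src:
            # "/a/b", "./a/b" and "a/b" all map to the archive path "a/b".
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            if ".." in parts:
                raise ValueError(f"path leaves the archive root: {member.name!r}")
            if not (member.isdir() or member.isreg()):
                # Symlinks, hard links, devices and FIFOs are refused.
                raise ValueError(f"unsupported entry type: {member.name!r}")
            # Record every parent directory, then the entry itself.
            for i in range(1, len(parts)):
                parent = "/".join(parts[:i])
                if entries.setdefault(parent, None) is not None:
                    raise ValueError(f"file used as a directory: {parent!r}")
            if parts:
                name = "/".join(parts)
                body = src.extractfile(member).read() if member.isreg() else None
                if name in entries and (entries[name] is None) != (body is None):
                    raise ValueError(f"file/directory conflict: {name!r}")
                entries[name] = body

    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as dst:
        for name in sorted(entries):  # fixed member order
            body = entries[name]
            info = tarfile.TarInfo(name)
            info.uid = info.gid = 0       # like --owner=0 --group=0
            info.uname = info.gname = ""  # no account names stored
            info.mtime = 0                # like --mtime='1970-01-01'
            if body is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                dst.addfile(info)
            else:
                info.type, info.mode, info.size = tarfile.REGTYPE, 0o644, len(body)
                dst.addfile(info, io.BytesIO(body))
    return out.getvalue()


def make_sample(prefix, uid, uname, mtime, mode, names):
    """Constructed input: the same two files as one particular builder packs them."""
    contents = {"pkg/bin/tool": b"#!/bin/sh\necho hi\n", "pkg/README": b"docs\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(prefix + name)
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            info.mtime, info.mode = mtime, mode
            info.size = len(contents[name])
            tar.addfile(info, io.BytesIO(contents[name]))
    return buf.getvalue()
```

Comparing a digest of the normalized bytes from a root build and a non-root build is then a direct check that the two packages are indistinguishable.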