It just appeared that the tar.gz we put online are not reproducible
because a timestamp is put by default into the archive. Passing "-n"
to gzip is sufficient to remove this timestamp, so let's do it, and
also make the gzip command configurable for more flexibility. Now
issuing the commands multiple times finally results in the same
archives being produced.
This should be backported to supported stable branches.
Given that some OSes have bash in /usr/local/bin and in order not to
give too easy an excuse to Olivier for not backporting fixes, let's
make a few scripts rely on /usr/bin/env bash instead of /bin/bash :-)
Currently only md5 signatures are generated. While md5
still is not broken with regard to preimage attacks, sha256
clearly is the current secure solution.
This patch should be backported to all supported branches.
Passing "-a" will make it easier to automatically create archives from
tagged repositories. It doesn't ask any question and doesn't return an
error when the current branch is not tagged nor if the release already
exists.
First we must not report an error when "git diff HEAD" fails. Second, we
don't want to "cd" to the home dir when "git rev-parse --show-toplevel"
returns an empty string. Third, we definitely want to check that a master
branch really exists in the current directory to avoid mistakes.
These ones have been used for several months already and are quite
convenient to emit new releases and backport fixes. I'm fed up with
having different versions on different machines, let's commit them
now.
Willy Tarreau
Tim Duesterhus