Avoid bootstrap issue and fix reproducibility

Robin Candaurequested to merge
repro_and_bootstrap into main

GNU does not include PO files (used for translations) in their git repositories. When building GNU software from git sources, PO files are downloaded during their bootstrap script in prepare() from https://translationproject.org/latest/ in an un-versioned way (see /latest/ in the URL):

[...]
Fetching gnulib PO files from https://translationproject.org/latest/
[...]

Aside from resulting in a file download during build (which should ideally be generally avoided), this also may break reproducibility. Indeed, since the PO files are downloaded in an unstable way, we can't guarantee the content / state of PO files at any given time across builds (see the current coreutils diffoscope output for instance).

On the specific case of wget, this also creates an additional bootstrap issue since the PO files are downloaded via wget, resulting in the wget package (make-)depending on itself:

[...]
Fetching gnulib PO files from https://translationproject.org/latest/
/build/wget/src/wget/gnulib/gnulib-tool.sh: line 5886: wget: command not found
[...]

So far, we have been working around this bootstrap issue via a custom $_bootstrap variable that skips the PO file downloading when set to 1. But it's fair to say that it isn't really an elegant solution and the self dependency leads to confusion.

Switching back to the custom dist tarballs (which contains the static translation files) as the primary source for the package is not desirable either as per our guidelines established in our RFC 46.

This commit aims to address those concerns by:

  • setting SKIP_PO=1 as an environment variable for the GNU bootstrap script: This skips the PO files downloading step from the bootstrap script; preventing downloading PO files from the internet during build, avoiding unpredictable state / content for said files for reproducible builds, as well as preventing the wget self dependency leading to bootstrap issues.
  • sourcing the signed custom dist tarball for $pkgver and generating / installing PO files from there: This prevents having a package without translation files altogether and it also ensures that the state of the translation files are predictable / matches the version of wget we are re-distributing.

All and all, we are still compiling the software from "transparent" sources (as defined in our RFC 46) and we are only installing translation files from an "intransparent" dist tarball (not an ideal solution altogether, but still better than the current setup in terms of packaging, bootstrapping and reproducible builds.

Edited by Robin Candau

Merge request reports