Arch Linux

Since the RFC about source transparency[1] we noticed some reproducible builds issues with GNU projects.

Their git repositories do not contain the entire (what we consider) source code and building from git causes downloads of additional files that aren't pinned by cryptographic checksums.

The packages can be reproduced shortly after they've been released, but become unreproducible over time. In some cases the package starts to fail-to-build-from-source because our integrity checks for source code inputs are failing (due to upstream editing)[2].

In some packages we fixed this already by taking the translations out of the released dist tarballs[3][4] (which is not elegant, but the best compromise at the moment).

The list is incomplete and updated as more instances are found.

[1]: https://rfc.archlinux.page/0046-upstream-package-sources/#transparency
[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/gdbm/-/issues/3
[3]: https://gitlab.archlinux.org/archlinux/packaging/packages/coreutils/-/merge_requests/2
[4]: https://gitlab.archlinux.org/archlinux/packaging/packages/wget/-/merge_requests/2

---

MR for diffutils opened: https://gitlab.archlinux.org/archlinux/packaging/packages/diffutils/-/merge_requests/4
MR for grep opened: https://gitlab.archlinux.org/archlinux/packaging/packages/grep/-/merge_requests/4
MR for gdbm opened: https://gitlab.archlinux.org/archlinux/packaging/packages/gdbm/-/merge_requests/2

Our grub package ships an unstable version that does not have a matching dist tarballs so we won't be able to apply the same fix for it.
We can either source a dist tarball from an older version of grub from the source array (but that means shipping potentially un-matching translation files to users), host translation files ourself (which is more manual labor for us), or stop shipping translations for grub... I guess neither of those are desirable...?