For some context, I'm working on a package manager-like utility that supports building packages as a non-root user. I want to make sure that packages built by a root user and built by a non-root user are absolutely indistinguishable rather than, say, using a tar archive and ignoring the metadata.
Is there a format/utility a bit like tar where files and directories inside the archive don't (and ideally can't) contain metadata like permission bits, timestamps, and ownership-related info? I'd like the archive to be completely described by the directories and files that exist in it and the file contents (and thus it is incapable of storing symlinks or hard links either).
I'm also okay with an archive format that doesn't have the ability to distinguish between absolute and relative paths (i.e. /a/b and a/b map to the same thing because the archive's notion of a path is different from a Unix path).
pax or tar or whatever under fakeroot when building the archive for a package as a non-superuser.
tar archive after creating it? Or configure a cpio archive not to keep track of timestamps and permissions? I'm not trying to reinvent the wheel. I'd like to be able to inspect the archive after creating it.
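One way to get the property asked for above while keeping the archive inspectable with ordinary tar tools, as an added example that is not part of the original post: write a USTAR archive in which every metadata field is a constant, so the bytes depend only on the names and contents. The function name `canonical_tar` and the fixed modes 0o644/0o755 are assumptions made for this example.

```python
import io
import os
import stat
import tarfile


def canonical_tar(root: str) -> bytes:
    """Archive `root` so the output bytes depend only on paths and contents."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            # Paths are stored relative to the root, so "/a/b" and "a/b"
            # cannot be told apart inside the archive.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, full))
    entries.sort()  # member order must not depend on directory listing order

    buf = io.BytesIO()
    # USTAR has no atime/ctime and no extended (pax) header records.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for rel, full in entries:
            st = os.lstat(full)
            info = tarfile.TarInfo(name=rel)
            info.uid = info.gid = 0          # same owner for root and non-root builds
            info.uname = info.gname = ""
            info.mtime = 0                   # no timestamps
            if stat.S_ISDIR(st.st_mode):
                info.type = tarfile.DIRTYPE
                info.mode = 0o755            # assumed constant, not read from disk
                tar.addfile(info)
            elif stat.S_ISREG(st.st_mode):
                info.mode = 0o644            # assumed constant, not read from disk
                info.size = st.st_size
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)    # hard links are stored as plain copies
            else:
                # Symlinks, devices, FIFOs and sockets are refused outright.
                raise ValueError(f"unsupported entry type: {rel}")
    return buf.getvalue()
```

The tar format still has the metadata fields, so the guarantee comes from the writer rather than the format; a consumer that wants to enforce it can reject any member whose uid, gid, mtime or mode differs from these constants.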