Mark,
On 10/12/23 13:15, Mark Thomas wrote:
> 12 Oct 2023 10:29:02 Christopher Schultz <ch...@christopherschultz.net>:
>> All,
>> I've been working on an "ant verify-release" target and I'm finding
>> that in the 9.0 release -- the one I'm using as a guinea pig -- the
>> SHA-512 hashes do not match for these artifacts:
>> apache-tomcat-9.0.82-fulldocs.tar.gz
>> apache-tomcat-9.0.82-src.tar.gz
>> apache-tomcat-9.0.82-src.zip
>> They have different file sizes. The *-src artifacts seem to be off
>> only by a few bytes (of file size, I haven't compared the contents
>> yet) but the fulldocs are quite different.
>> I'm thinking that maybe these artifacts aren't expected to match 100%
>> but I'm not entirely sure. If it's possible to get these to be
>> reproducible, I think it would be good.
>> I did notice that the build contains <fixcrlf> in many places and in
>> some places we are converting to CRLF and LF in others. Sometimes we
>> are using UTF-8 and ISO-8859-1 in others. These are always specified,
>> so I wouldn't expect there to be a problem in these areas with
>> reproducibility (because they are consistently inconsistent).
>> Building the fulldocs tar looks like we do not perform a fixcrlf on
>> all files that will go into the archive, so if Rémy built on Linux (he
>> did) and I verified on Windows (I did) I think maybe the line-endings
>> are the problem.
>> Do we want these artifacts to be 100% reproducible? If so, we have a
>> little bit of work to do.
> With the exact same version of Ant and the exact same JVM version and
> vendor the builds should be repeatable.
I'm using the exact same versions of the JDK and ant as Rémy, though it
is on a different platform. Should we expect cross-platform
repeatability? I should hope so. The other release artifacts I didn't
mention are all identical (e.g. binary tarballs, .zips, and .exes).
> I have checked repeatability across Linux / Windows for some versions
> and it was OK.
> Might need to diff the build.xml files to see if they have diverged.
I have committed my verify-release ant target to main. Please have a
look and see if you spot any errors in the implementation. I definitely
got different sha512 sums for the above 3 files when I performed the
build locally. NOTE: The verify-release target currently *ignores* the
checks for the above files on the off-chance it was intentional. But the
build will perform the checks and issue a notification... before telling
you that the build was perfect when it wasn't.
Since the tarball and .exes were identical, I reported the build as
"repeatable" for the vote.
I'm not yet able to test for repeatability for 11.0.x because I haven't
yet installed Java 21 on my Windows VM. Chocolatey doesn't yet have that
package and I'd prefer to use that to the standard packages from
Eclipse/Temurin/Adoptium/whatever because they are far easier to update.
-chris
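The diagnostic Chris is describing (artifact hashes that differ, where the suspected cause is CRLF/LF conversion on one platform) can be made mechanical. The following is an added example, not the verify-release target from Tomcat's build.xml and not code from anyone in this thread. It builds small tar.gz archives in memory with pinned tar and gzip timestamps (constructed stand-ins for a fulldocs tarball built on Linux and on Windows), compares their SHA-512 sums the way a release verification would, and when the sums differ it classifies the difference per member as line-endings only, real content, or metadata only (same files, different archive headers). The member names and contents are constructed sample data.

```python
import gzip
import hashlib
import io
import tarfile


def sha512_hex(blob):
    """SHA-512 of a whole artifact, as the release .sha512 files record it."""
    return hashlib.sha512(blob).hexdigest()


def build_tgz(members, mtime=0):
    """Build a tar.gz in memory from {path: bytes} with fixed timestamps,
    so two runs with identical content produce identical bytes (constructed
    stand-in for a build output such as a *-fulldocs.tar.gz)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(members):          # sorted: member order is part of the hash
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(members[name]))
    gz_buf = io.BytesIO()
    # gzip stores its own timestamp in the header; pin it or the hash changes per run
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=0) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def archive_members(blob):
    """Return {path: bytes} for every regular file in a tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def normalize_eol(data):
    """Map CRLF to LF so that a <fixcrlf>-style difference cancels out."""
    return data.replace(b"\r\n", b"\n")


def compare_archives(reference, candidate):
    """Classify how two tar.gz artifacts differ.

    Returns (status, details): status is one of 'identical', 'metadata-only',
    'line-endings-only' or 'content-differs'; details lists (path, kind)
    for each member that is not byte-identical.
    """
    if sha512_hex(reference) == sha512_hex(candidate):
        return "identical", []
    ref, cand = archive_members(reference), archive_members(candidate)
    details = []
    for name in sorted(set(ref) | set(cand)):
        if name not in ref or name not in cand:
            details.append((name, "missing"))
        elif ref[name] == cand[name]:
            continue                                   # byte-identical member
        elif normalize_eol(ref[name]) == normalize_eol(cand[name]):
            details.append((name, "line-endings"))     # only CRLF vs LF
        else:
            details.append((name, "content"))          # real difference: investigate
    if not details:
        status = "metadata-only"      # same files, different tar/gzip headers
    elif all(kind == "line-endings" for _, kind in details):
        status = "line-endings-only"
    else:
        status = "content-differs"
    return status, details


# Constructed sample archives: the "Linux" build uses LF throughout, the
# "Windows" build has CRLF in one HTML file, the third has edited content,
# the fourth has identical files but a different tar header mtime.
DOCS_LF = {"docs/index.html": b"<html>\n<body>hello</body>\n</html>\n",
           "docs/README": b"line 1\nline 2\n"}
DOCS_CRLF = {**DOCS_LF,
             "docs/index.html": DOCS_LF["docs/index.html"].replace(b"\n", b"\r\n")}
DOCS_CHANGED = {**DOCS_LF, "docs/README": b"line 1\nline 2 edited\n"}

LINUX_BUILD = build_tgz(DOCS_LF)
WINDOWS_BUILD = build_tgz(DOCS_CRLF)
CHANGED_BUILD = build_tgz(DOCS_CHANGED)
RETIMED_BUILD = build_tgz(DOCS_LF, mtime=1_700_000_000)


if __name__ == "__main__":
    for label, blob in [("windows", WINDOWS_BUILD), ("changed", CHANGED_BUILD),
                        ("retimed", RETIMED_BUILD)]:
        status, details = compare_archives(LINUX_BUILD, blob)
        print(f"{label}: {len(LINUX_BUILD)} vs {len(blob)} bytes -> {status} {details}")
```

Running it shows the two symptoms from the thread side by side: the CRLF build has a different size and SHA-512 yet differs only in line endings, while the edited build is flagged as a content difference that a release vote should not wave through. The metadata-only case is the reason a verification target compares hashes of the archive as distributed rather than of extracted files: tar and gzip headers carry timestamps that have to be pinned before cross-platform builds can be expected to hash identically.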
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org