Thanks to Lunar and dkg at the Internet Freedom Festival for showing me a bunch of cool tools (including diffoscope -- try it!) to help make reproducible builds. (If you don't know what there are or why they're important, please see https://reproducible-builds.org/ .)
OK, I've got pidgin-otr (and its dependencies) to a place where I can build it on two different machines and get identical .exe (the installer) and .zip files out. Now I'd like to see if others can get the same binaries as well. My build environment is a 64-bit Ubuntu 14.04, with packages updated to today (20 Mar 2016). TODO: make an explicit list of required packages and their versions, and perhaps some automated way to create a virtual machine, install those packages, and proceed (gitian?). If you have a similar build environment, I'd love to see whether you can reproduce these results. If you have a different one, I'd still be interested to see what comes out differently. If you want to give it a go: wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz tar xzvvf pidgin-otr-4.0.2-repro.tar.gz cd pidgin-otr-4.0.2 time bash -x INSTALL.mingw Note that the INSTALL.mingw script does some sudo stuff: it needs to install some packages you may not have (mingw32 nsis faketime) and install the dependency libraries in /usr/i586-mingw32msvc/. This build also does *not* build the Windows GTK or pidgin libraries from source. It simply downloads them from the Internet, but does check their sha256 checksums for correctness. It would be great if those two projects also published reproducible builds of those libraries, of course. When it's done (it takes about 6 minutes on my machines), see if you match: $ sha256sum pidgin-otr-4.0.2.{exe,zip} cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c pidgin-otr-4.0.2.exe aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238 pidgin-otr-4.0.2.zip If you don't, you can grab the files I created (independently on two machines) from here and use diffoscope to see what the differences are with your version: https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip https://diffoscope.org/ (you can install it yourself, or just use the online version at https://try.diffoscope.org/) Please report here either success, mismatched output (please include diffoscope output if possible), or build failures. Please include your build environment. Thanks, - Ian _______________________________________________ OTR-dev mailing list [email protected] http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
