On 20 Mar (12:42:28), Ian Goldberg wrote:
> Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
> a bunch of cool tools (including diffoscope -- try it!) to help make
> reproducible builds. (If you don't know what they are or why they're
> important, please see https://reproducible-builds.org/ .)
>
> OK, I've got pidgin-otr (and its dependencies) to a place where I can
> build it on two different machines and get identical .exe (the
> installer) and .zip files out. Now I'd like to see if others can get
> the same binaries as well.
>
> My build environment is a 64-bit Ubuntu 14.04, with packages updated to
> today (20 Mar 2016). TODO: make an explicit list of required packages
> and their versions, and perhaps some automated way to create a virtual
> machine, install those packages, and proceed (gitian?).
>
> If you have a similar build environment, I'd love to see whether you can
> reproduce these results. If you have a different one, I'd still be
> interested to see what comes out differently.
>
> If you want to give it a go:
>
> wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> tar xzvvf pidgin-otr-4.0.2-repro.tar.gz
> cd pidgin-otr-4.0.2
> time bash -x INSTALL.mingw
>
>
> Note that the INSTALL.mingw script does some sudo stuff: it needs to
> install some packages you may not have (mingw32 nsis faketime) and
> install the dependency libraries in /usr/i586-mingw32msvc/.
>
> This build also does *not* build the Windows GTK or pidgin libraries
> from source. It simply downloads them from the Internet, but does check
> their sha256 checksums for correctness. It would be great if those two
> projects also published reproducible builds of those libraries, of
> course.
>
> When it's done (it takes about 6 minutes on my machines), see if you
> match:
>
> $ sha256sum pidgin-otr-4.0.2.{exe,zip}
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe

Success:

cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c pidgin-otr-4.0.2.exe

> aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip

Zip is a failure (like Jurre):

0184dbd6c912d8073dd4a101e631c43ca89029c557964b56b71fc8d5c8793075 pidgin-otr-4.0.2.zip

Not sure why, I'll run diffoscope to find out what is different.

Thanks!
David

>
> If you don't, you can grab the files I created (independently on two
> machines) from here and use diffoscope to see what the differences are
> with your version:
>
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip
>
> https://diffoscope.org/ (you can install it yourself, or just use the
> online version at https://try.diffoscope.org/)
>
>
> Please report here either success, mismatched output (please include
> diffoscope output if possible), or build failures. Please include your
> build environment.
>
> Thanks,
>
> - Ian
> _______________________________________________
> OTR-dev mailing list
> [email protected]
> http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
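One way to narrow down a zip mismatch like the one reported above, as an added example that is not part of the original message and is not diffoscope's code: it compares the per-member metadata of two archives to show which field differs. The member names, timestamps and contents are constructed sample data, and `member_index`, `compare_zips` and `make_zip` are hypothetical helper names.

```python
import hashlib
import io
import zipfile

# Central-directory fields that commonly vary between otherwise equal builds.
FIELDS = ("date_time", "external_attr", "create_system", "compress_type", "CRC", "file_size")

def member_index(data: bytes) -> dict:
    """Map member name -> (position in archive, selected metadata fields)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: (pos, {f: getattr(info, f) for f in FIELDS})
                for pos, info in enumerate(zf.infolist())}

def compare_zips(a: bytes, b: bytes) -> list:
    """Return readable differences between two builds of the same zip."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return []  # bit-for-bit identical: the build reproduced
    ia, ib = member_index(a), member_index(b)
    diffs = []
    for name in sorted(set(ia) | set(ib)):
        if name not in ia or name not in ib:
            diffs.append(f"{name}: only in {'first' if name in ia else 'second'}")
            continue
        (pa, ma), (pb, mb) = ia[name], ib[name]
        if pa != pb:
            diffs.append(f"{name}: order {pa} != {pb}")
        for f in FIELDS:
            if ma[f] != mb[f]:
                diffs.append(f"{name}: {f} {ma[f]!r} != {mb[f]!r}")
    # Same members and metadata but different bytes: a byte-level tool is needed.
    return diffs or ["member metadata identical; compare raw bytes"]

def make_zip(members) -> bytes:
    """Build a constructed sample archive from (name, date_time, content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, date_time, content in members:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()

# Constructed sample input (not the real pidgin-otr archives): identical
# contents, but one member was stamped at a different time in build B.
T = (2016, 3, 20, 12, 0, 0)
BUILD_A = make_zip([("README.txt", T, b"docs\n"), ("plugin.dll", T, b"MZ sample")])
BUILD_B = make_zip([("README.txt", T, b"docs\n"),
                    ("plugin.dll", (2016, 3, 21, 9, 30, 2), b"MZ sample")])

if __name__ == "__main__":
    print("\n".join(compare_zips(BUILD_A, BUILD_B)))
```

To use it on real artifacts, read both files in binary mode and pass the bytes to `compare_zips`; an empty list means the hashes match.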
