On 29/05/2023 05.25, David A. Wheeler wrote:
> If you have tips on common likely errors, please post, I think
> that would be of interest to many.

https://github.com/openSUSE/build-compare/issues/53
https://github.com/openSUSE/build-compare/issues/33
https://github.com/openSUSE/build-compare/pull/36
https://github.com/openSUSE/build-compare/pull/28

We use bash there to not add dependencies.
Looking at the bugs, those were mostly problems of tracking state in variables.

It would be less troublesome if we did not use it, like diffoscope, to report all diffs, but instead exited on the first relevant diff to keep it simple.

The cleaner way is to use strip-nondeterminism to remove all these insignificant bits during build and make the resulting bit-reproducible output the official binary.

> As a *recipient* who has no control over the build process used by
> someone else to create their package, I need some workable
> alternatives to estimate risk.

A recipient could still use strip-nondeterminism (and custom sed) on both files before calling diff.
Testing for bit-identity is trivial.
Testing for semantic equivalence is not.

To ensure that the filters did not remove significant parts (e.g. sed /.*//), they should then use the filtered version in production.


Ciao
Bernhard M.
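The recipient-side workflow sketched above (filter both files, make sure the filter did not erase the content, then diff and stop at the first relevant difference), as an added example that is not code from build-compare, strip-nondeterminism or this thread. The sed rules, the "at least half of the bytes must survive" threshold and the three sample artefacts are constructed for illustration; a real comparison needs filters chosen for the actual file formats.

```shell
#!/bin/sh
# Added example (not from build-compare or strip-nondeterminism):
# normalise two build outputs with sed, check that the filter kept the
# content, then compare and stop at the first relevant difference.

# Hypothetical normaliser: drop a build timestamp line and mask a
# per-build id. Chosen for the constructed sample files below.
normalize() {
    sed -e '/^Build-Date:/d' -e 's/build-id=[0-9a-f]*/build-id=MASKED/' "$1"
}

# Guard against an over-eager filter (e.g. sed 's/.*//'), which would make
# every pair look identical: require at least half of the input bytes to
# survive filtering. The 50% threshold is an assumption of this example.
filter_keeps_content() {
    in_bytes=$(wc -c < "$1" | tr -d ' ')
    out_bytes=$(normalize "$1" | wc -c | tr -d ' ')
    [ "$in_bytes" -gt 0 ] && [ $((out_bytes * 2)) -ge "$in_bytes" ]
}

# Compare two files after normalising both.
# Exit status: 0 equivalent, 1 relevant difference found, 2 filter rejected.
compare_filtered() {
    filter_keeps_content "$1" || return 2
    filter_keeps_content "$2" || return 2
    tmpdir=$(mktemp -d) || return 2
    normalize "$1" > "$tmpdir/a"
    normalize "$2" > "$tmpdir/b"
    if cmp -s "$tmpdir/a" "$tmpdir/b"; then
        rm -rf "$tmpdir"
        return 0
    fi
    # Report only the first hunk and stop, instead of listing every diff.
    diff "$tmpdir/a" "$tmpdir/b" | head -n 6
    rm -rf "$tmpdir"
    return 1
}

# Constructed sample artefacts: a and b differ only in timestamp and build
# id (should compare equal after filtering); c also differs in payload.
write_samples() {
    dir=$1
    printf 'Build-Date: 2023-05-29\nbuild-id=abc123\npayload=foo\n' > "$dir/a.txt"
    printf 'Build-Date: 2023-05-30\nbuild-id=def456\npayload=foo\n' > "$dir/b.txt"
    printf 'Build-Date: 2023-05-30\nbuild-id=def456\npayload=bar\n' > "$dir/c.txt"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    compare_filtered "$d/a.txt" "$d/b.txt" && echo "a/b: equivalent after filtering"
    compare_filtered "$d/a.txt" "$d/c.txt" || echo "a/c: relevant difference (status $?)"
    rm -rf "$d"
}

demo
```

The status-2 path is the important one for the recipient: if the filter rejects a file, the comparison is not trusted at all rather than silently reporting "no differences".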
