[OTR-dev] Reproducible builds of pidgin-otr for Windows

Ian Goldberg ian at cypherpunks.ca
Sun Mar 20 12:42:28 EDT 2016


Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
a bunch of cool tools (including diffoscope -- try it!) to help make
reproducible builds.  (If you don't know what they are or why they're
important, please see https://reproducible-builds.org/ .)

OK, I've got pidgin-otr (and its dependencies) to a place where I can
build it on two different machines and get identical .exe (the
installer) and .zip files out.  Now I'd like to see if others can get
the same binaries as well.

My build environment is a 64-bit Ubuntu 14.04, with packages updated to
today (20 Mar 2016).  TODO: make an explicit list of required packages
and their versions, and perhaps some automated way to create a virtual
machine, install those packages, and proceed (gitian?).

If you have a similar build environment, I'd love to see whether you can
reproduce these results.  If you have a different one, I'd still be
interested to see what comes out differently.

If you want to give it a go:

wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
tar xzvvf pidgin-otr-4.0.2-repro.tar.gz
cd pidgin-otr-4.0.2
time bash -x INSTALL.mingw


Note that the INSTALL.mingw script does some sudo stuff: it needs to
install some packages you may not have (mingw32 nsis faketime) and
install the dependency libraries in /usr/i586-mingw32msvc/.

This build also does *not* build the Windows GTK or pidgin libraries
from source.  It simply downloads them from the Internet, but does check
their sha256 checksums for correctness.  It would be great if those two
projects also published reproducible builds of those libraries, of
course.

When it's done (it takes about 6 minutes on my machines), see if you
match:

$ sha256sum pidgin-otr-4.0.2.{exe,zip}
cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip

If you don't, you can grab the files I created (independently on two
machines) from here and use diffoscope to see what the differences are
with your version:

https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe
https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip

https://diffoscope.org/  (you can install it yourself, or just use the
online version at https://try.diffoscope.org/)


Please report here either success, mismatched output (please include
diffoscope output if possible), or build failures.  Please include your
build environment.

Thanks,

   - Ian
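
Added example, not part of the original post: a bash check for the comparison step above that sorts each artifact into the three outcomes the message asks people to report (match, mismatch, missing after a failed build). The function names are hypothetical; the digests are the ones published in the message.

```bash
#!/usr/bin/env bash
# Expected digests, copied from the message above.
EXPECTED='cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip'

# classify_artifact FILE SHA256 -> prints "match", "mismatch" or "missing"
classify_artifact() {
    local file="$1" want="$2" got
    if [ ! -f "$file" ]; then
        echo missing
        return
    fi
    got=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then echo match; else echo mismatch; fi
}

# check_build DIR [MANIFEST] -> one report line per artifact.
# MANIFEST uses sha256sum's "digest  name" format and defaults to EXPECTED.
# Returns 0 only if every listed artifact matches.
check_build() {
    local dir="$1" manifest="${2:-$EXPECTED}" want name status rc=0
    while read -r want name; do
        [ -n "$want" ] || continue
        status=$(classify_artifact "$dir/$name" "$want")
        printf '%-8s %s\n' "$status" "$name"
        case "$status" in
            match) ;;
            mismatch) rc=1
                echo "  compare against the reference file with diffoscope" ;;
            missing) rc=1
                echo "  not built: report the failure and your build environment" ;;
        esac
    done <<EOF
$manifest
EOF
    return $rc
}

# Runs only when given a build directory, e.g.: bash check.sh pidgin-otr-4.0.2
if [ -d "${1:-}" ]; then
    check_build "$1"
fi
```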

