[OTR-dev] Reproducible builds of pidgin-otr for Windows

David Goulet dgoulet at ev0ke.net
Sun Mar 20 15:55:16 EDT 2016


On 20 Mar (12:42:28), Ian Goldberg wrote:
> Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
> a bunch of cool tools (including diffoscope -- try it!) to help make
> reproducible builds.  (If you don't know what they are or why they're
> important, please see https://reproducible-builds.org/ .)
> 
> OK, I've got pidgin-otr (and its dependencies) to a place where I can
> build it on two different machines and get identical .exe (the
> installer) and .zip files out.  Now I'd like to see if others can get
> the same binaries as well.
> 
> My build environment is a 64-bit Ubuntu 14.04, with packages updated to
> today (20 Mar 2016).  TODO: make an explicit list of required packages
> and their versions, and perhaps some automated way to create a virtual
> machine, install those packages, and proceed (gitian?).
> 
> If you have a similar build environment, I'd love to see whether you can
> reproduce these results.  If you have a different one, I'd still be
> interested to see what comes out differently.
> 
> If you want to give it a go:
> 
> wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> tar xzvvf pidgin-otr-4.0.2-repro.tar.gz
> cd pidgin-otr-4.0.2
> time bash -x INSTALL.mingw
> 
> 
> Note that the INSTALL.mingw script does some sudo stuff: it needs to
> install some packages you may not have (mingw32 nsis faketime) and
> install the dependency libraries in /usr/i586-mingw32msvc/.
> 
> This build also does *not* build the Windows GTK or pidgin libraries
> from source.  It simply downloads them from the Internet, but does check
> their sha256 checksums for correctness.  It would be great if those two
> projects also published reproducible builds of those libraries, of
> course.
> 
> When it's done (it takes about 6 minutes on my machines), see if you
> match:
> 
> $ sha256sum pidgin-otr-4.0.2.{exe,zip}
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe

Success:
cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c pidgin-otr-4.0.2.exe

> aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip

Zip is a failure (like Jurre):

0184dbd6c912d8073dd4a101e631c43ca89029c557964b56b71fc8d5c8793075 pidgin-otr-4.0.2.zip

Not sure why, I'll run diffoscope to find out what is different.

Thanks!
David

> 
> If you don't, you can grab the files I created (independently on two
> machines) from here and use diffoscope to see what the differences are
> with your version:
> 
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip
> 
> https://diffoscope.org/  (you can install it yourself, or just use the
> online version at https://try.diffoscope.org/)
> 
> 
> Please report here either success, mismatched output (please include
> diffoscope output if possible), or build failures.  Please include your
> build environment.
> 
> Thanks,
> 
>    - Ian
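
A .zip file's hash covers per-member metadata (member order, timestamps, mode bits) as well as the file contents, so it helps to see which of those fields differ before reaching for a full diffoscope run. The following Python script is an added example, not part of the original message or the pidgin-otr build; the member names, payloads and timestamps in it are constructed sample data.

```python
import hashlib
import io
import zipfile

def build_zip(members, date_time, mode=0o644):
    """Build an in-memory zip from (name, bytes) pairs, in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.external_attr = mode << 16  # Unix permission bits
            zf.writestr(info, data)
    return buf.getvalue()

def zip_differences(a_bytes, b_bytes):
    """List member-level content and metadata differences between two zips."""
    with zipfile.ZipFile(io.BytesIO(a_bytes)) as za:
        a = za.infolist()
    with zipfile.ZipFile(io.BytesIO(b_bytes)) as zb:
        b = zb.infolist()
    names_a, names_b = [i.filename for i in a], [i.filename for i in b]
    reasons = []
    if set(names_a) != set(names_b):
        reasons.append("member set differs: %s" % sorted(set(names_a) ^ set(names_b)))
    elif names_a != names_b:
        reasons.append("member order differs")
    b_by_name = {i.filename: i for i in b}
    for ia in a:
        ib = b_by_name.get(ia.filename)
        if ib is None:
            continue
        if (ia.CRC, ia.file_size) != (ib.CRC, ib.file_size):
            reasons.append("%s: content differs" % ia.filename)
        if ia.date_time != ib.date_time:
            reasons.append("%s: timestamp %s vs %s" % (ia.filename, ia.date_time, ib.date_time))
        if ia.external_attr != ib.external_attr:
            reasons.append("%s: mode bits differ" % ia.filename)
    return reasons

if __name__ == "__main__":
    # Constructed sample data: same payload, different order and build time.
    files = [("plugin.dll", b"\x4d\x5a payload"), ("README.txt", b"hello\n")]
    mine = build_zip(files, (2016, 3, 20, 12, 42, 28))
    yours = build_zip(files[::-1], (2016, 3, 20, 15, 55, 16))
    print(hashlib.sha256(mine).hexdigest() == hashlib.sha256(yours).hexdigest())
    for reason in zip_differences(mine, yours):
        print(reason)
```

An empty result means the members agree on content, order, timestamps and mode bits; archives can still differ in fields this script does not inspect, which is where diffoscope takes over.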