[OTR-dev] Reproducible builds of pidgin-otr for Windows
David Goulet
dgoulet at ev0ke.net
Sun Mar 20 15:55:16 EDT 2016
On 20 Mar (12:42:28), Ian Goldberg wrote:
> Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
> a bunch of cool tools (including diffoscope -- try it!) to help make
> reproducible builds. (If you don't know what there are or why they're
> important, please see https://reproducible-builds.org/ .)
>
> OK, I've got pidgin-otr (and its dependencies) to a place where I can
> build it on two different machines and get identical .exe (the
> installer) and .zip files out. Now I'd like to see if others can get
> the same binaries as well.
>
> My build environment is a 64-bit Ubuntu 14.04, with packages updated to
> today (20 Mar 2016). TODO: make an explicit list of required packages
> and their versions, and perhaps some automated way to create a virtual
> machine, install those packages, and proceed (gitian?).
>
> If you have a similar build environment, I'd love to see whether you can
> reproduce these results. If you have a different one, I'd still be
> interested to see what comes out differently.
>
> If you want to give it a go:
>
> wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> tar xzvvf pidgin-otr-4.0.2-repro.tar.gz
> cd pidgin-otr-4.0.2
> time bash -x INSTALL.mingw
>
>
> Note that the INSTALL.mingw script does some sudo stuff: it needs to
> install some packages you may not have (mingw32 nsis faketime) and
> install the dependency libraries in /usr/i586-mingw32msvc/.
>
> This build also does *not* build the Windows GTK or pidgin libraries
> from source. It simply downloads them from the Internet, but does check
> their sha256 checksums for correctness. It would be great if those two
> projects also published reproducible builds of those libraries, of
> course.
>
> When it's done (it takes about 6 minutes on my machines), see if you
> match:
>
> $ sha256sum pidgin-otr-4.0.2.{exe,zip}
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c pidgin-otr-4.0.2.exe
Success:
cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c pidgin-otr-4.0.2.exe
> aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238 pidgin-otr-4.0.2.zip
Zip is a failure, (like Jurre):
0184dbd6c912d8073dd4a101e631c43ca89029c557964b56b71fc8d5c8793075 pidgin-otr-4.0.2.zip
Not sure why, I'll run diffoscope to find out what is different.
Thanks!
David
>
> If you don't, you can grab the files I created (independently on two
> machines) from here and use diffoscope to see what the differences are
> with your version:
>
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip
>
> https://diffoscope.org/ (you can install it yourself, or just use the
> online version at https://try.diffoscope.org/)
>
>
> Please report here either success, mismatched output (please include
> diffoscope output if possible), or build failures. Please include your
> build environment.
>
> Thanks,
>
> - Ian
> _______________________________________________
> OTR-dev mailing list
> OTR-dev at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 603 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20160320/4445e4c3/attachment-0001.sig>
More information about the OTR-dev
mailing list