[OTR-dev] Reproducible builds of pidgin-otr for Windows

Ian Goldberg ian at cypherpunks.ca
Sun Mar 20 16:41:04 EDT 2016


On Sun, Mar 20, 2016 at 04:30:44PM -0400, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 09:23:20PM +0100, Jurre van Bergen wrote:
> > Whee!
> > 
> > cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
> > f93499735b0d2f66091ab4fd1f2de99ff525b69e0bcd623b486d5b755a3cbe59  pidgin-otr-4.0.2.zip
> > 
> > The zip isn't correct, I have uploaded it for reference:
> > http://jurrevanbergen.nl/otr/pidgin-otr-4.0.2.zip
> 
> The zip files are in fact different, but they have identical content (as
> expected, since the nsis installer is indeed reproducible).  And the
> differences aren't just in the header, either!  (Maybe a per-file
> header?)
> 
> Can you confirm the zip program you are using is:
> 
> ii  zip            3.0-8        amd64        Archiver for .zip files
> 
> $ ls -l /usr/bin/zip
> -rwxr-xr-x 1 root root 188296 Oct 21  2013 /usr/bin/zip
> 
> $ sha256sum /usr/bin/zip
> 999c1a1ee93fb610bd86d18533fea233d06eaa52a070f424779a5b9d989fcf48  /usr/bin/zip

It's not the timestamps; I was sure to set those properly.

Aha!  When I cmp -l them, I get a whole lot of differences like this:

7042774 350   0
7042775   3   0
7042779 350   0
7042780   3   0

When you translate the octal values 0350, 0003 to a 2-byte little-endian
decimal number, it's 1000.  That is my uid.  So it seems zip files
store uids?  Who knew?  *headdesk*  "unzip -lv" doesn't show them.

So it seems you're building as root, while I was building as uid 1000.
Perhaps fakeroot is the answer?  But what else is hiding in there that's
not visible?  Permissions (group writable, etc.) on the files?  Anyone
here know zip/unzip really well?
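
[Added example, not part of the original message and not the OTR project's code.] The per-file metadata asked about above can be listed by decoding each member's extra fields and external attributes. The sketch below assumes the differing bytes sit in the Info-ZIP "new Unix" extra field (ID 0x7875), which stores uid and gid; the sample archives, the member name README.txt and the helper names are constructed for illustration.

```python
import io
import struct
import zipfile

UX_NEW = 0x7875  # Info-ZIP "new Unix" extra field ("ux"): uid and gid

def parse_extra(extra):
    """Split a ZIP extra-field blob into (header_id, payload) records."""
    records, pos = [], 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        payload = extra[pos + 4:pos + 4 + size]
        if len(payload) != size:
            break  # truncated record: stop rather than misread
        records.append((header_id, payload))
        pos += 4 + size
    return records

def decode_ux(payload):
    """0x7875 layout: version(1), uid size(1), uid, gid size(1), gid."""
    if len(payload) < 3 or payload[0] != 1:
        return None
    uid_len = payload[1]
    uid, gid = payload[2:2 + uid_len], payload[3 + uid_len:]
    if len(payload) < 3 + uid_len or len(gid) != payload[2 + uid_len]:
        return None
    return int.from_bytes(uid, "little"), int.from_bytes(gid, "little")

def hidden_metadata(zip_bytes):
    """Per member: (name, (uid, gid) or None, Unix mode bits or None)."""
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ids = None
            for header_id, payload in parse_extra(info.extra):
                if header_id == UX_NEW:
                    ids = decode_ux(payload)
            # create_system 3 = Unix: st_mode is in the top 16 bits
            mode = (info.external_attr >> 16) & 0o7777 if info.create_system == 3 else None
            out.append((info.filename, ids, mode))
    return out

def make_sample(uid, gid, mode=0o644):
    """Constructed one-member archive carrying a 0x7875 record."""
    ux = bytes([1, 4]) + uid.to_bytes(4, "little") + bytes([4]) + gid.to_bytes(4, "little")
    info = zipfile.ZipInfo("README.txt", date_time=(2016, 3, 20, 0, 0, 0))
    info.create_system = 3
    info.external_attr = (0o100000 | mode) << 16
    info.extra = struct.pack("<HH", UX_NEW, len(ux)) + ux
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"same content\n")
    return buf.getvalue()
```

Calling `hidden_metadata()` on the bytes of each build's zip shows which members differ in uid, gid or mode even when the file contents match. Info-ZIP's `zip -X` leaves these extra attributes out of the archive at build time.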

