[OTR-dev] Reproducible builds of pidgin-otr for Windows
Ian Goldberg
ian at cypherpunks.ca
Mon Mar 21 17:32:55 EDT 2016
On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
> So who knows how to make a reproducible tarball? We'd need to
> normalize:
> - The order of the files (I think make dist already does this, though)
> - The timestamps (--mtime), owners (--owner, --group), permissions (I
> guess we could chmod the files first, or some combination of
> --no-same-permissions and umask?) of the files
> - Anything else?
>
> And getting autoconf to get the "make dist" target actually *do* that
> might take some examining, but worst case, we can override $TAR or
> $am__tar, I suppose.

OK, here's the scoop.  As with most people, my knowledge of
automake/autoconf is basically "find another project that does what I
want and copy that".  Unfortunately, I couldn't easily find another
project successfully doing reproducible tarballs from "make dist".

So what I came up with may not be The Right Way To Do It.  Please, if
anyone here can make this better, speak up!  I'm particularly squeamish
about overriding am__tar in configure.ac, since things with double
underscores sound to me like "private! internal! don't look here!".

The commit is here:

https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff

If other people want to see if they get the same .tar.gz as I do:

    git clone git://git.otr.im/pidgin_otr
    cd pidgin_otr/
    git checkout devel
    intltoolize --force --copy
    autoreconf -s -i
    ./configure
    make dist
    sha256sum pidgin-otr-4.0.2.tar.gz

I get:

    b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz

and then, why not:

    tar xzvvf pidgin-otr-4.0.2.tar.gz
    cd pidgin-otr-4.0.2
    bash -x INSTALL.mingw
    sha256sum pidgin-otr-4.0.2.*

I get:

    9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
    ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip

*** NOTE: in order to run "./configure" as a precursor to "make dist"
for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
installed, including the dev versions of libotr (or an installation
from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
there a way around this, if all you want to do is "make dist" and not
actually build the package?

The sha256 checksums for the .exe and .zip files are different from
yesterday, since the changes to the pidgin-otr source caused the source
timestamp (*not* a build timestamp!) to change, and the source timestamp
appears in the binaries.

Anyone want to give this a shot?

Thanks,
- Ian
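
An added example, not part of the original message or of the pidgin-otr commit: a Python version of the normalizations listed in the quoted question (file order, timestamps, owners, permissions), which also pins the timestamp and file name that gzip writes into its own header. The function names, the SOURCE_EPOCH value and the 0755/0644 mode policy are assumptions made for illustration.

```python
import gzip
import hashlib
import io
import os
import tarfile

SOURCE_EPOCH = 1458518400  # constructed fixed timestamp (assumption)


def _normalize(info):
    """Drop metadata that depends on who built the tarball, and when."""
    info.mtime = SOURCE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    # Assumed policy: directories and executables 0755, everything else 0644.
    info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
    return info


def reproducible_targz(src_dir, prefix):
    """Return .tar.gz bytes that depend only on file names and contents."""
    paths = []
    for root, dirs, files in os.walk(src_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    raw = io.BytesIO()
    # USTAR writes no pax extended headers (very long names raise an error).
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        tar.add(src_dir, arcname=prefix, recursive=False, filter=_normalize)
        # Sorting full paths fixes member order regardless of readdir order.
        for path in sorted(paths):
            arcname = os.path.join(prefix, os.path.relpath(path, src_dir))
            tar.add(path, arcname=arcname, recursive=False, filter=_normalize)
    out = io.BytesIO()
    # gzip stores its own timestamp and file name in the header; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()
```

The compressed bytes still depend on the zlib build doing the compression, so hashes are comparable only between builders using the same toolchain.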