[OTR-dev] Reproducible builds of pidgin-otr for Windows

Ian Goldberg ian at cypherpunks.ca
Thu Mar 24 08:02:55 EDT 2016


Could I get someone to try this out?

Thanks,

   - Ian

On Mon, Mar 21, 2016 at 05:32:55PM -0400, Ian Goldberg wrote:
> On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
> > So who knows how to make a reproducible tarball?  We'd need to
> > normalize:
> > - The order of the files (I think make dist already does this, though)
> > - The timestamps (--mtime), owners (--owner, --group), permissions (I
> >   guess we could chmod the files first, or some combination of
> >   --no-same-permissions and umask?) of the files
> > - Anything else?
> > 
> > And getting autoconf to get the "make dist" target to actually *do* that
> > might take some examining, but worst case, we can override $TAR or
> > $am__tar, I suppose.
> 
> OK, here's the scoop.  As with most people, my knowledge of
> automake/autoconf is basically "find another project that does what I
> want and copy that".  Unfortunately, I couldn't easily find another
> project successfully doing reproducible tarballs from "make dist".
> So what I came up with may not be The Right Way To Do It.  Please, if
> anyone here can make this better, speak up!  I'm particularly squeamish
> about overriding am__tar in configure.ac, since things with double
> underscores sound to me like "private! internal! don't look here!".
> 
> The commit is here:
> 
> https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff
> 
> If other people want to see if they get the same .tar.gz as I do:
> 
> git clone git://git.otr.im/pidgin_otr
> cd pidgin_otr/
> git checkout devel
> intltoolize --force --copy
> autoreconf -s -i
> ./configure
> make dist
> sha256sum pidgin-otr-4.0.2.tar.gz
> 
> I get:
> 
> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> 
> and then, why not:
> 
> tar xzvvf pidgin-otr-4.0.2.tar.gz
> cd pidgin-otr-4.0.2
> bash -x INSTALL.mingw
> sha256sum pidgin-otr-4.0.2.*
> 
> I get:
> 
> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> 
> 
> *** NOTE: in order to run "./configure" as a precursor to "make dist"
> for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
> installed, including the dev versions of libotr (or an installation
> from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
> there a way around this, if all you want to do is "make dist" and not
> actually build the package?
> 
> The sha256 checksums for the .exe and .zip files are different from
> yesterday, since the changes to the pidgin-otr source caused the source
> timestamp (*not* a build timestamp!) to change, and the source timestamp
> appears in the binaries.
> 
> Anyone want to give this a shot?
> 
> Thanks,
> 
>    - Ian


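The normalization listed in the quoted messages (file order, timestamps, owners, permissions), as an added example that is not part of this thread or of the pidgin-otr commit. It assumes GNU tar 1.28 or later; the helper names, the pkg-1.0 sample tree and the epoch value are constructed, and it additionally pins the gzip header, which stores its own name and timestamp.

```shell
#!/bin/sh
# Requires GNU tar >= 1.28 (--sort=name), gzip and sha256sum.
# All function names here are hypothetical helpers, not pidgin-otr code.

# repro_tarball PARENT NAME EPOCH OUT
repro_tarball() {
    # LC_ALL=C         : same behaviour under any builder locale
    # --sort=name      : member order independent of directory read order
    # --mtime          : one fixed timestamp for every member
    # --owner/--group  : no trace of the builder's account
    # --mode           : permissions independent of the builder's umask
    # --format=gnu     : pin the header format instead of tar's default
    # gzip -n          : no file name or timestamp in the gzip header
    LC_ALL=C tar --sort=name --format=gnu --mtime="@$3" \
        --owner=0 --group=0 --numeric-owner --mode='go=rX,u+rw,a-s' \
        -C "$1" -cf - "$2" | gzip -n -9 > "$4"
}

# naive_tarball PARENT NAME OUT: plain tar, for contrast.
naive_tarball() { tar -C "$1" -czf "$3" "$2"; }

# make_tree DIR "FILES IN CREATION ORDER" UMASK TOUCH_STAMP
# Constructed sample tree: same contents each time, different metadata.
make_tree() (
    umask "$3"
    mkdir -p "$1/pkg-1.0/po"
    for f in $2; do printf 'contents of %s\n' "$f" > "$1/pkg-1.0/$f"; done
    find "$1/pkg-1.0" -exec touch -t "$4" {} +
)

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# sample_hashes: prints four hashes, one per line:
# normalized A, normalized B, naive A, naive B.
sample_hashes() {
    work=$(mktemp -d)
    make_tree "$work/a" "README configure.ac po/de.po" 022 201603210909.40
    make_tree "$work/b" "po/de.po configure.ac README" 077 201603241202.55
    epoch=1458594775   # constructed stand-in for the source timestamp
    repro_tarball "$work/a" pkg-1.0 "$epoch" "$work/a.tar.gz"
    repro_tarball "$work/b" pkg-1.0 "$epoch" "$work/b.tar.gz"
    naive_tarball "$work/a" pkg-1.0 "$work/a-naive.tar.gz"
    naive_tarball "$work/b" pkg-1.0 "$work/b-naive.tar.gz"
    for t in a b a-naive b-naive; do sha256_of "$work/$t.tar.gz"; done
    rm -rf "$work"
}

sample_hashes
```

The first two hashes printed match each other; the last two differ, because the two trees were created with different timestamps and umasks.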