[OTR-dev] Reproducible builds of pidgin-otr for Windows

Jurre van Bergen drwhax at 2600nl.net
Thu Mar 24 17:54:46 EDT 2016



On 03/24/2016 01:02 PM, Ian Goldberg wrote:
> Could I get someone to try this out?
>
> Thanks,
>
>    - Ian
>
> On Mon, Mar 21, 2016 at 05:32:55PM -0400, Ian Goldberg wrote:
>> On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
>>> So who knows how to make a reproducible tarball?  We'd need to
>>> normalize:
>>> - The order of the files (I think make dist already does this, though)
>>> - The timestamps (--mtime), owners (--owner, --group), permissions (I
>>>   guess we could chmod the files first, or some combination of
>>>   --no-same-permissions and umask?) of the files
>>> - Anything else?
>>>
>>> And getting autoconf to get the "make dist" target actually *do* that
>>> might take some examining, but worst case, we can override $TAR or
>>> $am__tar, I suppose.
>> OK, here's the scoop.  As with most people, my knowledge of
>> automake/autoconf is basically "find another project that does what I
>> want and copy that".  Unfortunately, I couldn't easily find another
>> project successfully doing reproducible tarballs from "make dist".
>> So what I came up with may not be The Right Way To Do It.  Please, if
>> anyone here can make this better, speak up!  I'm particularly squeamish
>> about overriding am__tar in configure.ac, since things with double
>> underscores sound to me like "private! internal! don't look here!".
>>
>> The commit is here:
>>
>> https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff
>>
>> If other people want to see if they get the same .tar.gz as I do:
>>
>> git clone git://git.otr.im/pidgin_otr
>> cd pidgin_otr/
>> git checkout devel
>> intltoolize --force --copy
>> autoreconf -s -i
>> ./configure
>> make dist
>> sha256sum pidgin-otr-4.0.2.tar.gz
>>
>> I get:
>>
>> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
Wheee! Success!

root at 918bc0b631ee:/pidgin_otr# sha256sum pidgin-otr-4.0.2.tar.gz
b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d 
pidgin-otr-4.0.2.tar.gz

>>
>> and then, why not:
>>
>> tar xzvvf pidgin-otr-4.0.2.tar.gz
>> cd pidgin-otr-4.0.2
>> bash -x INSTALL.mingw
>> sha256sum pidgin-otr-4.0.2.*
>>
>> I get:
>>
>> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
>> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip


Again, success!

root at 918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1 
pidgin-otr-4.0.2.exe
ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea 
pidgin-otr-4.0.2.zip


>>
>>
>> *** NOTE: in order to run "./configure" as a precursor to "make dist"
>> for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
>> installed, including the dev versions of libotr (or an installation
>> from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
>> there a way around this, if all you want to do is "make dist" and not
>> actually build the package?

I'm not the right person to answer this question..

Best,
Jurre


More information about the OTR-dev mailing list