[ https://issues.apache.org/jira/browse/DAFFODIL-2911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Lawrence resolved DAFFODIL-2911.
--------------------------------------
      Assignee: Olabusayo Kilo
    Resolution: Won't Fix

It's difficult to come up with a perfect solution that is 1) easy to use and 2) 
works in all environments. I think a better alternative is to have a container 
(that is much simpler than our current release candidate container) be used for 
reproducible builds. So if your environment doesn't perfectly match the release 
candidate container environment, you can use that to create release artifacts 
and compare them against the release artifacts. That's still probably a ways 
off, but it's a better solution than this, and this isn't too big of a deal as 
long as you know the git version to use.

> source release artifact is not easily reproducible
> --------------------------------------------------
>
>                 Key: DAFFODIL-2911
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-2911
>             Project: Daffodil
>          Issue Type: Bug
>          Components: Infrastructure
>            Reporter: Steve Lawrence
>            Assignee: Olabusayo Kilo
>            Priority: Major
>
> The release candidate container uses "git archive --format=zip" to create the 
> source release zip. But git does not guarantee reproducibility with this 
> created artifact. In fact, it seems to make changes frequently enough that 
> three recent git versions I tested (2.41.0, 2.44.0, and 2.45.1) all created 
> archives with different hashes. The content appears to be the same, but 
> compression algorithms change or other metadata is changed. 
> As long as we know the git version used to create the zip it's easy to test, 
> but that can be a pain. Ideally we could replace git archive with something 
> that is more consistent and more easily reproducible regardless of the git 
> version installed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
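
Added example, not part of the original message or of the Daffodil release tooling: when a rebuilt source zip does not hash-match the published one because the tool version differs, comparing per-entry digests of the decompressed content separates metadata and compression drift from a real content change. The file names, contents, and the helper names `build_zip`, `content_manifest` and `compare` are assumptions made for this sketch.

```python
import hashlib
import io
import zipfile


def build_zip(files, level, mtime):
    """Constructed stand-in for a source zip: same files, varying metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=mtime)
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED,
                        compresslevel=level)
    return buf.getvalue()


def content_manifest(zip_bytes):
    """Map each entry name to the SHA-256 of its decompressed bytes."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in manifest:
                # Duplicate names could hide a second payload behind the first.
                raise ValueError(f"duplicate entry: {info.filename}")
            # zf.read() also verifies the stored CRC-32 of the entry.
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def compare(zip_a, zip_b):
    """Report whether two archives match byte-for-byte and content-wise."""
    a, b = content_manifest(zip_a), content_manifest(zip_b)
    differing = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    return {
        "bytes_identical": hashlib.sha512(zip_a).digest() == hashlib.sha512(zip_b).digest(),
        "content_identical": not differing,
        "differing_entries": differing,
    }


# Constructed sample tree; paths and contents are illustrative only.
FILES = {"README.md": b"Apache Daffodil\n" * 50, "build.sbt": b'name := "daffodil"\n' * 20}
published = build_zip(FILES, level=9, mtime=(2024, 6, 1, 12, 0, 0))
rebuilt = build_zip(FILES, level=1, mtime=(2024, 6, 2, 8, 30, 0))
tampered = build_zip({**FILES, "build.sbt": b"changed\n"}, level=9, mtime=(2024, 6, 1, 12, 0, 0))

if __name__ == "__main__":
    print(compare(published, rebuilt))   # metadata drift only
    print(compare(published, tampered))  # real content change
```

A matching manifest only shows that the two archives unpack to the same files; the published artifact's own checksum and signature still need to be verified separately.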
