On 19/03/2021 at 16:39, Mark Thomas wrote:

> Over the last few days I have been looking at making the Tomcat builds
> (more) reproducible. I have currently reached the stage where sequential
> builds on my local machine produce identical output.

That's a great idea.

> There are several caveats
>
> 1. Some of the embedded JARs can vary between runs due to a Bnd issue.
> That has been reported to the Bnd project and should be fixed shortly.

In Debian the Tomcat package is mostly reproducible, the only difference is in the OSGi metadata and the Require-Capability field [1]. Is this the Bnd issue you are referring to?

> 2. The current Windows exe signing process isn't repeatable. There are a
> few suggested workarounds at https://reproducible-builds.org/ and I
> need to discuss these with the provider of the code signing service the
> ASF uses (DigiCert).

The signature is reproducible but not the timestamp. We'd need something like a detached signature shipped with the source package, and a build that either appends the signature or gets a new one from DigiCert.

> I have a series of commits where each commit addresses a specific issue.

I had a quick look; I guess you replaced the <jar> tasks with <zip> to make the timestamp of the zip entries reproducible? I'm not sure this is sufficient: there is no guarantee the order of the entries will be the same (this is usually dependent on the filesystem used, I don't think Ant sorts the entries). In Debian there is a tool (strip-nondeterminism) post-processing the jar files and fixing the possible variations (entries order, timestamps); we'll probably need something similar.

Emmanuel Bourg

[1] https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/tomcat9.html
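The post-processing step described in the reply (rewrite each jar so that entry order and timestamps no longer depend on the build host, which is what strip-nondeterminism does for Debian) as an added Python example. This is not code from the thread, from Tomcat or from strip-nondeterminism; the two sample archives are constructed inline to mimic two builds of the same two files that differ only in the order the filesystem returned them and in their mtime. `normalize_jar`, `build_sample` and the helper names are this example's own.

```python
"""Normalize a JAR/ZIP so its bytes no longer depend on filesystem entry
order or on build-time timestamps (the two variations named in the thread).
Example code, not part of Tomcat or strip-nondeterminism."""
import io
import zipfile

# Earliest timestamp the ZIP format can express (MS-DOS time starts in 1980).
FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)


def normalize_jar(data: bytes) -> bytes:
    """Rewrite an archive with entries sorted by name, a fixed timestamp and
    fixed per-entry metadata; the entry contents themselves are untouched."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):        # deterministic order
            info = zipfile.ZipInfo(name, date_time=FIXED_TIMESTAMP)
            info.create_system = 3                  # "Unix", not the build host's OS
            if name.endswith("/"):
                info.compress_type = zipfile.ZIP_STORED
                info.external_attr = 0o755 << 16    # fixed directory mode bits
            else:
                info.compress_type = zipfile.ZIP_DEFLATED
                info.external_attr = 0o644 << 16    # fixed file mode bits
            dst.writestr(info, src.read(name))
    return out.getvalue()


def entry_names(data: bytes) -> list:
    """Entry names in the order they are stored in the central directory."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def entry_timestamps(data: bytes) -> set:
    """Distinct date_time tuples used by the archive's entries."""
    return {zi.date_time for zi in zipfile.ZipFile(io.BytesIO(data)).infolist()}


# Constructed sample input: the same two files, written in a caller-chosen
# order with a caller-chosen mtime, standing in for two separate builds.
FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
}


def build_sample(order, mtime) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, FILES[name])
    return buf.getvalue()


NAMES = list(FILES)
BUILD_A = build_sample(NAMES, (2021, 3, 19, 16, 39, 0))
BUILD_B = build_sample(list(reversed(NAMES)), (2021, 3, 20, 9, 0, 0))


def demo() -> tuple:
    """(raw builds differ, normalized builds are byte-identical)."""
    return BUILD_A != BUILD_B, normalize_jar(BUILD_A) == normalize_jar(BUILD_B)


if __name__ == "__main__":
    print(demo())
```

The normalization only removes the variations the thread names; the deflated bytes still depend on the zlib version doing the compression, so two hosts with different zlib builds can still diverge, which is why reproducible-build checks are usually run against a pinned toolchain.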