On 20/03/2021 15:24, Emmanuel Bourg wrote:
On 19/03/2021 at 16:39, Mark Thomas wrote:

Over the last few days I have been looking at making the Tomcat builds
(more) reproducible. I have currently reached the stage where sequential
builds on my local machine produce identical output.

That's a great idea.


There are several caveats

1. Some of the embedded JARs can vary between runs due to a Bnd issue.
That has been reported to the Bnd project and should be fixed shortly.

In Debian the Tomcat package is mostly reproducible, the only difference
is in the OSGi metadata and the Require-Capability field [1]. Is this
the Bnd issue you are referring to?

Yes. The Bnd team also think they may need to normalize Provide-Capability as well.

2. The current Windows exe signing process isn't repeatable. There are a
few suggested workarounds at https://reproducible-builds.org/ and I
need to discuss these with the provider of the code signing service the
ASF uses (DigiCert).

The signature is reproducible but not the timestamp. We'd need something
like a detached signature shipped with the source package, and a build
that either appends the signature or gets a new one from DigiCert.

Indeed. I'll discuss the options here with DigiCert and report back.

I have a series of commits where each commit addresses a specific issue.

I had a quick look; I guess you replaced the <jar> tasks with <zip> to
make the timestamp of the zip entries reproducible?

No. The Jar entries used the timestamps of the original files. As long as the Jar task was configured not to add entries for directories (which used the current time as the last modified date) that part was OK. The issue was that the manifest was always created with the current time as the last modified date.

I'm not sure this is
sufficient; there is no guarantee the order of the entries will be the
same (this is usually dependent on the filesystem used, I don't think
Ant sorts the entries).

I haven't hit this issue yet. I suspect I will, or something similar, when I start testing with different platforms.

In Debian there is a tool (strip-nondeterminism) post-processing the jar
files and fixing the possible variations (entries order, timestamps),
we'll probably need something similar.

Potentially. There isn't any particular deadline for this so we can take the time to get things fixed in upstream Bnd, Ant, etc.

Mark


Emmanuel Bourg

[1] https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/tomcat9.html
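The thread names three sources of JAR non-determinism (directory entries and the manifest stamped with the current time, and filesystem-dependent entry order) and suggests a strip-nondeterminism style post-processing step. The script below is an added example, not Tomcat's, Ant's or Debian's code: it simulates two "builds" of the same constructed sources that differ only in those respects, then normalises both JARs by dropping directory entries, sorting entries (manifest first, the rest alphabetically), and pinning the timestamp and permission bits, so that their SHA-256 digests match. The sample file names, contents and timestamps, and the choice of 1980-01-01 as the fixed timestamp, are assumptions made for the example.

```python
"""Normalise a JAR so that two builds from the same sources are byte-identical.

Added example (not Tomcat/Ant code). It reproduces the non-determinism
discussed in the thread and removes it the way a strip-nondeterminism
style post-processor would.
"""
import hashlib
import io
import zipfile

# Constructed sample sources: (entry name, bytes, "source" mtime as a zip date_time)
SOURCE_FILES = [
    ("org/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16, (2021, 3, 19, 16, 39, 0)),
    ("org/example/Util.class", b"\xca\xfe\xba\xbe" + b"\x01" * 16, (2021, 3, 18, 9, 0, 0)),
    ("META-INF/LICENSE", b"Apache License 2.0\n", (2021, 1, 1, 0, 0, 0)),
]
MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"

# Assumed fixed timestamp for normalised entries. ZIP stores DOS time, which
# cannot represent anything before 1980-01-01, so that is the usual floor.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_sample_jar(entry_order, manifest_time, dir_time=None):
    """Simulate one Jar task run: manifest stamped with 'now', class files in
    filesystem order, and (optionally) directory entries stamped with 'now'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        mf = zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=manifest_time)
        mf.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(mf, MANIFEST)
        if dir_time is not None:
            for d in ("org/", "org/example/"):
                di = zipfile.ZipInfo(d, date_time=dir_time)
                di.external_attr = (0o40755 << 16) | 0x10  # drwxr-xr-x + DOS dir flag
                zf.writestr(di, b"")
        by_name = {name: (data, mtime) for name, data, mtime in SOURCE_FILES}
        for name in entry_order:
            data, mtime = by_name[name]
            zi = zipfile.ZipInfo(name, date_time=mtime)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


def _entry_key(name):
    # Keep the manifest first (JAR tooling expects it there), then sort by name.
    return (name != "META-INF/MANIFEST.MF", name)


def normalize_jar(jar_bytes, fixed_time=FIXED_TIME):
    """Rewrite a JAR with directory entries dropped, entries sorted, and a
    fixed timestamp, creator system and permission bits on every entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src:
        entries = {info.filename: src.read(info)
                   for info in src.infolist() if not info.is_dir()}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in sorted(entries, key=_entry_key):
            zi = zipfile.ZipInfo(name, date_time=fixed_time)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = 3             # "Unix", regardless of build host
            zi.external_attr = 0o644 << 16   # plain file, rw-r--r--
            dst.writestr(zi, entries[name], compresslevel=6)
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [i.filename for i in zf.infolist()]


# Two "builds" of the same sources: manifests stamped at different times, the
# entries in a different (filesystem-dependent) order, and one run that also
# emitted directory entries.
BUILD_A = build_sample_jar(
    ["org/example/App.class", "org/example/Util.class", "META-INF/LICENSE"],
    manifest_time=(2021, 3, 20, 10, 0, 0))
BUILD_B = build_sample_jar(
    ["META-INF/LICENSE", "org/example/Util.class", "org/example/App.class"],
    manifest_time=(2021, 3, 20, 10, 5, 0),
    dir_time=(2021, 3, 20, 10, 5, 0))


def compare_builds(a=BUILD_A, b=BUILD_B):
    """Digests of both builds before and after normalisation."""
    return {
        "raw": (sha256_hex(a), sha256_hex(b)),
        "normalized": (sha256_hex(normalize_jar(a)), sha256_hex(normalize_jar(b))),
    }


if __name__ == "__main__":
    result = compare_builds()
    print("raw builds identical:       ", result["raw"][0] == result["raw"][1])
    print("normalized builds identical:", result["normalized"][0] == result["normalized"][1])
    print("normalized entry order:     ", entry_names(normalize_jar(BUILD_A)))
```

Running it shows the raw digests differ and the normalised ones match. Two things are worth keeping in mind when applying this to a real release: the step only removes container-level differences (entry metadata and order), so the OSGi metadata variation from Bnd and the timestamped exe signature mentioned in the thread still have to be fixed at their source; and because it rewrites the archive, any signature over the JAR must be applied after normalisation, not before.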

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org


