On 09/08/2022 16:22, Mark Thomas wrote:
On 09/08/2022 15:46, Mark Thomas wrote:
On 09/08/2022 15:12, Christopher Schultz wrote:
All,
I'm curious to find out if anyone is able to build a byte-for-byte
identical release given the 8.5.82 tag in GitHub. You won't be able
to generate the correct signed Windows binaries, of course, but you
should theoretically be able to build everything else.
TL;DR the build isn't reproducible.
There is something weird going on with time zones and timestamps that I
haven't got my head around yet. The tar.gz source archive is fine. The
zip archive is not.
In the release vote files, the files in the zip archive have a timestamp
15 hours earlier than those in the tar.gz archive. In my local build the
files in the zip archive have a timestamp 1 hour later than the tar.gz
archive.
I'm digging into this now.
Good news and bad news.
Once I switched my machine to the same timezone Chris was in when he
built the release, the release was 100% repeatable.
This issue is the zip files. Time stamps in zip files use local (yes,
local - I didn't mistype that) time. Hence you need to use the same time
zone to get a repeatable build.
We have a few options here:
1. Document the time zone in use for the build and require the same
timezone to be used for repeatable builds.
2. Require UTC.
3. Find a way to force Ant to use a specific timezone.
Thoughts?
Mark
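
The local-time behaviour described in the thread, as an added illustration that is not part of the original messages or of the Tomcat build: Python's zipfile stands in for Ant's zip task, and the file name, mtime, TZ strings and the `pin_utc` switch are constructed for the example. It shows the same file with the same mtime producing different archive bytes in two zones, and identical bytes once the timestamp is always converted via UTC.

```python
import io
import os
import time
import zipfile

# Constructed sample input: one file and its mtime in epoch seconds.
NAME, DATA = "build.xml", b"<project/>\n"
MTIME = 1660000000  # 2022-08-08 23:06:40 UTC


def build_zip(tz, pin_utc=False):
    """Return zip bytes as produced by a builder whose zone is `tz`.

    ZIP entries hold an MS-DOS date/time with no zone field, so the
    archiver must choose a wall-clock time. pin_utc=False uses local time
    (the behaviour described in the thread); pin_utc=True (hypothetical
    switch) always converts via UTC. POSIX only: relies on time.tzset().
    """
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        convert = time.gmtime if pin_utc else time.localtime
        info = zipfile.ZipInfo(NAME, date_time=convert(MTIME)[:6])
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(info, DATA)
        return buf.getvalue()
    finally:
        # Restore the caller's zone so the function has no side effects.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def stored_time(zip_bytes):
    """Read back the (Y, M, D, h, m, s) tuple stored for the first entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.infolist()[0].date_time


if __name__ == "__main__":
    for tz in ("EST5", "CET-1"):  # constructed POSIX TZ strings, no DST
        print(tz, stored_time(build_zip(tz)), stored_time(build_zip(tz, True)))
    print("local-time archives equal:", build_zip("EST5") == build_zip("CET-1"))
    print("UTC-pinned archives equal:",
          build_zip("EST5", True) == build_zip("CET-1", True))
```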