On Tue, 25 Feb 2020 18:15:31 GMT, Bernhard M. Wiedemann 
<github.com+637990+bmwiedem...@openjdk.org> wrote:

>>> FWIW, I have scripts that will unpack the modular jar files and diff each 
>>> class
>> 
>> I agree that such specialized diff tools have some value, yet, there are 
>> also some limitations and downsides to them. E.g. you cannot simply tell 
>> another party what the expected sha256sum of a build result is.
>> 
>> https://www.suse.com/c/?p=42014  also has a section on problems with "the 
>> use of specialized comparison tools like [openSUSE's] ‘build-compare’"
>> 
>> I probably should write an FAQ entry about that topic...
>> 
>>> each released build is necessarily going to be different because you want a 
>>> unique time stamp and build number associated with it.
>> 
>> For release builds, it is important that other people can take the released 
>> sources and reproduce the same original binaries with the same release 
>> number (and ideally same timestamps) to easily verify that the build was 
>> clean (not corrupted by bad CPUs/RAM/HDDs or someone messing with the build 
>> machine).
>> I heard some people even use that to save network bandwidth: add a small 
>> patch locally+remotely, build it locally, tell the world the new build hash, 
>> but have others upload their binaries with the right hash.
> 
> Hi, did you find time to review this?

No, I'm pretty backed up on reviews. It's on my queue, though.

-------------

PR: https://git.openjdk.java.net/jfx/pull/99
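The trade-off discussed in the quoted text above, as an added example that is not part of the original e-mail or of the OpenJFX build: two builds whose jars differ only in entry timestamps pass a per-class diff but cannot be checked against one published sha256sum, while jars rebuilt with a fixed timestamp can. The entry names, the `FIXED_TIME` value and all helper functions are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample input: two stand-in "class files" for a built jar.
ENTRIES = {
    "com/example/A.class": b"\xca\xfe\xba\xbe constructed A",
    "com/example/B.class": b"\xca\xfe\xba\xbe constructed B",
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # assumed normalization timestamp


def build_jar(entries, mtime):
    """Build an in-memory jar (zip) with sorted entries, all stamped `mtime`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def unpack(jar):
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def content_diff(jar_a, jar_b):
    """Specialized comparison: names of entries whose bytes differ."""
    a, b = unpack(jar_a), unpack(jar_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def normalize(jar):
    """Rebuild a jar with a fixed timestamp so its hash can be published."""
    return build_jar(unpack(jar), FIXED_TIME)


if __name__ == "__main__":
    first = build_jar(ENTRIES, (2020, 2, 25, 18, 15, 30))
    second = build_jar(ENTRIES, (2020, 2, 26, 9, 0, 0))
    print("per-class diff:", content_diff(first, second))    # no differences
    print("hashes equal:", sha256(first) == sha256(second))  # timestamps differ
    print("normalized equal:", sha256(normalize(first)) == sha256(normalize(second)))
```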
