Jérémy Bobbio:
> Ximin Luo:
>> This is quite an open-ended problem and there is no single "correct"
>> answer. I don't even know myself what would be best, at this stage.
> I think what we need to come up with now is a list of use cases. Then we
> can decide which one we want to support and how easy it should be.
> Is anyone willing to share examples where being able to ignore stuff
> would have made their life easier?
> The last one I spotted that could go on the list, ignoring irrelevant
> differences in two Android App packages:
> https://github.com/WhisperSystems/Signal-Android/blob/master/apkdiff/apkdiff.py

For a start, there's the list of already-known issues. 
https://tests.reproducible-builds.org/index_issues.html and I'd imagine people 
analysing diffs would want an easy way to distinguish "issues that someone else 
has already solved" vs "issues nobody has seen before".

(This is why I suggested looking through the existing data: if this mailing 
list discussion only produces 2 or 3 use-cases, this is not immensely helpful to 
build a lasting tool with. But we already have a lot of data to go through as 
inspiration for use-cases.)

On a side note, the terminology should be more precise. I know that you know 
this, but in a public context it's a bit dangerous to say "irrelevant" since it 
gives the impression (to an uncritical reader) that it actually is 100% 
irrelevant. But it's not, see my previous email. The purpose of 
--ignore-profiles is to make it easier to achieve bitwise reproducibility and 
anything less than that is still unsafe. I'm worried about the scenario where 
(e.g.) someone might market reproducibility as "do this build then run 
apkdiff.py, you can see it's the same (ignoring "irrelevant" differences)".

Concretely I have some suggestions:

1. Instead of calling this "ignore" we call it "hide", and instead of 
"irrelevant" we say "common"/"minor"/"known".

2. diffoscope --ignore-* (or --hide-*) MUST NOT return 0 or otherwise give the 
impression that two non-identical files are the same, even if all differences 
are "hidden". It should report "n differences hidden".


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
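
Added example, not part of the original message and not diffoscope's code: a minimal Python sketch of suggestion 2, where the exit status follows bitwise identity and hidden differences are only counted separately. The profile name, the glob patterns and the `compare`/`summary` functions are hypothetical, and refusing to hide added or removed members is an assumption of this sketch.

```python
import fnmatch
from dataclasses import dataclass

# Hypothetical "hide" profiles: profile name -> glob patterns for members whose
# differences are already known. Constructed for illustration only.
HIDE_PROFILES = {
    "apk-signature": ["META-INF/*.RSA", "META-INF/*.SF", "META-INF/MANIFEST.MF"],
}

@dataclass
class Result:
    shown: list      # differing members reported in full
    hidden: list     # differing members matched by an active profile
    exit_code: int   # 0 only when the inputs are bitwise identical

def compare(a: dict, b: dict, profiles=()) -> Result:
    """Compare two member-name -> bytes mappings (stand-ins for unpacked archives)."""
    patterns = [p for name in profiles for p in HIDE_PROFILES[name]]
    shown, hidden = [], []
    for member in sorted(set(a) | set(b)):
        if a.get(member) == b.get(member):
            continue
        # Assumption of this sketch: only a member present on both sides can be
        # hidden; an added or removed member is never treated as "known".
        known = member in a and member in b and any(
            fnmatch.fnmatchcase(member, p) for p in patterns)
        (hidden if known else shown).append(member)
    # The exit status follows bitwise identity, never what remains visible.
    return Result(shown, hidden, 1 if (shown or hidden) else 0)

def summary(r: Result) -> str:
    """One-line report that always states how many differences were hidden."""
    if r.exit_code == 0:
        return "identical"
    return f"{len(r.shown)} differences shown, {len(r.hidden)} differences hidden"

if __name__ == "__main__":
    # Constructed sample input: same code, different signature block.
    old = {"classes.dex": b"\x01\x02", "META-INF/CERT.RSA": b"sig-A"}
    new = {"classes.dex": b"\x01\x02", "META-INF/CERT.RSA": b"sig-B"}
    result = compare(old, new, profiles=["apk-signature"])
    print(summary(result))
    raise SystemExit(result.exit_code)
```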


Reproducible-builds mailing list
