Re: Verifying reproducible release builds
Emmanuel, On 1/15/23 04:41, Emmanuel Bourg wrote: Hi Christopher, Le 12/01/2023 à 23:24, Christopher Schultz a écrit : I spent some time today verifying that the release artifacts that Mark published the other day for 10.1.5 were indeed reproducible by me. Fortunately, they were, but it was a little bit of a process so I went ahead and documented it. https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build A couple of suggestions: - I'd use shasum rather than diff to compare the artifacts Fair enough. Neither command is available on Windows without installing anything separate, though. For the .sig files, simply viewing them (in pairs) is possible on Windows natively. I could put instructions for how to do that in the wiki. - if the artifacts are not identical, the diffoscope tool [1] can help identify the differences Good information to have, but not likely helpful for someone performing a verification. They would really only care that they were simply _not identical_, I think. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Verifying reproducible release builds
Hi Christopher, Le 12/01/2023 à 23:24, Christopher Schultz a écrit : I spent some time today verifying that the release artifacts that Mark published the other day for 10.1.5 were indeed reproducible by me. Fortunately, they were, but it was a little bit of a process so I went ahead and documented it. https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build A couple of suggestions: - I'd use shasum rather than diff to compare the artifacts - if the artifacts are not identical, the diffoscope tool [1] can help identify the differences Emmanuel Bourg [1] https://diffoscope.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Verifying reproducible release builds
All, I spent some time today verifying that the release artifacts that Mark published the other day for 10.1.5 were indeed reproducible by me. Fortunately, they were, but it was a little bit of a process so I went ahead and documented it. https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build Now, anybody can follow those instructions and perform a verifiable release build and sure that the process truly is repeatable and verifiable. I'd love it if anyone who is mildly interested in such things would (a) check my work in Confluence and (b) actually try the verification process on any of this month's builds to see if you are successful. Some things on my TODO list for this: 1. Allow verification without having to install+configure GPG 2. Allow verification using a "verify" ant build target This should be as straightforward as possible, so anyone wanting to see what is being done isn't confused by byzantine ant stuff. It should be as straightforward as a shell script with no functions or loops. Unfortunately, the existing ant script contains tasks at the top-level and not in a , so they occur before all targets. That means that we either need to have users wanting to verify builds create/modify one of the several build.properties files, or specify some properties on the command-line e.g. to disable GPG. I could also write a separate build-verify.xml which might be a bit more straightforward to both implement AND read by a potential verifier. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org