Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 12:42:28PM -0400, Ian Goldberg wrote:
> Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
> a bunch of cool tools (including diffoscope -- try it!) to help make
> reproducible builds.  (If you don't know what they are or why they're
> important, please see https://reproducible-builds.org/ .)
> 
> OK, I've got pidgin-otr (and its dependencies) to a place where I can
> build it on two different machines and get identical .exe (the
> installer) and .zip files out.  Now I'd like to see if others can get
> the same binaries as well.

We've had one non-reproduction reported.  It turns out you have to have
the "bison" package installed, or else the gettext dependency configures
itself differently.  Joy.

So apt-get install bison before doing the test.  After doing that, the
reproduction was indeed successful.  More data, please!

Thanks,

   - Ian
___
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 05:42 PM, Ian Goldberg wrote:
> Please report here either success, mismatched output (please include
> diffoscope output if possible), or build failures.  Please include your
> build environment.
>

Hi,

I've given it a try in a Docker Ubuntu image:

root@4834a628a4ed:~# cat /etc/issue
Ubuntu 14.04.4 LTS \n \l

I have not been able to reproduce the hashes. I've gotten these:

e417fde854fee1c53dc61d3fe76e2624d38b10b5991361cacd054ca3b8ca7d95  pidgin-otr-4.0.2.exe
5b54247a9b8300986a9dd881f5b34691e2eebef2cd116fbb3c7e5d168769fdf6  pidgin-otr-4.0.2-repro_jurre.zip

Diffoscope output and the binaries I've built can be found here:
http://jurrevanbergen.nl/otr/

Best,
Jurre





Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 07:35 PM, Jurre van Bergen wrote:
>
> On 03/20/2016 05:42 PM, Ian Goldberg wrote:
>> Please report here either success, mismatched output (please include
>> diffoscope output if possible), or build failures.  Please include your
>> build environment.
>>
> Hi,
>
> I've given it a try in a Docker Ubuntu image:
>
> root@4834a628a4ed:~# cat /etc/issue
> Ubuntu 14.04.4 LTS \n \l
>
> I have not been able to reproduce the hashes. I've gotten these:
>
> e417fde854fee1c53dc61d3fe76e2624d38b10b5991361cacd054ca3b8ca7d95  pidgin-otr-4.0.2.exe
> 5b54247a9b8300986a9dd881f5b34691e2eebef2cd116fbb3c7e5d168769fdf6  pidgin-otr-4.0.2-repro_jurre.zip
>
> Diffoscope output and the binaries I've built can be found here:
> http://jurrevanbergen.nl/otr/
>
> Best,
> Jurre
>
>
>
However, I will retry with installing the bison package first.

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 07:36:30PM +0100, Jurre van Bergen wrote:
> However, I will retry with installing the bison package first.

That wasn't the only issue (but it was indeed one of the issues).  The
other issue is that zip file you created had a "win32_export" top level
directory that shouldn't be there.  The Makefile.mingw cd's into that
directory before creating the zip, so I'm not sure why that would be
there?  (Also, your zip file had a different name from the one the
Makefile.mingw creates; did you rename it yourself?  Or did you create
the zipfile yourself instead of using the pidgin-otr-4.0.2.zip the
INSTALL.mingw program creates for you?)


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 07:41 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 07:36:30PM +0100, Jurre van Bergen wrote:
>> However, I will retry with installing the bison package first.
> That wasn't the only issue (but it was indeed one of the issues).  The
> other issue is that zip file you created had a "win32_export" top level
> directory that shouldn't be there.  The Makefile.mingw cd's into that
> directory before creating the zip, so I'm not sure why that would be
> there?  (Also, your zip file had a different name from the one the
> Makefile.mingw creates; did you rename it yourself?  Or did you create
> the zipfile yourself instead of using the pidgin-otr-4.0.2.zip the
> INSTALL.mingw program creates for you?)

I renamed that directory myself since it didn't zip it (I didn't have the
dependency installed).

- Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 07:45:37PM +0100, Jurre van Bergen wrote:
> On 03/20/2016 07:41 PM, Ian Goldberg wrote:
> > On Sun, Mar 20, 2016 at 07:36:30PM +0100, Jurre van Bergen wrote:
> >> However, I will retry with installing the bison package first.
> > That wasn't the only issue (but it was indeed one of the issues).  The
> > other issue is that zip file you created had a "win32_export" top level
> > directory that shouldn't be there.  The Makefile.mingw cd's into that
> > directory before creating the zip, so I'm not sure why that would be
> > there?  (Also, your zip file had a different name from the one the
> > Makefile.mingw creates; did you rename it yourself?  Or did you create
> > the zipfile yourself instead of using the pidgin-otr-4.0.2.zip the
> > INSTALL.mingw program creates for you?)
> 
> I renamed that directory myself since it didn't zip it (I didn't have the
> dependency installed).

This is a first cut of the required packages:

sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
wget diffutils findutils build-essential automake patch \
perl-base

[Well, the above and their dependencies, of course.]

If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
packages, and let me know what happens, that would be great!

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 07:55 PM, Ian Goldberg wrote:
>
> This is a first cut of the required packages:
>
> sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
> wget diffutils findutils build-essential automake patch \
>   perl-base
>
> [Well, the above and their dependencies, of course.]
>
> If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
> packages, and let me know what happens, that would be great!
>
> Thanks,
>
>    - Ian
>

Building as we speak. Just before, I got to match the exe with the one
you have. The zip doesn't match yet. Let's see if we can pull this off now!

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 08:05:42PM +0100, Jurre van Bergen wrote:
> Building as we speak. Just before, I got to match the exe with the one
> you have.

Awesome!

> The zip doesn't match yet. Let's see if we can pull this off now!

Be sure to let the Makefile build the zip, since it has to run zip
under faketime in order to fix the timestamp in the zip header itself
(which is different from the timestamps on the files within the zip
archive).

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 07:55 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 07:45:37PM +0100, Jurre van Bergen wrote:
>> On 03/20/2016 07:41 PM, Ian Goldberg wrote:
>>> On Sun, Mar 20, 2016 at 07:36:30PM +0100, Jurre van Bergen wrote:
>>>> However, I will retry with installing the bison package first.
>>> That wasn't the only issue (but it was indeed one of the issues).  The
>>> other issue is that zip file you created had a "win32_export" top level
>>> directory that shouldn't be there.  The Makefile.mingw cd's into that
>>> directory before creating the zip, so I'm not sure why that would be
>>> there?  (Also, your zip file had a different name from the one the
>>> Makefile.mingw creates; did you rename it yourself?  Or did you create
>>> the zipfile yourself instead of using the pidgin-otr-4.0.2.zip the
>>> INSTALL.mingw program creates for you?)
>> I renamed that directory myself since it didn't zip it (I didn't have the
>> dependency installed).
> This is a first cut of the required packages:
>
> sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
> wget diffutils findutils build-essential automake patch \
>   perl-base

I'd like to add `apt-get install gettext`. Otherwise we run into the
following issue:

potomo: './po/cs.po' keeping UTF-8  
./potomo: 56: ./potomo: msgfmt: not found

msgfmt is shipped in gettext.

Also, we need libtool: apt-get install libtool


> [Well, the above and their dependencies, of course.]
>
> If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
> packages, and let me know what happens, that would be great!

Now, what is interesting is this required packages list from above broke
my build completely. I now get:

+ cd libotr-4.1.1
+ unset CFLAGS
+ unset LDFLAGS
+ ./bootstrap
+ '[' '!' -e config ']'
+ autoreconf -i
configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
configure.ac:31: error: possibly undefined macro: AM_PATH_LIBGCRYPT
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
+ ./configure --with-pic --host=i586-mingw32msvc
--prefix=/usr/i586-mingw32msvc --enable-static --disable-shared
--with-libgcrypt-prefix=/usr/i586-mingw32msvc
configure: WARNING: unrecognized options: --with-libgcrypt-prefix

David and myself are trying to debug this over an instant messaging
channel. No idea why this broke now and not before.

Reproducible builds are interesting :)

Best,
Jurre



Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread David Goulet
On 20 Mar (12:42:28), Ian Goldberg wrote:
> Thanks to Lunar and dkg at the Internet Freedom Festival for showing me
> a bunch of cool tools (including diffoscope -- try it!) to help make
> reproducible builds.  (If you don't know what they are or why they're
> important, please see https://reproducible-builds.org/ .)
> 
> OK, I've got pidgin-otr (and its dependencies) to a place where I can
> build it on two different machines and get identical .exe (the
> installer) and .zip files out.  Now I'd like to see if others can get
> the same binaries as well.
> 
> My build environment is a 64-bit Ubuntu 14.04, with packages updated to
> today (20 Mar 2016).  TODO: make an explicit list of required packages
> and their versions, and perhaps some automated way to create a virtual
> machine, install those packages, and proceed (gitian?).
> 
> If you have a similar build environment, I'd love to see whether you can
> reproduce these results.  If you have a different one, I'd still be
> interested to see what comes out differently.
> 
> If you want to give it a go:
> 
> wget https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> tar xzvvf pidgin-otr-4.0.2-repro.tar.gz
> cd pidgin-otr-4.0.2
> time bash -x INSTALL.mingw
> 
> 
> Note that the INSTALL.mingw script does some sudo stuff: it needs to
> install some packages you may not have (mingw32 nsis faketime) and
> install the dependency libraries in /usr/i586-mingw32msvc/.
> 
> This build also does *not* build the Windows GTK or pidgin libraries
> from source.  It simply downloads them from the Internet, but does check
> their sha256 checksums for correctness.  It would be great if those two
> projects also published reproducible builds of those libraries, of
> course.
> 
> When it's done (it takes about 6 minutes on my machines), see if you
> match:
> 
> $ sha256sum pidgin-otr-4.0.2.{exe,zip}
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe

Success:
cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe

> aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip

Zip is a failure, (like Jurre):

0184dbd6c912d8073dd4a101e631c43ca89029c557964b56b71fc8d5c8793075  pidgin-otr-4.0.2.zip

Not sure why, I'll run diffoscope to find out what is different.

Thanks!
David

> 
> If you don't, you can grab the files I created (independently on two
> machines) from here and use diffoscope to see what the differences are
> with your version:
> 
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.exe
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.zip
> 
> https://diffoscope.org/  (you can install it yourself, or just use the
> online version at https://try.diffoscope.org/)
> 
> 
> Please report here either success, mismatched output (please include
> diffoscope output if possible), or build failures.  Please include your
> build environment.
> 
> Thanks,
> 
>    - Ian




Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 08:57:24PM +0100, Jurre van Bergen wrote:
> > [Well, the above and their dependencies, of course.]
> >
> > If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
> > packages, and let me know what happens, that would be great!
> 
> Now, what is interesting is this required packages list from above broke
> my build completely. I now get:
> 
> + cd libotr-4.1.1
> + unset CFLAGS
> + unset LDFLAGS
> + ./bootstrap
> + '[' '!' -e config ']'
> + autoreconf -i
> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
> configure.ac:31: error: possibly undefined macro: AM_PATH_LIBGCRYPT

This means it can't find /usr/i586-mingw32msvc/share/aclocal/libgcrypt.m4.
Aha: it's probably looking for the *native* one and failing.

But that said, we shouldn't actually have to run autoreconf (or
bootstrap) at all.  Can you try just removing "./bootstrap" from
INSTALL.mingw and see what happens?

> David and myself are trying to debug this over an instant messaging
> channel. No idea why this broke now and not before.

Did you perhaps have libgcrypt20-dev installed before, but not now?

> Reproducible builds are interesting :)

Indeed.  Thanks for helping out!


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 03:55:16PM -0400, David Goulet wrote:
> > When it's done (it takes about 6 minutes on my machines), see if you
> > match:
> > 
> > $ sha256sum pidgin-otr-4.0.2.{exe,zip}
> > cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
> 
> Success:
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe

Whee!  That means the contents of the zipfile are going to be correct,
but something about the zipping itself messed up.

> > aafad53d2aafa8deff613124a5027e3ab3bcfee73f23dea2a4191beb1dfad238  pidgin-otr-4.0.2.zip
> 
> Zip is a failure, (like Jurre):
> 
> 0184dbd6c912d8073dd4a101e631c43ca89029c557964b56b71fc8d5c8793075  pidgin-otr-4.0.2.zip
> 
> Not sure why, I'll run diffoscope to find out what is different.

Can you stick the zip file online somewhere?

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 09:03 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 08:57:24PM +0100, Jurre van Bergen wrote:
>>> [Well, the above and their dependencies, of course.]
>>>
>>> If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
>>> packages, and let me know what happens, that would be great!
>> Now, what is interesting is this required packages list from above broke
>> my build completely. I now get:
>>
>> + cd libotr-4.1.1
>> + unset CFLAGS
>> + unset LDFLAGS
>> + ./bootstrap
>> + '[' '!' -e config ']'
>> + autoreconf -i
>> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
>> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
>> configure.ac:31: error: possibly undefined macro: AM_PATH_LIBGCRYPT
> This means it can't find /usr/i586-mingw32msvc/share/aclocal/libgcrypt.m4.
> Aha: it's probably looking for the *native* one and failing.
>
> But that said, we shouldn't actually have to run autoreconf (or
> bootstrap) at all.  Can you try just removing "./bootstrap" from
> INSTALL.mingw and see what happens?

Will do!

>
>> David and myself are trying to debug this over an instant messaging
>> channel. No idea why this broke now and not before.
> Did you perhaps have libgcrypt20-dev installed before, but not now?

Not at all, it's a clean and super minimal ubuntu 14.04 userland. 64mb
as the base. No libgcrypt can be found.

>
>> Reproducible builds are interesting :)
> Indeed.  Thanks for helping out!

My pleasure!



Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 09:06 PM, Jurre van Bergen wrote:
>
> On 03/20/2016 09:03 PM, Ian Goldberg wrote:
>> On Sun, Mar 20, 2016 at 08:57:24PM +0100, Jurre van Bergen wrote:
>>>> [Well, the above and their dependencies, of course.]
>>>>
>>>> If you could try a bare-bones Ubuntu 14.04 Docker, plus the above
>>>> packages, and let me know what happens, that would be great!
>>> Now, what is interesting is this required packages list from above broke
>>> my build completely. I now get:
>>>
>>> + cd libotr-4.1.1
>>> + unset CFLAGS
>>> + unset LDFLAGS
>>> + ./bootstrap
>>> + '[' '!' -e config ']'
>>> + autoreconf -i
>>> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
>>> configure.ac:31: warning: macro 'AM_PATH_LIBGCRYPT' not found in library
>>> configure.ac:31: error: possibly undefined macro: AM_PATH_LIBGCRYPT
>> This means it can't find /usr/i586-mingw32msvc/share/aclocal/libgcrypt.m4.
>> Aha: it's probably looking for the *native* one and failing.
>>
>> But that said, we shouldn't actually have to run autoreconf (or
>> bootstrap) at all.  Can you try just removing "./bootstrap" from
>> INSTALL.mingw and see what happens?
> Will do!
>
>>> David and myself are trying to debug this over an instant messaging
>>> channel. No idea why this broke now and not before.
>> Did you perhaps have libgcrypt20-dev installed before, but not now?
> Not at all, it's a clean and super minimal ubuntu 14.04 userland. 64mb
> as the base. No libgcrypt can be found.
>
>>> Reproducible builds are interesting :)
>> Indeed.  Thanks for helping out!
> My pleasure!
>

Whee!

cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
f93499735b0d2f66091ab4fd1f2de99ff525b69e0bcd623b486d5b755a3cbe59  pidgin-otr-4.0.2.zip

The zip isn't correct, I have uploaded it for reference:
http://jurrevanbergen.nl/otr/pidgin-otr-4.0.2.zip

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 09:23:20PM +0100, Jurre van Bergen wrote:
> Whee!
> 
> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
> f93499735b0d2f66091ab4fd1f2de99ff525b69e0bcd623b486d5b755a3cbe59  pidgin-otr-4.0.2.zip
> 
> The zip isn't correct, I have uploaded it for reference:
> http://jurrevanbergen.nl/otr/pidgin-otr-4.0.2.zip

The zip files are in fact different, but they have identical content (as
expected, since the nsis installer is indeed reproducible).  And the
differences aren't just in the header, either!  (Maybe a per-file
header?)

Can you confirm the zip program you are using is:

ii  zip  3.0-8  amd64  Archiver for .zip files

$ ls -l /usr/bin/zip
-rwxr-xr-x 1 root root 188296 Oct 21  2013 /usr/bin/zip

$ sha256sum /usr/bin/zip
999c1a1ee93fb610bd86d18533fea233d06eaa52a070f424779a5b9d989fcf48  /usr/bin/zip

?

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 09:30 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 09:23:20PM +0100, Jurre van Bergen wrote:
>> Whee!
>>
>> cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
>> f93499735b0d2f66091ab4fd1f2de99ff525b69e0bcd623b486d5b755a3cbe59  pidgin-otr-4.0.2.zip
>>
>> The zip isn't correct, I have uploaded it for reference:
>> http://jurrevanbergen.nl/otr/pidgin-otr-4.0.2.zip
> The zip files are in fact different, but they have identical content (as
> expected, since the nsis installer is indeed reproducible).  And the
> differences aren't just in the header, either!  (Maybe a per-file
> header?)

https://wiki.debian.org/ReproducibleBuilds/TimestampsInZip

I think that tells us all we need to know!

>
> Can you confirm the zip program you are using is:
>
> ii  zip  3.0-8  amd64  Archiver for .zip files
>
> $ ls -l /usr/bin/zip
> -rwxr-xr-x 1 root root 188296 Oct 21  2013 /usr/bin/zip
>
> $ sha256sum /usr/bin/zip
> 999c1a1ee93fb610bd86d18533fea233d06eaa52a070f424779a5b9d989fcf48  /usr/bin/zip
>

root@861d243e8262:~/pidgin-otr-4.0.2# dpkg --list | grep zip
ii  bzip2   1.0.6-5         amd64  high-quality block-sorting file compressor - utilities
ii  gzip    1.6-3ubuntu1    amd64  GNU compression utilities
ii  unzip   6.0-9ubuntu1.5  amd64  De-archiver for .zip files
ii  zip     3.0-8           amd64  Archiver for .zip files

root@861d243e8262:~/pidgin-otr-4.0.2# ls -l /usr/bin/zip
-rwxr-xr-x 1 root root 188296 Oct 21  2013 /usr/bin/zip

root@861d243e8262:~/pidgin-otr-4.0.2# sha256sum /usr/bin/zip
999c1a1ee93fb610bd86d18533fea233d06eaa52a070f424779a5b9d989fcf48  /usr/bin/zip



Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 04:30:44PM -0400, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 09:23:20PM +0100, Jurre van Bergen wrote:
> > Whee!
> > 
> > cab715f8805a800cef678adc1b46c1aa551e3e14e454a909d8269a0afac05d8c  pidgin-otr-4.0.2.exe
> > f93499735b0d2f66091ab4fd1f2de99ff525b69e0bcd623b486d5b755a3cbe59  pidgin-otr-4.0.2.zip
> > 
> > The zip isn't correct, I have uploaded it for reference:
> > http://jurrevanbergen.nl/otr/pidgin-otr-4.0.2.zip
> 
> The zip files are in fact different, but they have identical content (as
> expected, since the nsis installer is indeed reproducible).  And the
> differences aren't just in the header, either!  (Maybe a per-file
> header?)
> 
> Can you confirm the zip program you are using is:
> 
> ii  zip  3.0-8  amd64  Archiver for .zip files
> 
> $ ls -l /usr/bin/zip
> -rwxr-xr-x 1 root root 188296 Oct 21  2013 /usr/bin/zip
> 
> $ sha256sum /usr/bin/zip
> 999c1a1ee93fb610bd86d18533fea233d06eaa52a070f424779a5b9d989fcf48  /usr/bin/zip

It's not the timestamps; I was sure to set those properly.

Aha!  When I cmp -l them, I get a whole lot of differences like this:

7042774 350   0
7042775   3   0
7042779 350   0
7042780   3   0

When you translate the octal values 0350, 0003 to a 2-byte little-endian
decimal number, it's 1000.  That is my uid.  So it seems zip files
store uids?  Who knew?  *headdesk*  "unzip -lv" doesn't show them.

So it seems you're building as root, while I was building as uid 1000.
Perhaps fakeroot is the answer?  But what else is hiding in there that's
not visible?  Permissions (group writable, etc.) on the files?  Anyone
here know zip/unzip really well?


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
OK, here we go.  "unzip -Zv" for the win.  Here's the diff of the output
of that for my and your zip files.  So there is indeed file permission
and uid/gid information in a zip file; the former is easy to fix with
chmod, and the latter with fakeroot.  There's also a timestamp
difference in the "DOS time" due to timezones.  Hopefully that can be
fixed by simply setting TZ=UTC (the wiki page you pointed to says it
should).

OK, I'll try to make this zip file deterministic.  We'll see whether that
happens today or not, though.

Thanks, all!

   - Ian


--- /dev/fd/63  2016-03-20 16:45:07.214391423 -0400
+++ /dev/fd/62  2016-03-20 16:45:07.218391423 -0400
@@ -1,4 +1,4 @@
-Archive:  pidgin-otr-4.0.2.zip
+Archive:  pidgin-otr-4.0.2-jurre.zip
 There is no zipfile comment.
 
 End-of-central-directory record:
@@ -31,7 +31,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): 3426caf9
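Review bot: the DOS date/time line in this hunk is the only timestamp that differs (11:56:38 against 15:56:38), while both "UT extra field modtime" context lines are identical on the two sides, so the entries carry the same instant and the four-hour gap is the builder's timezone leaking into the local-time DOS field. Pinning the timezone for the zip step (TZ=UTC, as the message above proposes) should make this line match; the same comment applies to each later hunk that shows this line pair.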
@@ -68,7 +68,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): ca2bb9c7
@@ -105,7 +105,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): fdef15a5
@@ -142,7 +142,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): 138ff7da
@@ -179,7 +179,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): de94043e
@@ -216,7 +216,7 @@
   compression sub-type (deflation):   normal
   file security status:   not encrypted
   extended local header:  no
-  file last modified on (DOS date/time):  2016 Mar 20 11:56:38
+  file last modified on (DOS date/time):  2016 Mar 20 15:56:38
   file last modified on (UT extra field modtime): 2016 Mar 20 11:56:37 local
   file last modified on (UT extra field modtime): 2016 Mar 20 15:56:37 UTC
   32-bit CRC value (hex): 49a2168c
@@ -227,14 +227,14 @@
   length of file comment: 0 characters
   disk number on which file begins:   disk 1
   apparent file type: binary
-  Unix file attributes (100664 octal):-rw-rw-r--
+  Unix file attributes (100644 octal):-rw-r--r--
   MS-DOS file attributes (00 hex):none
 
   The central-directory extra field contains:
   - A subfield with ID 0x5455 (universal time) and 5 data bytes.
 The local extra field has UTC/GMT modification/access times.
   - A subfield with ID 0x7875 (Unix UID/GID (any size)) and 11 data bytes:
-01 04 e8 03 00 00 04 e8 03 00 00.
+01 04 00 00 00 00 04 00 00 00 00.
 
   There is no file comment.
 
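Review bot: both changed pairs in this hunk are build-environment leaks rather than content differences: the Unix file attributes line shows a group-write bit on one side only (100664 against 100644), and the 0x7875 subfield bytes carry the builder's ids (e8 03 00 00 is 1000 little-endian, against 00 00 00 00). Normalising permissions on the tree before zipping and leaving the Unix UID/GID subfield out of the archive would remove both; the 0x5455 universal-time subfield in the context lines is per-build metadata of the same kind and is worth dropping or pinning along with it.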
@@ -253,7 +253,7 @@
   compression sub-type (deflation):   normal
   file security status:  

Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 04:51:59PM -0400, Ian Goldberg wrote:
> OK, here we go.  "unzip -Zv" for the win.  Here's the diff of the output
> of that for my and your zip files.  So there is indeed file permission
> and uid/gid information in a zip file; the former is easy to fix with
> chmod, and the latter with fakeroot.  There's also a timestamp
> difference in the "DOS time" due to timezones.  Hopefully that can be
> fixed by simply setting TZ=UTC (the wiki page you pointed to says it
> should).
> 
> OK, I'll try to make this zip file deterministic.  We'll see whether that
> happens today or not, though.

Ah, I went ahead and made the changes.  It's actually better than I
thought.  We don't need to run zip under faketime if we use the -o
option (which sets the timestamp for the archive itself to equal the
oldest timestamp of a file in the archive).  We also add the -X option,
which removes Unix uid/gids and extended timestamps from the zip file
entirely.  We also use chmod -R u=rwX,go=rX to canonicalize the
permissions on the files.

I've updated the source tarball in place:

https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz

Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
now installs all the packages you suggested.)

I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)

Thanks,

   - Ian
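
The per-entry metadata this thread tracks down (builder-local DOS time, Unix mode bits, and the 0x7875 uid/gid subfield), as an added Python example that is not part of the original messages or of pidgin-otr's build scripts: it reads those fields from the central directory, reports which ones differ between two archives, and rewrites both into a canonical form. The entry names, payloads and every function name are constructed for illustration; `canonicalize` is a Python analogue of the TZ=UTC, chmod and `zip -X` steps, not Info-ZIP's own behaviour.

```python
import calendar
import hashlib
import io
import struct
import time
import zipfile

UT_ID, UNIX_ID = 0x5455, 0x7875  # extra-field IDs named in the "unzip -Zv" output


def build_zip(files, epoch, tz_hours, mode, uid, gid):
    """Constructed sample: write the per-entry metadata Info-ZIP records by default."""
    local = time.gmtime(epoch + tz_hours * 3600)[:6]  # DOS time is builder-local
    ut = struct.pack("<HHBI", UT_ID, 5, 1, epoch)     # flags=1: mtime present
    ids = struct.pack("<BBIBI", 1, 4, uid, 4, gid)    # version, sized uid, sized gid
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            zi = zipfile.ZipInfo(name, date_time=local)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = 3                      # Unix
            zi.external_attr = (0o100000 | mode) << 16
            zi.extra = ut + struct.pack("<HH", UNIX_ID, len(ids)) + ids
            zf.writestr(zi, files[name])
    return buf.getvalue()


def extra_fields(extra):
    """Yield (id, data) for each subfield of a zip extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        yield fid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def hidden_metadata(blob):
    """Per-entry central-directory metadata, including what "unzip -lv" omits."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            meta = {"crc": zi.CRC, "dos_time": zi.date_time,
                    "mode": (zi.external_attr >> 16) & 0o7777}
            for fid, data in extra_fields(zi.extra):
                if fid == UT_ID and len(data) >= 5:
                    meta["ut_mtime"] = struct.unpack_from("<I", data, 1)[0]
                elif fid == UNIX_ID and len(data) >= 3 and len(data) >= 3 + data[1]:
                    n = data[1]                       # uid size in bytes
                    m = data[2 + n]                   # gid size in bytes
                    meta["uid"] = int.from_bytes(data[2:2 + n], "little")
                    meta["gid"] = int.from_bytes(data[3 + n:3 + n + m], "little")
            out[zi.filename] = meta
    return out


def differing_fields(a, b):
    """Map entry name -> sorted metadata fields that differ between two archives."""
    ma, mb = hidden_metadata(a), hidden_metadata(b)
    return {name: sorted(k for k in ma[name] if ma[name][k] != mb[name].get(k))
            for name in ma if name in mb and ma[name] != mb[name]}


def canonicalize(blob):
    """Re-pack with UTC DOS times, u=rwX,go=rX modes and no extra fields."""
    meta = hidden_metadata(blob)
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for zi in sorted(src.infolist(), key=lambda z: z.filename):
            m = meta[zi.filename]
            # Without a UT field the local DOS time is all we have; keep it.
            utc = time.gmtime(m["ut_mtime"])[:6] if "ut_mtime" in m else zi.date_time
            out = zipfile.ZipInfo(zi.filename, date_time=utc)
            out.compress_type = zipfile.ZIP_DEFLATED
            out.create_system = 3
            mode = 0o755 if m["mode"] & 0o111 else 0o644   # chmod's capital X rule
            out.external_attr = (0o100000 | mode) << 16
            dst.writestr(out, src.read(zi))
    return buf.getvalue()


# Constructed inputs: same content, built as uid 1000 in UTC-4 and as root in UTC.
FILES = {"plugin.dll": b"constructed payload " * 50, "README.txt": b"constructed\n"}
EPOCH = calendar.timegm((2016, 3, 20, 15, 56, 38))
ZIP_A = build_zip(FILES, EPOCH, -4, 0o664, 1000, 1000)
ZIP_B = build_zip(FILES, EPOCH, 0, 0o644, 0, 0)

if __name__ == "__main__":
    for name, fields in sorted(differing_fields(ZIP_A, ZIP_B).items()):
        print(name, "differs in", fields)
    for label, blob in (("A", ZIP_A), ("B", ZIP_B)):
        print(label, hashlib.sha256(blob).hexdigest()[:16], "->",
              hashlib.sha256(canonicalize(blob)).hexdigest()[:16])
```
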


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 05:20:08PM -0400, Ian Goldberg wrote:
> Ah, I went ahead and made the changes.  It's actually better than I
> thought.  We don't need to run zip under faketime if we use the -o
> option (which sets the timestamp for the archive itself to equal the
> oldest timestamp of a file in the archive).  We also add the -X option,
> which removes Unix uid/gids and extended timestamps from the zip file
> entirely.  We also use chmod -R u=rwX,go=rX to canonicalize the
> permissions on the files.
> 
> I've updated the source tarball in place:
> 
> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> 
> Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
> now installs all the packages you suggested.)
> 
> I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)

OK, built.  The above tarball, whose hash is itself:

22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz

generates these files for me:

19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip

How about you?

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 10:20 PM, Ian Goldberg wrote:
> Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
> now installs all the packages you suggested.)
>
> I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)

I'm running a build. My home connection is super slow so it will take a
while.

I'll let you know.

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 10:25 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 05:20:08PM -0400, Ian Goldberg wrote:
>> Ah, I went ahead and made the changes.  It's actually better than I
>> thought.  We don't need to run zip under faketime if we use the -o
>> option (which sets the timestamp for the archive itself to equal the
>> oldest timestamp of a file in the archive).  We also add the -X option,
>> which removes Unix uid/gids and extended timestamps from the zip file
>> entirely.  We also use chmod -R u=rwX,go=rX to canonicalize the
>> permissions on the files.
>>
>> I've updated the source tarball in place:
>>
>> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
>>
>> Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
>> now installs all the packages you suggested.)
>>
>> I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)
> OK, built.  The above tarball, whose hash is itself:
>
> 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
>
> generates these files for me:
>
> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
>
> How about you?
>
>    - Ian
>

Woohoo!

root@5036add14019:~/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*

19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip

Seems we got a full matching build!

I did the following change:

sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
wget diffutils findutils build-essential automake patch \
perl-base coreutils libtool -y

sudo apt-get install gettext -y

First we install bison so we're sure it can configure gettext and be safe.

Yay! :)

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 11:21:39PM +0100, Jurre van Bergen wrote:
> > OK, built.  The above tarball, whose hash is itself:
> >
> > 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
> >
> > generates these files for me:
> >
> > 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> > 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
> >
> > How about you?
> >
> >    - Ian
> >
> 
> Woohoo!
> 
> root@5036add14019:~/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
> 
> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
> 
> Seems we got a full matching build!

Yay!!!  Would anyone else like to try, perhaps on Debian or something?

> I did the following change:
> 
> sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
> wget diffutils findutils build-essential automake patch \
> perl-base coreutils libtool -y
> 
> sudo apt-get install gettext -y
> 
> First we install bison so we're sure it can configure gettext and be safe.

Do you think that's needed?  bison is a compile-time configuration for
gettext, not run-time.  We need bison to build the Windows version of
gettext, not to use the Linux version, I think?

But the "-y", sure.  :-)

Thanks again!

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread Jurre van Bergen


On 03/20/2016 11:26 PM, Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 11:21:39PM +0100, Jurre van Bergen wrote:
>>> OK, built.  The above tarball, whose hash is itself:
>>>
>>> 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
>>>
>>> generates these files for me:
>>>
>>> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
>>> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
>>>
>>> How about you?
>>>
>>>    - Ian
>>>
>> Woohoo!
>>
>> root@5036add14019:~/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
>>
>> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
>> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
>>
>> Seems we got a full matching build!
> Yay!!!  Would anyone else like to try, perhaps on Debian or something?

Seems to go wrong here: https://paste.debian.net/hidden/16c109b6/

>
>> I did the following change:
>>
>> sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
>> wget diffutils findutils build-essential automake patch \
>> perl-base coreutils libtool -y
>>
>> sudo apt-get install gettext -y
>>
>> First we install bison so we're sure it can configure gettext and be safe.
> Do you think that's needed?  bison is a compile-time configuration for
> gettext, not run-time.  We need bison to build the Windows version of
> gettext, not to use the Linux version, I think?
Doesn't seem necessary indeed! I got a matching build without my
modifications. Myth busted!

>
> But the "-y", sure.  :-)
:-)

Best,
Jurre



Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread David Goulet
On 20 Mar (17:25:27), Ian Goldberg wrote:
> On Sun, Mar 20, 2016 at 05:20:08PM -0400, Ian Goldberg wrote:
> > Ah, I went ahead and made the changes.  It's actually better than I
> > thought.  We don't need to run zip under faketime if we use the -o
> > option (which sets the timestamp for the archive itself to equal the
> > oldest timestamp of a file in the archive).  We also add the -X option,
> > which removes Unix uid/gids and extended timestamps from the zip file
> > entirely.  We also use chmod -R u=rwX,go=rX to canonicalize the
> > permissions on the files.
> > 
> > I've updated the source tarball in place:
> > 
> > https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
> > 
> > Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
> > now installs all the packages you suggested.)
> > 
> > I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)
> 
> OK, built.  The above tarball, whose hash is itself:
> 
> 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
> 
> generates these files for me:
> 
> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip

Success for me :)

19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip

Cheers!
David

> 
> How about you?
> 
>    - Ian




Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread HW42
Ian Goldberg:
> On Sun, Mar 20, 2016 at 05:20:08PM -0400, Ian Goldberg wrote:
>> Ah, I went ahead and made the changes.  It's actually better than I
>> thought.  We don't need to run zip under faketime if we use the -o
>> option (which sets the timestamp for the archive itself to equal the
>> oldest timestamp of a file in the archive).  We also add the -X option,
>> which removes Unix uid/gids and extended timestamps from the zip file
>> entirely.  We also use chmod -R u=rwX,go=rX to canonicalize the
>> permissions on the files.
>> 
>> I've updated the source tarball in place:
>> 
>> https://cs.uwaterloo.ca/~iang/pidgin-otr-4.0.2-repro.tar.gz
>> 
>> Unpack it, and just run INSTALL.mingw against a clean Ubuntu 14.04.  (It
>> now installs all the packages you suggested.)
>> 
>> I'm building it now myself.  Let's compare hashes in a few minutes.  ;-)
> 
> OK, built.  The above tarball, whose hash is itself:
> 
> 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
> 
> generates these files for me:
> 
> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
> 
> How about you?

I can reproduce this in an Ubuntu Trusty chroot (/proc and /dev/shm need
to be mounted).

I tested (most) of the variations from [0]. I found only one problem:
In Makefile.mingw:148 it should be LC_ALL=C instead of LANG=C else the
locale settings can change the sort order of the files in the zip.

> [...]
> This means it can't find /usr/i586-mingw32msvc/share/aclocal/libgcrypt.m4.
> Aha: it's probably looking for the *native* one and failing.
> 
> But that said, we shouldn't actually have to run autoreconf (or
> bootstrap) at all.  Can you try just removing "./bootstrap" from
> INSTALL.mingw and see what happens?

Another option is to set ACLOCAL_PATH:

  export ACLOCAL_PATH=/usr/i586-mingw32msvc/share/aclocal


HW42

[0]: https://tests.reproducible-builds.org/reproducible.html#variation





Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-20 Thread John Menerick
Works for me on Kali Rolling 

19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe

7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip


Warmly,

John Menerick
https://securesql.info


> On Mar 20, 2016, at 3:26 PM, Ian Goldberg wrote:
> 
> On Sun, Mar 20, 2016 at 11:21:39PM +0100, Jurre van Bergen wrote:
>>> OK, built.  The above tarball, whose hash is itself:
>>> 
>>> 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
>>> 
>>> generates these files for me:
>>> 
>>> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
>>> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
>>> 
>>> How about you?
>>> 
>>>   - Ian
>> 
>> Woohoo!
>> 
>> root@5036add14019:~/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
>> 
>> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
>> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
>> 
>> Seems we got a full matching build!
> 
> Yay!!!  Would anyone else like to try, perhaps on Debian or something?
> 
>> I did the following change:
>> 
>> sudo apt-get install mingw32 nsis faketime bison zip unzip tar \
>>wget diffutils findutils build-essential automake patch \
>>perl-base coreutils libtool -y
>> 
>> sudo apt-get install gettext -y
>> 
>> First we install bison so we're sure it can configure gettext and be safe.
> 
> Do you think that's needed?  bison is a compile-time configuration for
> gettext, not run-time.  We need bison to build the Windows version of
> gettext, not to use the Linux version, I think?
> 
> But the "-y", sure.  :-)
> 
> Thanks again!
> 
>   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-21 Thread Ian Goldberg
On Mon, Mar 21, 2016 at 12:07:02AM +0100, Jurre van Bergen wrote:
> > Yay!!!  Would anyone else like to try, perhaps on Debian or something?
> 
> Seems to go wrong here: https://paste.debian.net/hidden/16c109b6/

Hmm.  I could easily believe the output would be different on a
different distro (different versions of various packages, etc.), but
that it totally failed to build is a little odder.  Does Debian use a
different path from /usr/i586-mingw32msvc/ for its mingw32 stuff,
perchance?

If we want the Windows binary to build on Debian, some Debian-using
person will likely need to debug this.



Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-21 Thread Ian Goldberg
On Mon, Mar 21, 2016 at 03:44:48AM +0100, HW42 wrote:
> > OK, built.  The above tarball, whose hash is itself:
> > 
> > 22c6a6c250ca277e36ffed1ff1bd6d366209664471c80c3c507f8811ba5c28da  pidgin-otr-4.0.2-repro.tar.gz
> > 
> > generates these files for me:
> > 
> > 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> > 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
> > 
> > How about you?
> 
> I can reproduce this in an Ubuntu Trusty chroot (/proc and /dev/shm need
> to be mounted).
> 
> I tested (most) of the variations from [0]. I found only one problem:
> In Makefile.mingw:148 it should be LC_ALL=C instead of LANG=C else the
> locale settings can change the sort order of the files in the zip.

Ah, good catch, thanks!  Pushed to git.

> > This means it can't find /usr/i586-mingw32msvc/share/aclocal/libgcrypt.m4.
> > Aha: it's probably looking for the *native* one and failing.
> > 
> > But that said, we shouldn't actually have to run autoreconf (or
> > bootstrap) at all.  Can you try just removing "./bootstrap" from
> > INSTALL.mingw and see what happens?
> 
> Another option is to set ACLOCAL_PATH:
> 
>   export ACLOCAL_PATH=/usr/i586-mingw32msvc/share/aclocal

Yes, but we really don't want to be re-autoconfing, anyway.

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-21 Thread Ian Goldberg
On Sun, Mar 20, 2016 at 09:28:43PM -0700, John Menerick wrote:
> Works for me on Kali Rolling 
> 
> 19f315c8317105a89d5b6fde6c2caa63ffa2e150df5fb0d67ee20ac985b0b191  pidgin-otr-4.0.2.exe
> 
> 7e9dc2175591d7aabc9f96e737817fa917f3e4441b62727bb9730e516c47822e  pidgin-otr-4.0.2.zip
> 
> 
> Warmly,
> 
> John Menerick
> https://securesql.info

Wow; I didn't really expect it to work on a totally different distro.
Very cool!

This weekend is the first time that I know of that anyone other than me
and my former student Rob has ever even *tried to build* the Windows
binary.  And it's reproducible from the tarball, w00t!  :-)

So now that we can reproduce from the tarball, we should try to make the
tarball itself reproducible from git.  This is better than just making
the binary reproducible directly from git, since (a) we do distribute the
tarball, and we want people to be able to check that the tarball we
distribute does not have anything snuck in there that doesn't come from
git, and (b) the pidgin-otr Windows binary build process just downloads
the libotr source tarball (it does not try to access the libotr git), so
the libotr tarball should itself be a reproducible build from its git.

So who knows how to make a reproducible tarball?  We'd need to
normalize:
- The order of the files (I think make dist already does this, though)
- The timestamps (--mtime), owners (--owner, --group), permissions (I
  guess we could chmod the files first, or some combination of
  --no-same-permissions and umask?) of the files
- Anything else?

And getting autoconf to get the "make dist" target actually *do* that
might take some examining, but worst case, we can override $TAR or
$am__tar, I suppose.

Thanks again, all.  Welcome to spring!  [He says as there's a light
dusting of snow on the ground after a couple of weeks in the
plus-teens-Celsius range.]

   - Ian
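
The normalization list in the message above (file order, timestamps, owners, permissions), together with the LC_ALL=C point raised earlier in the thread, as an added example that is not part of the thread or of the project's build scripts. It assumes GNU tar, GNU find/sort and gzip; the function names, the sample tree and the epoch value are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a byte-for-byte reproducible .tar.gz from a source tree.
# Assumes GNU tar, GNU find/sort (-print0 / -z) and gzip. All names are hypothetical.

# make_repro_tarball SRC_DIR OUT_FILE EPOCH
# - File order: names are sorted bytewise. LC_ALL overrides every LC_* variable,
#   whereas LANG is only a fallback that LC_COLLATE can override.
# - Timestamps, owners and permissions are normalized in the archive headers,
#   so the files on disk are not modified.
# - gzip -n leaves the file name and timestamp out of the gzip header.
make_repro_tarball() {
    src=$1; out=$2; epoch=$3
    name=$(basename "$src")
    parent=$(cd "$(dirname "$src")" && pwd)
    (
        cd "$parent" || exit 1
        find "$name" -print0 | LC_ALL=C sort -z |
        tar --null --no-recursion --files-from=- \
            --format=gnu \
            --mtime="@$epoch" \
            --owner=0 --group=0 --numeric-owner \
            --mode='u=rwX,go=rX' \
            -cf - |
        gzip -n -9
    ) > "$out"
}

# naive_tarball SRC_DIR OUT_FILE: what a plain "tar czf" records, for contrast
# (on-disk mtimes, modes, owner names, directory read order).
naive_tarball() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_sample_tree DIR VARIANT: constructed sample input. Variants "a" and "b"
# hold identical file contents but differ in mtimes and permissions, the way
# two builders' working copies would.
make_sample_tree() {
    root=$1/pkg-1.0
    mkdir -p "$root/src"
    printf 'hello\n' > "$root/README"
    printf '#!/bin/sh\nexit 0\n' > "$root/configure"
    printf 'int main(void) { return 0; }\n' > "$root/src/main.c"
    if [ "$2" = a ]; then
        dmode=755 fmode=644 stamp=201603201200
    else
        dmode=700 fmode=600 stamp=201603251200
    fi
    chmod "$dmode" "$root" "$root/src" "$root/configure"
    chmod "$fmode" "$root/README" "$root/src/main.c"
    touch -t "$stamp" "$root/README" "$root/configure" "$root/src/main.c" \
        "$root/src" "$root"
}

# demo: build both variants both ways and print the hashes side by side.
demo() {
    work=$(mktemp -d)
    for v in a b; do
        make_sample_tree "$work/$v" "$v"
        naive_tarball "$work/$v/pkg-1.0" "$work/naive-$v.tar.gz"
        # 1458432000 = 2016-03-20 00:00:00 UTC, a constructed "source" timestamp
        make_repro_tarball "$work/$v/pkg-1.0" "$work/repro-$v.tar.gz" 1458432000
    done
    for f in naive-a naive-b repro-a repro-b; do
        echo "$f  $(sha256_of "$work/$f.tar.gz")"
    done
    rm -rf "$work"
}

demo
```

The two naive archives hash differently, while the two normalized ones are identical; the timestamp passed in should come from the source (for example the last commit), not from the build.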


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-21 Thread Jurre van Bergen


On 03/21/2016 01:49 PM, Ian Goldberg wrote:
> On Mon, Mar 21, 2016 at 12:07:02AM +0100, Jurre van Bergen wrote:
>>> Yay!!!  Would anyone else like to try, perhaps on Debian or something?
>> Seems to go wrong here: https://paste.debian.net/hidden/16c109b6/
> Hmm.  I could easily believe the output would be different on a
> different distro (different versions of various packages, etc.), but
> that it totally failed to build is a little odder.  Does Debian use a
> different path from /usr/i586-mingw32msvc/ for its mingw32 stuff,
> perchance?
Plausible.

> If we want the Windows binary to build on Debian, some Debian-using
> person will likely need to debug this.
I'll investigate as a Debian using person :)

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-21 Thread Ian Goldberg
On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
> So who knows how to make a reproducible tarball?  We'd need to
> normalize:
> - The order of the files (I think make dist already does this, though)
> - The timestamps (--mtime), owners (--owner, --group), permissions (I
>   guess we could chmod the files first, or some combination of
>   --no-same-permissions and umask?) of the files
> - Anything else?
> 
> And getting autoconf to get the "make dist" target actually *do* that
> might take some examining, but worst case, we can override $TAR or
> $am__tar, I suppose.

OK, here's the scoop.  As with most people, my knowledge of
automake/autoconf is basically "find another project that does what I
want and copy that".  Unfortunately, I couldn't easily find another
project successfully doing reproducible tarballs from "make dist".
So what I came up with may not be The Right Way To Do It.  Please, if
anyone here can make this better, speak up!  I'm particularly squeamish
about overriding am__tar in configure.ac, since things with double
underscores sound to me like "private! internal! don't look here!".

The commit is here:

https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff

If other people want to see if they get the same .tar.gz as I do:

git clone git://git.otr.im/pidgin_otr
cd pidgin_otr/
git checkout devel
intltoolize --force --copy
autoreconf -s -i
./configure
make dist
sha256sum pidgin-otr-4.0.2.tar.gz

I get:

b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz

and then, why not:

tar xzvvf pidgin-otr-4.0.2.tar.gz
cd pidgin-otr-4.0.2
bash -x INSTALL.mingw
sha256sum pidgin-otr-4.0.2.*

I get:

9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip


*** NOTE: in order to run "./configure" as a precursor to "make dist"
for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
installed, including the dev versions of libotr (or an installation
from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
there a way around this, if all you want to do is "make dist" and not
actually build the package?

The sha256 checksums for the .exe and .zip files are different from
yesterday, since the changes to the pidgin-otr source caused the source
timestamp (*not* a build timestamp!) to change, and the source timestamp
appears in the binaries.

Anyone want to give this a shot?

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-24 Thread Ian Goldberg
Could I get someone to try this out?

Thanks,

   - Ian

On Mon, Mar 21, 2016 at 05:32:55PM -0400, Ian Goldberg wrote:
> On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
> > So who knows how to make a reproducible tarball?  We'd need to
> > normalize:
> > - The order of the files (I think make dist already does this, though)
> > - The timestamps (--mtime), owners (--owner, --group), permissions (I
> >   guess we could chmod the files first, or some combination of
> >   --no-same-permissions and umask?) of the files
> > - Anything else?
> > 
> > And getting autoconf to get the "make dist" target actually *do* that
> > might take some examining, but worst case, we can override $TAR or
> > $am__tar, I suppose.
> 
> OK, here's the scoop.  As with most people, my knowledge of
> automake/autoconf is basically "find another project that does what I
> want and copy that".  Unfortunately, I couldn't easily find another
> project successfully doing reproducible tarballs from "make dist".
> So what I came up with may not be The Right Way To Do It.  Please, if
> anyone here can make this better, speak up!  I'm particularly squeamish
> about overriding am__tar in configure.ac, since things with double
> underscores sound to me like "private! internal! don't look here!".
> 
> The commit is here:
> 
> https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff
> 
> If other people want to see if they get the same .tar.gz as I do:
> 
> git clone git://git.otr.im/pidgin_otr
> cd pidgin_otr/
> git checkout devel
> intltoolize --force --copy
> autoreconf -s -i
> ./configure
> make dist
> sha256sum pidgin-otr-4.0.2.tar.gz
> 
> I get:
> 
> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> 
> and then, why not:
> 
> tar xzvvf pidgin-otr-4.0.2.tar.gz
> cd pidgin-otr-4.0.2
> bash -x INSTALL.mingw
> sha256sum pidgin-otr-4.0.2.*
> 
> I get:
> 
> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> 
> 
> *** NOTE: in order to run "./configure" as a precursor to "make dist"
> for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
> installed, including the dev versions of libotr (or an installation
> from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
> there a way around this, if all you want to do is "make dist" and not
> actually build the package?
> 
> The sha256 checksums for the .exe and .zip files are different from
> yesterday, since the changes to the pidgin-otr source caused the source
> timestamp (*not* a build timestamp!) to change, and the source timestamp
> appears in the binaries.
> 
> Anyone want to give this a shot?
> 
> Thanks,
> 
>- Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-24 Thread Jurre van Bergen


On 03/24/2016 01:02 PM, Ian Goldberg wrote:
> Could I get someone to try this out?
>
> Thanks,
>
>- Ian

Probably this Easter weekend I'll work on this!

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-24 Thread Jurre van Bergen


On 03/24/2016 01:02 PM, Ian Goldberg wrote:
> Could I get someone to try this out?
>
> Thanks,
>
>- Ian
>
> On Mon, Mar 21, 2016 at 05:32:55PM -0400, Ian Goldberg wrote:
>> On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
>>> So who knows how to make a reproducible tarball?  We'd need to
>>> normalize:
>>> - The order of the files (I think make dist already does this, though)
>>> - The timestamps (--mtime), owners (--owner, --group), permissions (I
>>>   guess we could chmod the files first, or some combination of
>>>   --no-same-permissions and umask?) of the files
>>> - Anything else?
>>>
>>> And getting autoconf to get the "make dist" target actually *do* that
>>> might take some examining, but worst case, we can override $TAR or
>>> $am__tar, I suppose.
>> OK, here's the scoop.  As with most people, my knowledge of
>> automake/autoconf is basically "find another project that does what I
>> want and copy that".  Unfortunately, I couldn't easily find another
>> project successfully doing reproducible tarballs from "make dist".
>> So what I came up with may not be The Right Way To Do It.  Please, if
>> anyone here can make this better, speak up!  I'm particularly squeamish
>> about overriding am__tar in configure.ac, since things with double
>> underscores sound to me like "private! internal! don't look here!".
>>
>> The commit is here:
>>
>> https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff
>>
>> If other people want to see if they get the same .tar.gz as I do:
>>
>> git clone git://git.otr.im/pidgin_otr
>> cd pidgin_otr/
>> git checkout devel
>> intltoolize --force --copy
>> autoreconf -s -i
>> ./configure
>> make dist
>> sha256sum pidgin-otr-4.0.2.tar.gz
>>
>> I get:
>>
>> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
Wheee! Success!

root@918bc0b631ee:/pidgin_otr# sha256sum pidgin-otr-4.0.2.tar.gz
b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz

>>
>> and then, why not:
>>
>> tar xzvvf pidgin-otr-4.0.2.tar.gz
>> cd pidgin-otr-4.0.2
>> bash -x INSTALL.mingw
>> sha256sum pidgin-otr-4.0.2.*
>>
>> I get:
>>
>> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
>> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip


Again, success!

root@918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip


>>
>>
>> *** NOTE: in order to run "./configure" as a precursor to "make dist"
>> for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies
>> installed, including the dev versions of libotr (or an installation
>> from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin.  Is
>> there a way around this, if all you want to do is "make dist" and not
>> actually build the package?

I'm not the right person to answer this question..

Best,
Jurre


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-25 Thread Ian Goldberg
On Thu, Mar 24, 2016 at 10:54:46PM +0100, Jurre van Bergen wrote:
> >> I get:
> >>
> >> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> Wheee! Success!
> 
> root@918bc0b631ee:/pidgin_otr# sha256sum pidgin-otr-4.0.2.tar.gz
> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> 
> >>
> >> and then, why not:
> >>
> >> tar xzvvf pidgin-otr-4.0.2.tar.gz
> >> cd pidgin-otr-4.0.2
> >> bash -x INSTALL.mingw
> >> sha256sum pidgin-otr-4.0.2.*
> >>
> >> I get:
> >>
> >> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> >> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> 
> 
> Again, success!
> 
> root@918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip

Awesome!  Can we try it for libotr as well?

git clone git://git.otr.im/libotr
cd libotr
git checkout devel
./bootstrap
./configure
make dist
sha256sum libotr-4.1.1.tar.gz

I get:

2bfdb9c1e50e86d546084267694130e251b18d08bda5e64940059f317900a827  libotr-4.1.1.tar.gz

Thanks,

   - Ian


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-25 Thread David Goulet
On 25 Mar (08:44:28), Ian Goldberg wrote:
> On Thu, Mar 24, 2016 at 10:54:46PM +0100, Jurre van Bergen wrote:
> > >> I get:
> > >>
> > >> b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> > Wheee! Success!
> > 
> > root@918bc0b631ee:/pidgin_otr# sha256sum pidgin-otr-4.0.2.tar.gz
> > b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz
> > 
> > >>
> > >> and then, why not:
> > >>
> > >> tar xzvvf pidgin-otr-4.0.2.tar.gz
> > >> cd pidgin-otr-4.0.2
> > >> bash -x INSTALL.mingw
> > >> sha256sum pidgin-otr-4.0.2.*
> > >>
> > >> I get:
> > >>
> > >> 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> > >> ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> > 
> > 
> > Again, success!
> > 
> > root@918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
> > 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> > ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> 
> Awesome!  Can we try it for libotr as well?
> 
> git clone git://git.otr.im/libotr
> cd libotr
> git checkout devel
> ./bootstrap
> ./configure
> make dist
> sha256sum libotr-4.1.1.tar.gz
> 
> I get:
> 
> 2bfdb9c1e50e86d546084267694130e251b18d08bda5e64940059f317900a827  libotr-4.1.1.tar.gz

ec8b75f9f7b21675789c9a2eee83a13ec3d82b04b820fdb9f462deee07efb41b  libotr-4.1.1.tar.gz

It's very possible the libgcrypt version makes a difference here. What is the
package version you are using?

David

> 
> Thanks,
> 
>- Ian




Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-25 Thread Ian Goldberg
On Fri, Mar 25, 2016 at 09:18:38AM -0400, David Goulet wrote:
> > > root@918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
> > > 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> > > ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> > 
> > Awesome!  Can we try it for libotr as well?
> > 
> > git clone git://git.otr.im/libotr
> > cd libotr
> > git checkout devel
> > ./bootstrap
> > ./configure
> > make dist
> > sha256sum libotr-4.1.1.tar.gz
> > 
> > I get:
> > 
> > 2bfdb9c1e50e86d546084267694130e251b18d08bda5e64940059f317900a827  libotr-4.1.1.tar.gz
> 
> ec8b75f9f7b21675789c9a2eee83a13ec3d82b04b820fdb9f462deee07efb41b  libotr-4.1.1.tar.gz
> 
> It's very possible the libgcrypt version makes a difference here. What is the
> package version you are using?

libgcrypt11-dev  1.5.3-2ubuntu4.3

(i.e. current Ubuntu 14.04; the versions of autoconf, automake, etc.
will also be important)


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-25 Thread David Goulet
On 25 Mar (09:22:02), Ian Goldberg wrote:
> On Fri, Mar 25, 2016 at 09:18:38AM -0400, David Goulet wrote:
> > > > root@918bc0b631ee:/pidgin_otr/pidgin-otr-4.0.2# sha256sum pidgin-otr-4.0.2.*
> > > > 9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
> > > > ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip
> > > 
> > > Awesome!  Can we try it for libotr as well?
> > > 
> > > git clone git://git.otr.im/libotr
> > > cd libotr
> > > git checkout devel
> > > ./bootstrap
> > > ./configure
> > > make dist
> > > sha256sum libotr-4.1.1.tar.gz
> > > 
> > > I get:
> > > 
> > > 2bfdb9c1e50e86d546084267694130e251b18d08bda5e64940059f317900a827  libotr-4.1.1.tar.gz

2bfdb9c1e50e86d546084267694130e251b18d08bda5e64940059f317900a827  libotr-4.1.1.tar.gz

:)

> > 
> > ec8b75f9f7b21675789c9a2eee83a13ec3d82b04b820fdb9f462deee07efb41b  libotr-4.1.1.tar.gz
> > 
> > It's very possible the libgcrypt version makes a difference here. What is
> > the package version you are using?
> 
> libgcrypt11-dev  1.5.3-2ubuntu4.3
> 
> (i.e. current Ubuntu 14.04; the versions of autoconf, automake, etc.
> will also be important)

Indeed, that was my mistake.

Thanks!
David





Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-28 Thread Ian Goldberg
OK, there was a weird issue with reproducible builds of the tarball for
libotr.

It turns out (at least with the current Ubuntu 14.04 version of
automake) that the first time you run autoreconf, which itself runs
automake, automake does not find config/depcomp (since it does not yet
exist), and so does not list config/depcomp in the resulting
Makefile.in.  (Which is weird, because it lists other files in config/
that it just created, but not depcomp.)  Running autoreconf *again*
causes config/depcomp to become correctly listed in Makefile.in.

So I committed a change to the ./bootstrap program to run autoreconf,
then grep -q config/depcomp Makefile.in, then run it again if the grep
failed.

Now "make dist" will produce identical output, whether you run it from a
fresh clone or a directory you've used before.  And if you untar the
"make dist" output tarball, and "./configure; make dist", or even
"./bootstrap; ./configure; make dist", you get the byte-for-byte
identical tarball to the one you started with.

At least I do.

With the current commit (libotr devel branch commit 0774db331766), I
get (on Ubuntu 14.04):

f54fc56b979f10a5ea7861975bec13110951d0508d7625dfb40b326bb1142b68  libotr-4.1.1.tar.gz

   - Ian
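
[Added example, not part of the original message and not libotr's actual ./bootstrap: a sketch of the "run autoreconf, grep Makefile.in for config/depcomp, run again if missing" logic described above, plus the "untar, ./configure, make dist, compare" round-trip check. The function names and the default autoreconf flags in REGEN are assumptions.]

```shell
#!/bin/sh
# Added example, not libotr's ./bootstrap. REGEN's default flags are an assumption.
: "${REGEN:=autoreconf --install}"

# True if the generated Makefile.in in directory $1 lists config/depcomp.
lists_depcomp() {
    grep -q config/depcomp "$1/Makefile.in"
}

# Run $REGEN in $1, and once more if config/depcomp is still not listed.
# Prints how many runs were needed; returns 1 if the second run did not help.
regen_until_depcomp_listed() {
    dir=$1
    runs=0
    while [ "$runs" -lt 2 ]; do
        ( cd "$dir" && $REGEN ) >/dev/null 2>&1 || return 2
        runs=$((runs + 1))
        if lists_depcomp "$dir"; then
            echo "$runs"
            return 0
        fi
    done
    echo "$runs"
    return 1
}

# True if two files have the same SHA-256 digest.
same_tarball() {
    a=$(sha256sum "$1" | cut -d' ' -f1) || return 2
    b=$(sha256sum "$2" | cut -d' ' -f1) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Unpack dist tarball $1, run "./configure; make dist" inside it, and check
# that the regenerated tarball is identical to the one we started with.
roundtrip_dist() {
    tarball=$(readlink -f "$1") || return 2
    name=$(basename "$tarball")
    work=$(mktemp -d) || return 2
    tar xzf "$tarball" -C "$work" || return 2
    ( cd "$work/${name%.tar.gz}" && ./configure && make dist ) >/dev/null 2>&1 || return 2
    same_tarball "$tarball" "$work/${name%.tar.gz}/$name"
}
```

[From a fresh clone, regen_until_depcomp_listed . should report 2 runs on an affected automake and 1 on any later invocation; roundtrip_dist libotr-4.1.1.tar.gz returns 0 only when the rebuilt tarball is byte-for-byte identical.]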


Re: [OTR-dev] Reproducible builds of pidgin-otr for Windows

2016-03-28 Thread David Goulet
On 28 Mar (18:52:37), Ian Goldberg wrote:
> OK, there was a weird issue with reproducible builds of the tarball for
> libotr.
> 
> It turns out (at least with the current Ubuntu 14.04 version of
> automake) that the first time you run autoreconf, which itself runs
> automake, automake does not find config/depcomp (since it does not yet
> exist), and so does not list config/depcomp in the resulting
> Makefile.in.  (Which is weird, because it lists other files in config/
> that it just created, but not depcomp.)  Running autoreconf *again*
> causes config/depcomp to become correctly listed in Makefile.in.
> 
> So I committed a change to the ./bootstrap program to run autoreconf,
> then grep -q config/depcomp Makefile.in, then run it again if the grep
> failed.
> 
> Now "make dist" will produce identical output, whether you run it from a
> fresh clone or a directory you've used before.  And if you untar the
> "make dist" output tarball, and "./configure; make dist", or even
> "./bootstrap; ./configure; make dist", you get the byte-for-byte
> identical tarball to the one you started with.
> 
> At least I do.
> 
> With the current commit (libotr devel branch commit 0774db331766), I
> get (on Ubuntu 14.04):
> 
> f54fc56b979f10a5ea7861975bec13110951d0508d7625dfb40b326bb1142b68  libotr-4.1.1.tar.gz

Woot! :)

f54fc56b979f10a5ea7861975bec13110951d0508d7625dfb40b326bb1142b68  libotr-4.1.1.tar.gz

Good job! Thanks!
David

> 
>- Ian

