#28102: Make sure we pick the exact same compile environment for Tor Browser builds
-------------------------------------------+--------------------------
 Reporter:  gk                             |          Owner:  tbb-team
     Type:  defect                         |         Status:  new
 Priority:  High                           |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  tbb-rbm, TorBrowserTeam201810  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+--------------------------

Comment (by boklm):

 I can think of the following ways to fix that:

 - specify exactly the versions of the packages we need, when we know that
   this package can cause reproducibility issues. For example we could make
   the firefox build on macOS require `gcc-49=4.9.2-10+deb8u1`. The problem
   is that any package update could cause such an issue, and it can take
   time until we notice it. With a complex package such as gcc, with many
   dependencies, the list of packages for which we need to specify the
   version might be long.

 - add a container image version number. We can then increase this number
   when we need to invalidate old containers after we found that an update
   is causing a reproducibility issue. Like the first option, this means
   that we only fix the issues after finding them, and the previous
   releases can become unreproducible.

 - use snapshots.debian.org to only install package updates that were
   available on a specific date. I think the main problem would be that
   changing the selected date would cause everything to be rebuilt, but
   that might be ok if we don't do it too often.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28102#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
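
An added example, not part of the ticket or of the Tor Browser build tooling: one way to notice the package drift the comment describes is to compare a builder's package listing with the one recorded for a reference build, then emit `package=version` arguments for the packages that changed. The listings are constructed samples in `package=version` form; apart from the `gcc-49` version quoted in the comment, every name and version here is an assumption.

```python
# Added example: detect compile-environment drift between two builders.
# Both listings are constructed; only the gcc-49 reference version is
# taken from the ticket comment.
REFERENCE = """\
# recorded when the reference build was made (constructed)
gcc-49=4.9.2-10+deb8u1
libc6-dev=2.19-18+deb8u10
make=4.0-8.1
"""

CURRENT = """\
# listing from a container created later (constructed)
gcc-49=4.9.2-10+deb8u2
libc6-dev=2.19-18+deb8u10
make=4.0-8.1
zip=3.0-8
"""


def parse_listing(text):
    """Parse 'package=version' lines into {package: version}."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("=")
        if not (sep and name and version):
            raise ValueError(f"malformed listing line: {line!r}")
        packages[name] = version
    return packages


def environment_drift(reference, current):
    """Return {package: (reference_version, current_version)} for every
    package that differs; None marks a package missing on one side."""
    names = sorted(set(reference) | set(current))
    return {n: (reference.get(n), current.get(n))
            for n in names if reference.get(n) != current.get(n)}


def pin_arguments(reference, drift):
    """'package=version' arguments that restore the reference versions.
    Packages absent from the reference cannot be pinned and are skipped."""
    return [f"{n}={reference[n]}" for n in drift if n in reference]


if __name__ == "__main__":
    ref, cur = parse_listing(REFERENCE), parse_listing(CURRENT)
    drift = environment_drift(ref, cur)
    print(drift, pin_arguments(ref, drift))
```

Extra packages such as the constructed `zip` entry are reported as drift but produce no pin, since the reference build has no version to pin them to.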