Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2023/01/12 22:24:01 UTC

Verifying reproducible release builds

All,

I spent some time today verifying that the release artifacts that Mark 
published the other day for 10.1.5 were indeed reproducible by me. 
Fortunately, they were, but it was a little bit of a process so I went 
ahead and documented it.

https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build

Now, anybody can follow those instructions and perform a verifiable 
release build and be sure that the process truly is repeatable and verifiable.

I'd love it if anyone who is mildly interested in such things would (a) 
check my work in Confluence and (b) actually try the verification 
process on any of this month's builds to see if you are successful.

Some things on my TODO list for this:

1. Allow verification without having to install+configure GPG
2. Allow verification using a "verify" ant build target

    This should be as straightforward as possible, so anyone wanting to
    see what is being done isn't confused by byzantine ant stuff. It
    should be as straightforward as a shell script with no functions
    or loops.

Unfortunately, the existing ant script contains <property> tasks at the 
top-level and not in a <target>, so they occur before all targets. That 
means that we either need to have users wanting to verify builds 
create/modify one of the several build.properties files, or specify some 
properties on the command-line e.g. to disable GPG.

I could also write a separate build-verify.xml which might be a bit more 
straightforward to both implement AND read by a potential verifier.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Verifying reproducible release builds

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Emmanuel,

On 1/15/23 04:41, Emmanuel Bourg wrote:
> Hi Christopher,
> 
> On 12/01/2023 at 23:24, Christopher Schultz wrote:
> 
>> I spent some time today verifying that the release artifacts that Mark 
>> published the other day for 10.1.5 were indeed reproducible by me. 
>> Fortunately, they were, but it was a little bit of a process so I went 
>> ahead and documented it.
>>
>> https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build
> 
> A couple of suggestions:
> - I'd use shasum rather than diff to compare the artifacts

Fair enough. Neither command is available on Windows without installing 
anything separate, though. For the .sig files, simply viewing them (in 
pairs) is possible on Windows natively. I could put instructions for how 
to do that in the wiki.

> - if the artifacts are not identical, the diffoscope tool [1] can help 
> identify the differences

Good information to have, but not likely helpful for someone performing 
a verification. They would really only care that they were simply _not 
identical_, I think.

-chris


Re: Verifying reproducible release builds

Posted by Emmanuel Bourg <eb...@apache.org>.
Hi Christopher,

On 12/01/2023 at 23:24, Christopher Schultz wrote:

> I spent some time today verifying that the release artifacts that Mark 
> published the other day for 10.1.5 were indeed reproducible by me. 
> Fortunately, they were, but it was a little bit of a process so I went 
> ahead and documented it.
> 
> https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build

A couple of suggestions:
- I'd use shasum rather than diff to compare the artifacts
- if the artifacts are not identical, the diffoscope tool [1] can help 
identify the differences

Emmanuel Bourg

[1] https://diffoscope.org
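The following is an added example, not code from this thread, the wiki page or the Tomcat project. It shows the checksum-based comparison Emmanuel suggests (shasum/sha256sum instead of diff) applied to the verification process Chris describes: every published artifact is hashed alongside its locally rebuilt counterpart, and the verifier only needs to know whether anything is not identical. The directory layout, the `compare_artifacts` helper and the sample artifact files are constructed for the demo and are not the project's own layout; `sha256sum` (coreutils) is used when present, with `shasum -a 256` as the fallback on macOS and other Perl-only systems.

```shell
#!/bin/sh
# Added example: compare published release artifacts with a local rebuild
# by SHA-256 digest. Not part of the Tomcat build; directory names are
# assumptions.
set -u

# Pick a SHA-256 tool: sha256sum (coreutils) or shasum (Perl, macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_artifacts PUBLISHED_DIR REBUILT_DIR
# Prints one line per published artifact (MATCH, MISMATCH or MISSING) with
# the digests, and returns 0 only if every published artifact has an
# identical rebuilt counterpart. A single mismatch fails the verification.
compare_artifacts() {
    published="$1"; rebuilt="$2"; status=0
    for f in "$published"/*; do
        name=$(basename "$f")
        if [ ! -f "$rebuilt/$name" ]; then
            echo "MISSING   $name (no rebuilt copy)"
            status=1
            continue
        fi
        a=$(sha256_of "$f")
        b=$(sha256_of "$rebuilt/$name")
        if [ "$a" = "$b" ]; then
            echo "MATCH     $name $a"
        else
            echo "MISMATCH  $name published=$a rebuilt=$b"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample data: two fake release directories in a temp dir.
# In real use "published" would hold the downloaded dist artifacts and
# "rebuilt" the output of the local build; the file contents here are
# placeholders, not real archives.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/published" "$root/rebuilt"
    printf 'tarball-bytes-v1' > "$root/published/apache-tomcat-10.1.5.tar.gz"
    printf 'tarball-bytes-v1' > "$root/rebuilt/apache-tomcat-10.1.5.tar.gz"
    printf 'zip-bytes-v1'     > "$root/published/apache-tomcat-10.1.5.zip"
    printf 'zip-bytes-v2'     > "$root/rebuilt/apache-tomcat-10.1.5.zip"  # deliberately differs
    echo "$root"
}

# Usage: sh verify.sh --demo   (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample)
    compare_artifacts "$root/published" "$root/rebuilt" || echo "verification FAILED"
    rm -rf "$root"
fi
```

The per-file listing is what a verifier wants to see on a mismatch: which artifact differs and both digests, without having to diff binary archives. Only once an artifact is known to differ does a tool such as diffoscope become useful for finding out why.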

