You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2023/01/12 22:24:01 UTC
Verifying reproducible release builds
All,
I spent some time today verifying that the release artifacts that Mark
published the other day for 10.1.5 were indeed reproducible by me.
Fortunately, they were, but it was a little bit of a process so I went
ahead and documented it.
https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build
Now, anybody can follow those instructions and perform a verifiable
release build and sure that the process truly is repeatable and verifiable.
I'd love it if anyone who is mildly interested in such things would (a)
check my work in Confluence and (b) actually try the verification
process on any of this month's builds to see if you are successful.
Some things on my TODO list for this:
1. Allow verification without having to install+configure GPG
2. Allow verification using a "verify" ant build target
This should be as straightforward as possible, so anyone wanting to
see what is being done isn't confused by byzantine ant stuff. It
should be as straightforward as a shell script with no functions
or loops.
Unfortunately, the existing ant script contains <property> tasks at the
top-level and not in a <target>, so they occur before all targets. That
means that we either need to have users wanting to verify builds
create/modify one of the several build.properties files, or specify some
properties on the command-line e.g. to disable GPG.
I could also write a separate build-verify.xml which might be a bit more
straightforward to both implement AND read by a potential verifier.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Verifying reproducible release builds
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Emmanuel,
On 1/15/23 04:41, Emmanuel Bourg wrote:
> Hi Christopher,
>
> Le 12/01/2023 à 23:24, Christopher Schultz a écrit :
>
>> I spent some time today verifying that the release artifacts that Mark
>> published the other day for 10.1.5 were indeed reproducible by me.
>> Fortunately, they were, but it was a little bit of a process so I went
>> ahead and documented it.
>>
>> https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build
>
> A couple of suggestions:
> - I'd use shasum rather than diff to compare the artifacts
Fair enough. Neither command is available on Windows without installing
anything separate, though. For the .sig files, simply viewing them (in
pairs) is possible on Windows natively. I could put instructions for how
to do that in the wiki.
> - if the artifacts are not identical, the diffoscope tool [1] can help
> identify the differences
Good information to have, but not likely helpful for someone performing
a verification. They would really only care that they were simply _not
identical_, I think.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Verifying reproducible release builds
Posted by Emmanuel Bourg <eb...@apache.org>.
Hi Christopher,
Le 12/01/2023 à 23:24, Christopher Schultz a écrit :
> I spent some time today verifying that the release artifacts that Mark
> published the other day for 10.1.5 were indeed reproducible by me.
> Fortunately, they were, but it was a little bit of a process so I went
> ahead and documented it.
>
> https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build
A couple of suggestions:
- I'd use shasum rather than diff to compare the artifacts
- if the artifacts are not identical, the diffoscope tool [1] can help
identify the differences
Emmanuel Bourg
[1] https://diffoscope.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org