Re: Reply: Fwd: Verification of known issues related to reproducible builds

Ximin Luo infinity0 at debian.org
Sat Dec 10 09:50:00 UTC 2016


你好:
> Thanks for your reply. In fact, your Chinese is very good.
> 
> My issues are about the consistency of binary files byte for byte.
> 

Hehe, good to know that what I said made sense. But it's not good enough to talk with, I do have to write mostly in English, sorry! :)

It would be much easier to help you, if you can tell us what software you are trying to reproduce the consistency of. Many reproducibility issues (maybe including the ones you described below) sometimes happen, sometimes do not happen.

Until you do this, it's hard for us to give exact answers to your questions. I can only give half-answers to your questions. (See further below.)

Ideally you would show us the output of diffoscope, something like this: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/rustc.html

It is generated by this program: https://packages.debian.org/sid/diffoscope

Unfortunately at this time, it only works well on Debian GNU/Linux and Arch Linux. But we are happy to add support for other platforms, if other people can contribute this. If you want to do that, the source code is here: https://anonscm.debian.org/cgit/reproducible/diffoscope.git/

You can try it online here https://try.diffoscope.org/ but for security reasons, it only tries to process small differences. For files with very large differences, you will need to run diffoscope yourself, locally.

> ---Original message---
> From: "Ximin Luo"<infinity0 at debian.org>
> Sent: December 10, 2016 00:08:58
> To: "软件重构"<reproducible-builds at lists.alioth.debian.org>;"马艳平"<king.ma at huawei.com>;"你好"<763413589 at qq.com>;
> Subject: Re: Fwd: Verification of known issues related to reproducible builds
> 
> [..]
> 
> 你好:
>> ---Original message---
>> From: "自己"<763413589 at qq.com>
>> Sent: December 7, 2016 10:09:10
>> To: "软件重构"<qa-jenkins-dev at lists.alioth.debian.org>;
>> Subject: Verification of known issues related to reproducible builds
>>
>>
>> It is difficult to validate some issues, as below:
>> 1)timestamps generated by mangosdk spiprocessor
>>
>> It is difficult to get the class org.mangosdk.spi.processor.SpiProcessor.
>>

The source code for this and related classes is here:

https://sources.debian.net/src/libspi-java/0.2.4-1/src/org/mangosdk/spi/processor/SpiProcessor.java/?hl=56#L56

Older and future versions are / will be here: https://sources.debian.net/src/libspi-java/

>> 2)random order in java jar manifest mf
>>
>> I got two java .jar files written by Eclipse and command jar respectively. But the MANIFEST.MF of both java .jar files were identical.
>>

Sometimes manifest.mf might be autogenerated by another process, or they might contain extra things that are not in your own manifest.mf, and these extra things might have a random order.

If you don't see this issue in your own software, then all is well, no need to worry. :)

>> 3)timestamps added by xbean spring
>>
>> In fact, I do not know how to validate this issue.
>>
>> 4)random order in plexus comonents xml
>> I tried so many times to install Plexus plugin into Eclipse, but never succeeded.
>>

Similar to what I said above - if you don't need xbean nor plexus to build your software, then you don't need to worry about these issues.

Ximin

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
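
An added example, not part of the original message and not diffoscope's code: a small check for issue 2) above that tells whether two JARs which are not byte-for-byte identical differ only in the order of the MANIFEST.MF main attributes. The manifests, the JAR contents and the function names are constructed for illustration; going slightly beyond the thread, it also reports the case where every member matches and only ZIP metadata differs.

```python
import io
import zipfile

# Constructed sample manifests: same attributes, different order.
MANIFEST_1 = "Manifest-Version: 1.0\nCreated-By: constructed\nBuilt-By: example\n"
MANIFEST_2 = "Manifest-Version: 1.0\nBuilt-By: example\nCreated-By: constructed\n"

def make_jar(manifest, mtime=(2016, 12, 7, 10, 9, 10)):
    """Build a tiny constructed JAR in memory (sample input, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in (("META-INF/MANIFEST.MF", manifest.encode()),
                           ("Hello.class", b"constructed class bytes")):
            jar.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()

def main_attributes(manifest):
    """Parse the main section of MANIFEST.MF bytes, joining continuation lines."""
    attrs, key = {}, None
    for line in manifest.decode("utf-8").splitlines():
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]        # continuation of the previous value
        else:
            key, _, value = line.partition(": ")
            attrs[key] = value
    return attrs

def compare_jars(a, b):
    """Classify the difference between two JARs given as bytes."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        na, nb = set(za.namelist()), set(zb.namelist())
        differing = sorted(n for n in na | nb
                           if n not in na or n not in nb or za.read(n) != zb.read(n))
        ma, mb = za.read("META-INF/MANIFEST.MF"), zb.read("META-INF/MANIFEST.MF")
    return {
        "identical_bytes": a == b,
        "differing_members": differing,
        "manifest_order_only": ma != mb and main_attributes(ma) == main_attributes(mb),
    }

if __name__ == "__main__":
    print(compare_jars(make_jar(MANIFEST_1), make_jar(MANIFEST_2)))
```

An empty `differing_members` list together with `identical_bytes` being false points at archive metadata such as member timestamps rather than file content.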


