Verifying binary releases #893

Open
mstorsjo opened this Issue May 26, 2014 · 6 comments

@mstorsjo
Contributor

mstorsjo commented May 26, 2014

At some point it's been said that users of the binary releases will be able to verify those releases by themselves compiling an identical binary from source for comparison. (Can't find the exact quote right now.)

To actually be able to do that, it would be good to know in more detail which compiler/toolchain version has been used to build the binaries - without that it's essentially impossible to try to recreate an identical binary.

@ethanhugg

Contributor

ethanhugg commented May 26, 2014

Supporting replicatable builds is still on our to-do list.

@fluffy

Member

fluffy commented Aug 18, 2014

I was thinking that one good start to this might be to pick one of the arch (say Linux) and start to add to the start of the build some commands that printed out various versions of things in use. We could then publish the log of the build along with the build so people could see things used. I'd also like to see someone make a simple setup that had the script to spin up a new instance of a server on Rackspace, install the appropriate tools on it, do the build, get the results including exact version used, download the results, then kill the server. If that script was in GitHub, we could use it and it might get us a lot closer to replaceable builds.

@fluffy fluffy added the enhancement label Aug 18, 2014
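
An added example (not code from the OpenH264 project or from anyone in this thread) of the two steps discussed above: recording the toolchain versions used for a build, and comparing a published binary with a local rebuild to see where they differ. The tool names and the sample bytes are constructed assumptions.

```python
import hashlib
import shutil
import subprocess

def tool_versions(tools):
    """Record the first line of `<tool> --version` for each build tool."""
    versions = {}
    for tool in tools:
        if shutil.which(tool) is None:
            versions[tool] = "not found"
            continue
        out = subprocess.run([tool, "--version"], capture_output=True, text=True)
        lines = (out.stdout or out.stderr).strip().splitlines()
        versions[tool] = lines[0] if lines else "unknown"
    return versions

def diff_ranges(a, b, gap=16):
    """Return (start, end) offsets where a and b differ, merging ranges closer than `gap` bytes."""
    ranges = []
    for i in range(max(len(a), len(b))):
        if i < len(a) and i < len(b) and a[i] == b[i]:
            continue
        if ranges and i - ranges[-1][1] <= gap:
            ranges[-1][1] = i + 1  # extend the current differing region
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def compare_artifacts(published, rebuilt):
    """Compare a published binary with a local rebuild, both given as bytes."""
    return {
        "published_sha256": hashlib.sha256(published).hexdigest(),
        "rebuilt_sha256": hashlib.sha256(rebuilt).hexdigest(),
        "identical": published == rebuilt,
        "diff_ranges": diff_ranges(published, rebuilt),
    }

if __name__ == "__main__":
    # Constructed sample: two "binaries" that differ only in an embedded build timestamp.
    published = b"\x7fELF" + b"\x00" * 28 + b"built 2014-05-26 10:00" + b"\x90" * 32
    rebuilt = b"\x7fELF" + b"\x00" * 28 + b"built 2014-05-27 09:30" + b"\x90" * 32
    print(tool_versions(["gcc", "nasm", "make"]))  # assumed tool list
    print(compare_artifacts(published, rebuilt))
```

A small, localized differing range usually points at an embedded timestamp or path; differences spread across the file point at a different compiler or flags.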

@maxnordlund

maxnordlund commented Jun 23, 2015

What about using some sort of container, such as docker or rkt? This will ensure a mostly deterministic environment, as long as you don't run apt-get update or similar.

@fluffy

Member

fluffy commented Jun 24, 2015

I put together a Docker build setup for making a Linux build. It is on a branch at

https://github.com/cisco/openh264/tree/cj-build1

It does seem to make deterministic builds.

I think this is probably a good approach going forward but we need to see some sort of container to make a Windows build.


@maxnordlund

maxnordlund commented Jun 24, 2015

Yes, that is something we need and maybe http://mxe.cc/ can be used for cross-compiling? Then you don't need to be on Windows or have access to its binaries to actually compile for it.

That branch is a fair bit behind master ~750 commits. Could you try to update it, please?

@luser

Contributor

luser commented Nov 18, 2015

The Tor project has been doing deterministic builds (including of Firefox):
https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details

Using their methodology is probably the best way to go about this.
