Reproducible Builds #670
Comments
thestinger
Jul 19, 2017
Contributor
> For me, it seems like your provided images use different source code than the provided one on GitHub. With security in mind, this is a problem!

No, you're just making bad assumptions.

> For me, it seems like your provided images use different source code than the provided one on GitHub. With security in mind, this is a problem!

It's not different.

> So I don't think you are kidding your users. For sure there is an easy explanation for the file size difference.

So why don't you compare what's actually different in your build? Right now you have no indication that there was any non-reproducible step of the build.

You're obviously using different keys to sign it, so clearly the signatures aren't going to match. You also probably didn't set the same build date and build number, which is step one for reproducing a build. The build process is (mostly) reproducible, but you didn't try to reproduce it, and the signing process is not reproducible since you don't have the official private keys. You can compare the images, but you can't expect the signatures, etc. to match. Your build environment might not match too. You need to compare what's actually different before jumping to conclusions.
thestinger closed this Jul 19, 2017
thestinger added the "Status: invalid" label Jul 19, 2017
michi3
Jul 19, 2017
thx for your reply.
As I said, I don't want to offend you. I thought there was an easy explanation.
The problem with the build date and number:
The docs say to use a script to set up an environment. The script sets the number and date to the actual time. But the used tag is older. Of course, your builds were not created at the same time as my compile time.
I "fixed" this already and there is still a difference.
The problem with the keys:
OK, I understand this. This makes sense :)
But are these two problems making a difference of 9 MB?
Could there also be a problem with the third-party libs you are including at compile time?
So, your answer sounds to me like there is no way for me to check the images against your provided code?
thx for your help
thestinger
Jul 19, 2017
Contributor
> So, your answer sounds to me like there is no way for me to check the images against your provided code?

Compare the contents of the images, not the raw signed images. You can check it against the official builds, but it's not useful to compare them as a whole since the signatures aren't going to match even if everything is reproduced identically in your build environment, which might not currently be the case, but it will be close to reproducible. It's reproducible here other than some yet-to-be-fixed upstream odex issues.
thestinger
Jul 19, 2017
Contributor
In out/ you'll notice there's build_date.txt too, not just build_number.txt.
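The two points made in this thread, compare the contents of the images rather than the raw signed archives, and match the build date and build number before expecting a match, can be turned into a small check. The following is an added example, not code from this thread or from the CopperheadOS project. It assumes an Android-style zip layout in which signature data lives under META-INF/ and build stamps are recorded in system/build.prop; the mapping of out/build_date.txt and out/build_number.txt to the ro.build.date.utc and ro.build.version.incremental properties is the AOSP convention as I understand it and is treated as an assumption here. The sample images are constructed in memory so the script runs offline.

```python
import hashlib
import io
import zipfile

# Signature metadata lives under META-INF/ in Android-style zips (APKs, OTA
# packages). A rebuild signed with different keys always differs there, so
# those entries are excluded from the content comparison by default.
SIGNATURE_PREFIX = "META-INF/"

# Build stamps that AOSP derives from out/build_date.txt and
# out/build_number.txt (assumed mapping, see lead-in). If these differ, the
# rebuild was not started from the official date/number and build.prop (and
# anything embedding it) is expected to differ.
STAMP_PROPS = ("ro.build.date.utc", "ro.build.version.incremental")


def entry_digests(zip_bytes, skip_prefix=SIGNATURE_PREFIX):
    """Map each non-signature file entry to (size, sha256 hex) for an in-memory zip."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(skip_prefix):
                continue
            data = zf.read(info)
            digests[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return digests


def compare_images(official, rebuilt):
    """Per-file comparison of two image zips, ignoring signature entries.

    Returns the entries present on only one side and, for entries whose
    content differs, the size delta (rebuilt minus official), so that a large
    overall size gap can be attributed to specific files instead of the
    whole archive.
    """
    a, b = entry_digests(official), entry_digests(rebuilt)
    differ = [(name, b[name][0] - a[name][0])
              for name in sorted(set(a) & set(b)) if a[name][1] != b[name][1]]
    return {
        "only_official": sorted(set(a) - set(b)),
        "only_rebuilt": sorted(set(b) - set(a)),
        "differ": differ,
    }


def read_props(zip_bytes, path="system/build.prop"):
    """Parse key=value lines from a build.prop entry; empty dict if absent."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if path not in zf.namelist():
            return {}
        text = zf.read(path).decode("utf-8", "replace")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def stamp_mismatches(official, rebuilt):
    """Return {prop: (official, rebuilt)} for build stamps that were not matched."""
    a, b = read_props(official), read_props(rebuilt)
    return {p: (a.get(p), b.get(p)) for p in STAMP_PROPS if a.get(p) != b.get(p)}


def make_image(lib_bytes, date_utc, build_number, signature):
    """Constructed sample image: a minimal zip standing in for a real system image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system/build.prop",
                    f"ro.build.date.utc={date_utc}\n"
                    f"ro.build.version.incremental={build_number}\n")
        zf.writestr("system/lib/libexample.so", lib_bytes)
        zf.writestr("META-INF/CERT.RSA", signature)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed data: same code, different keys, and a rebuild that did not
    # reuse the official build date/number.
    official = make_image(b"\x7fELF" + b"A" * 64, "1500000000", "2017.07.18", b"official-key-sig")
    rebuilt = make_image(b"\x7fELF" + b"A" * 64, "1500400000", "2017.07.19", b"my-key-sig")
    print(compare_images(official, rebuilt))   # only system/build.prop differs
    print(stamp_mismatches(official, rebuilt))  # both stamps were not matched
```

Run it against two real images by reading the zip files into bytes and passing them to compare_images and stamp_mismatches; an empty "differ" list with no stamp mismatches means the content reproduced, and any remaining entries in "differ" are the files to inspect individually rather than the archive as a whole.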
michi3 commented Jul 19, 2017 (edited)
Hey Copperhead-Team,
I tried to reproduce your CopperheadOS builds. What I've done was to:
I followed strictly your docs to build CopperheadOS and everything was good. No problems.
So the conclusion is that the file size is different. My own build is 9 MB bigger.
For me, it seems like your provided images use different source code than the provided one on GitHub. With security in mind, this is a problem!
So I don't think you are kidding your users. For sure there is an easy explanation for the file size difference.
Have I done something wrong while building? What could be the reason for the file size difference?
(I'm sure you use the same code as I did :) )
thx team!