Reproducible build of 1.4.3 did not match #188
Thanks for the investigation into this. Reproducibility is very much a goal for this project. As you note, v1.4.3 is not reproducible across different machines. Versions earlier than this were in fact not even reproducible on the same machine, but the upgrade to Java 16 (which was largely done to resolve this reproducibility related bug: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8252730) resolved this. The runtime bundled with Sparrow can be a problem in achieving reproducibility, but this can be resolved by specifying the same Java release by the same vendor. For Sparrow, this is currently AdoptOpenJdk jdk-16.0.1+9 Hotspot (available for all supported platforms from this page: https://adoptopenjdk.net/archive.html?variant=openjdk16&jvmVariant=hotspot). For future reference, they are: When The v1.5.0 release will continue the journey to full reproducibility. The binaries for this release should be reproducible across machines. By that I mean the binaries themselves, not the installer packages (so the contents of the The next steps are the installer packages, and the signatures for the MacOS release DMG. I don't have deep experience in either the different packaging formats or on how best to solve the problem of verifying a signed binary (I note there are different approaches here). That said, I'm confident these challenges can be overcome (and would welcome any assistance!).
First draft of reproducible build instructions: https://github.com/sparrowwallet/sparrow/blob/master/docs/reproducible.md
To summarise for those reading: 1.5.0+ has reproducible .tar.gz and .zip. Installer packages are not (yet). Assistance wanted.
I attempted to perform a reproducible build of Sparrow 1.4.3 but my build results did not match the published release. The build was deterministic in that repeated attempts to build it resulted in the same binary, but the build results did not match the published binaries.
It seems like the problem is that the Java runtime is bundled with Sparrow, and this runtime is pulled from the system doing the build itself. So I likely have a different runtime installed and this causes the non-reproducibility.
Additionally, the deb and rpm files are not reproducible. Diffoscope tells me that this is partially timestamp based, but also more complicated than just that.
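
The triage described in this report (is a mismatch caused by different bundled files, or only by timestamps?) can be scripted for `.tar.gz` releases. The following is an added example, not part of the thread or of the Sparrow project; the archive member names and contents are constructed stand-ins, and the helper names are hypothetical.

```python
import hashlib
import io
import tarfile


def make_archive(files, mtime):
    """Build a .tar.gz in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(archive):
    """Map each regular file in the archive to (sha256 of its bytes, mtime)."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                entries[member.name] = (digest, member.mtime)
    return entries


def compare(published, local):
    """Separate real content differences from timestamp-only differences."""
    a, b = manifest(published), manifest(local)
    report = {"missing": sorted(set(a) ^ set(b)), "content": [], "timestamp_only": []}
    for name in sorted(set(a) & set(b)):
        if a[name][0] != b[name][0]:
            report["content"].append(name)
        elif a[name][1] != b[name][1]:
            report["timestamp_only"].append(name)
    return report


# Constructed stand-ins: same launcher, different bundled runtime, different build times.
PUBLISHED = make_archive({"app/launcher": b"launcher", "app/runtime/release": b"runtime-A"}, 1600000000)
LOCAL = make_archive({"app/launcher": b"launcher", "app/runtime/release": b"runtime-B"}, 1700000000)

if __name__ == "__main__":
    print("archives identical:", hashlib.sha256(PUBLISHED).digest() == hashlib.sha256(LOCAL).digest())
    print(compare(PUBLISHED, LOCAL))
```

Files listed under `content` point at a differing input such as the bundled runtime, while `timestamp_only` entries would match once build times are normalised.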