On Sun, Jul 17, 2016 at 09:38:31AM -0700, David Bruant wrote:
> Out of curiosity, how has the TOR team handled points 1 and 2?

I cannot answer for TOR, but I can answer for Debian, which also does reproducible builds of Firefox.

1) is not addressed at all, and while the Firefox package is marked as being reproducible, it's only because the .chk files are not in the Firefox package, but in the NSS package, which is separate, and is not reproducible because of the .chk files.

2) Debian doesn't ship .tar.bz2 files, but .deb files, and the tools that create those files deal with the reproducibility.

That being said, the packages that do reach Debian users are *not* currently reproducible. Many of the required tools to make it happen are not used to build normal packages. They are only used in a separate CI that does two builds with a special toolchain and checks the results are identical. (At least, that's my understanding of the current status.)

Also note that Debian builds are not PGOed (as is the case with most distros afaik), so that leaves that problem out of the equation.

For what it's worth, Debian uses a recursive comparison tool to check for the differences: https://diffoscope.org/

I've actually used that tool to compare our (Mozilla's) Firefox builds on buildbot vs. the same builds on taskcluster a few months ago. That made it possible to find a bunch of differences in the build environments, which were subsequently fixed (or ignored when appropriate). (And yes, the tool can show differences in binary files. It made it possible to identify the missing API keys that Greg was talking about, but reading the diff can be tedious.)

Mike