TL;DR we have platform independent repeatable release builds

And now for the longer version:

Nearly all of the plumbing is in place for this. I have one more commit to add to handle repeatable signing of the Windows installer but I am holding that back as we need a couple of other things to fall into place first.

1. We need BND 6.3.0. This is because 6.3.0 contains a fix to a repeatability issue in the manifest generation. The 6.3.0 release is in progress. It is currently at RC1 and a final release is expected in a couple of weeks.

2. We need JSign 4.1. I found a couple of minor issues in JSign earlier today. I've hacked around them locally to test the repeatable build but we need a proper release. ebourg is working on proper fixes to replace my hacks. On past experience, I expect he'll have a release out before BND does.

Once all of the above is in place our release builds will be repeatable on Windows and Linux provided that:
- The same version of Ant is used
- The same JDK (vendor and version) is used

The reason for the Ant and JDK version requirements is that the version numbers get placed in the manifests.

I have tested this with building on Linux and then repeating the build (using the generated signatures for the installer files) on Windows. The results are bit for bit identical.

The release process will need a small change. Essentially, the release manager will make the usual version changes, call 'ant release' once to generate the detached signature files and then tag with the version updates and the signature files. Then the release manager calls 'ant release' again to create the actual release.

At this point anyone can take the tag and generate the same release binaries from the tag.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
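
One way to check a rebuild against a published release, as an added example that is not part of the original message or of Tomcat's build: hash both output trees and, for any jar that differs, list the manifest attributes that changed, since the message names the Ant and JDK versions recorded there as the expected cause. The function names, directory layout and Ant version strings are constructed for illustration; `Ant-Version` is the attribute Ant's jar task writes.

```python
import hashlib, tempfile, zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"

def digest_tree(root):  # relative path -> SHA-512 for every file under root
    return {p.relative_to(root).as_posix(): hashlib.sha512(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def manifest_attrs(jar):
    """Main-section manifest attributes, with continuation lines joined."""
    with zipfile.ZipFile(jar) as z:
        text = z.read(MANIFEST).decode("utf-8") if MANIFEST in z.namelist() else ""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def compare_builds(a, b):
    """Return {} when both trees are bit-for-bit identical, else a per-file report."""
    a, b, report = Path(a), Path(b), {}
    da, db = digest_tree(a), digest_tree(b)
    for rel in sorted(k for k in set(da) | set(db) if da.get(k) != db.get(k)):
        if rel not in da or rel not in db:
            report[rel] = "present in only one build"
        elif zipfile.is_zipfile(a / rel) and zipfile.is_zipfile(b / rel):
            ma, mb = manifest_attrs(a / rel), manifest_attrs(b / rel)
            diff = {k: (ma.get(k), mb.get(k)) for k in sorted(set(ma) | set(mb))
                    if ma.get(k) != mb.get(k)}
            report[rel] = diff or "content differs, manifest identical"
        else:
            report[rel] = "content differs"
    return report

def demo():  # constructed sample: two output trees whose jar differs only in Ant-Version
    tmp = Path(tempfile.mkdtemp())
    for name, ant in (("linux", "Apache Ant 1.10.9"), ("windows", "Apache Ant 1.10.8")):
        (tmp / name / "lib").mkdir(parents=True)
        (tmp / name / "NOTICE").write_text("same\n")
        with zipfile.ZipFile(tmp / name / "lib" / "sample.jar", "w") as z:
            entry = zipfile.ZipInfo(MANIFEST, date_time=(2021, 1, 1, 0, 0, 0))
            z.writestr(entry, f"Manifest-Version: 1.0\r\nAnt-Version: {ant}\r\n\r\n")
    return compare_builds(tmp / "linux", tmp / "windows")
```

An empty report means the two trees match byte for byte; a report that lists only `Ant-Version` or `Created-By` points at a toolchain mismatch rather than a source difference.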
