Mark,
On 5/5/22 15:28, Mark Thomas wrote:
> TL;DR we have platform independent repeatable release builds

Excellent work. Thanks for putting in the time it took for all this.

> And now for the longer version:
>
> Nearly all of the plumbing is in place for this. I have one more commit
> to add to handle repeatable signing of the Windows installer but I am
> holding that back as we need a couple of other things to fall into place
> first.
>
> 1. We need BND 6.3.0. This is because 6.3.0 contains a fix to a
> repeatability issue in the manifest generation. The 6.3.0 release is in
> progress. It is currently at RC1 and a final release is expected in a
> couple of weeks.
>
> 2. We need JSign 4.1. I found a couple of minor issues in JSign earlier
> today. I've hacked around them locally to test the repeatable build but
> we need a proper release. ebourg is working on proper fixes to replace
> my hacks. On past experience, I expect he'll have a release out before
> BND does.
>
> Once all of the above is in place our release builds will be repeatable
> on Windows and Linux provided that:
>
> - The same version of Ant is used
> - The same JDK (vendor and version) is used
>
> The reason for the ANT and JDK version requirements is that the version
> numbers get placed in the manifests.
>
> I have tested this with building on Linux and then repeating the build
> (using the generated signatures for the installer files) on Windows. The
> results are bit for bit identical.
>
> The release process will need a small change. Essentially, the release
> manager will make the usual version changes, call 'ant release' once to
> generate the detached signature files and then tag with the version
> updates and the signature files. Then the release manager calls 'ant
> release' again to create the actual release.
>
> At this point anyone can take the tag and generate the same release
> binaries from the tag.

Awesome. I have a small commit to build.xml that drops environmental
information (e.g. versions, etc.) to a build-release.properties file,
but I'm unable to generate the timestamp in the correct format in order
to put it into the file. Here's the patch for it; I'd love it if anyone
could help solve the problem.
diff --git a/build.xml b/build.xml
index 580b16aca1..88c5f146a1 100644
--- a/build.xml
+++ b/build.xml
@@ -33,6 +33,7 @@
<!-- See "build.properties.default" in the top level directory for
some -->
<!-- property values you may customize.
-->
<property file="${user.home}/build.properties"/>
+ <property file="build-release.properties"/>
<property file="build.properties"/>
<property file="build.properties.default"/>
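Review bot: The added `<property file="build-release.properties"/>` line is loaded after `${user.home}/build.properties`, and Ant keeps the first value set for a property, so anything in a rebuilder's personal build.properties (version.suffix or release.asfusername, for example) still overrides the values recorded for the release. If the recorded values are meant to pin the build for anyone working from the tag, load build-release.properties first, or say in the comment block above that user overrides are intentional. That comment block should also mention the new file, since it currently only points readers at build.properties.default.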
@@ -2599,6 +2600,44 @@ skip.installer property in build.properties" />
<hashAndSign
file="${tomcat.release}/v${version}/bin/${final.name}.exe" />
</target>
+ <target name="pre-release-read-asf-username"
unless="release.asfusername">
+ <input message="Enter ASF username"
addproperty="release.asfusername" defaultValue="${user.name}" />
+ </target>
+ <target name="pre-release" depends="pre-release-read-asf-username">
+<!--
+ <script language="javascript">
+ project.setProperty('now-sec',
java.lang.System.currentTimeMillis() / 1000);
+ </script>
+-->
+ <tstamp>
+ <format pattern="yyyy-MM-dd'T'HH:mm:ss'Z'"
property="now-readable" timezone="UTC" />
+ </tstamp>
+ <tstamp>
+ <format pattern="ssssssssssssssssss" property="now-sec"
timezone="UTC" />
+ </tstamp>
+ <echo file="build-release.properties">
+# These ant.tstamp properties specify the build-timestamp for
repeatable builds.
+## TODO ant.tstamp.now=${now-sec}
+ant.tstamp.now.iso=${now-readable}
+# This is the ASF user who is the Release Manager for this release.
+release.asfusername=${release.asfusername}
+# Set the version-suffix to "" (empty string) as this is not a
development release.
+version.suffix=
+# Release build environment information:
+release.java.version=${java.version}
+release.java.vm.name=${java.vm.name}
+release.java.vm.version=${java.vm.version}
+release.os=${os.arch} ${os.name} ${os.version}
+release.default.file.encoding=${file.encoding}
+release.ant.version=${ant.version}
+</echo>
+ <echo file="res/maven/mvn.properties">
+asf.ldap.username=${release.asfusername}
+gpg.exec=${gpg.exec}
+maven.asf.release.deploy.version=${version}
+</echo>
+ </target>
+
<target name="release"
depends="clean,release-init,dist-deployer,installer-sign,package-zip,package-winzip,package-tgz,package-deployer-zip,package-deployer-tgz,javadoc,package-docs-tgz,package-src-zip,package-src-tgz,package-src-jar"
description="Create a Tomcat packaged distribution">
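Review bot: In the second `<tstamp>` of the pre-release target, the pattern `ssssssssssssssssss` cannot produce epoch seconds: `<format>` patterns follow java.text.SimpleDateFormat, where `s` is the second within the minute, so now-sec comes out as a zero-padded value between 0 and 59. There is no pattern letter for seconds since the epoch, so either drop the `## TODO ant.tstamp.now` line and rely on `ant.tstamp.now.iso` alone, or compute the value outside `<tstamp>`; if the commented-out script is revived, note that `currentTimeMillis() / 1000` is a floating-point division in JavaScript and needs truncating. The two `<tstamp>` tasks also read the clock separately, so putting both `<format>` elements inside one `<tstamp>` would keep the two values on the same instant. Separately, the target writes `gpg.exec` and the ASF username into res/maven/mvn.properties, so it is worth confirming that file is not meant to be committed with the tag.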
-chris