12 Oct 2023 10:29:02 Christopher Schultz <ch...@christopherschultz.net>:
All,
I've been working on an "ant verify-release" target and I'm finding
that in the 9.0 release -- the one I'm using as a guinea pig -- the
SHA-512 hashes do not match for these artifacts:
apache-tomcat-9.0.82-fulldocs.tar.gz
apache-tomcat-9.0.82-src.tar.gz
apache-tomcat-9.0.82-src.zip
They have different file sizes. The *-src artifacts seem to be off only
by a few bytes (of file size, I haven't compared the contents yet) but
the fulldocs are quite different.
I'm thinking that maybe these artifacts aren't expected to match 100%
but I'm not entirely sure. If it's possible to get these to be
reproducible, I think it would be good.
I did notice that the build contains <fixcrlf> in many places and in
some places we are converting to CRLF and LF in others. Sometimes we
are using UTF-8 and ISO-8859-1 in others. These are always specified,
so I wouldn't expect there to be a problem in these areas with
reproducibility (because they are consistently inconsistent).
Building the fulldocs tar looks like we do not perform a fixcrlf on all
files that will go into the archive, so if Rémy built on Linux (he did)
and I verified on Windows (I did) I think maybe the line-endings are
the problem.
Do we want these artifacts to be 100% reproducible? If so, we have a
little bit of work to do.
With the exact same version of Ant and the exact same JVM version and
vendor the builds should be repeatable.
I have checked repeatability across Linux / Windows for some versions and
it was OK.
Might need to diff the build.xml files to see if they have diverged.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
