Opened 5 years ago

Closed 5 years ago

#15023 closed enhancement (fixed)

Build MAR tools archive deterministically

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-gitian, tbb-4.5-alpha, TorBrowserTeam201503R
Cc: mikeperry, mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should build mar-tools-* deterministically if possible. The content does not seem to differ, which is good; nevertheless, the SHA256 sums of two zip archives are not the same. The problem is very likely that we are not using our deterministic zip wrapper but zip directly. See e.g.

zip -r mar-tools-linux${GBUILD_BITS}.zip mar-tools
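
Why two archives with identical contents can still hash differently, and how pinning the archive metadata removes the difference. This is an added example, not part of the ticket and not the project's deterministic zip wrapper; the file names, contents, timestamps and fixed metadata values are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample tree; names and contents are placeholders.
SAMPLE = {"mar-tools/tool-a": b"\x7fELF tool a", "mar-tools/tool-b": b"\x7fELF tool b"}
# Assumed fixed values for this example, not the project's settings.
FIXED_TIME = (2000, 1, 1, 0, 0, 0)
FIXED_MODE = 0o100755 << 16  # regular file, rwxr-xr-x, in the Unix attribute field


def naive_zip(files, mtime):
    """Mimic a plain recursive zip: traversal order and file mtimes are kept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            info = zipfile.ZipInfo(name, date_time=mtime)
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def deterministic_zip(files):
    """Sort entries and pin timestamp, permissions and creating system."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.create_system = 3        # always "Unix", whatever the build host
            info.external_attr = FIXED_MODE
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builders():
    """Return (naive digests match, deterministic digests match)."""
    builder_a = list(SAMPLE.items())
    builder_b = list(reversed(builder_a))   # different directory traversal order
    naive_a = naive_zip(builder_a, (2015, 3, 1, 10, 0, 0))
    naive_b = naive_zip(builder_b, (2015, 3, 2, 18, 30, 0))
    fixed_a, fixed_b = deterministic_zip(builder_a), deterministic_zip(builder_b)
    return sha256(naive_a) == sha256(naive_b), sha256(fixed_a) == sha256(fixed_b)


if __name__ == "__main__":
    print(compare_builders())
```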

Change History (6)

comment:1 Changed 5 years ago by mikeperry

Keywords: ttb-4.5-alpha added

I know I previously said that it's not necessary to publish the mar-tools in the dist or in sha256sums.txt, but for build/code signing integrity reasons I think we should also be verifying that they are identical to what other builders produce. I also think we should fix this for 4.5-stable, esp since it's just switching how we zip them up.

comment:2 Changed 5 years ago by gk

Keywords: tbb-4.5-alpha added; ttb-4.5-alpha removed

comment:3 Changed 5 years ago by mcs

Keywords: TorBrowserTeam201503R added
Status: new → needs_review

comment:4 Changed 5 years ago by gk

Merged as commit bc8eb2befd19fd13798f9a0527b2fa821555408e. How do we want to expose this? Even if it does not matter to users, at least the devs doing the Tor Browser releases might be interested in an easy way to see whether the tools are matching. Shall we put the SHA256 sums into the txt file and not ship the tools in dist? Or shall we do the former and the latter?

I have no strong opinion here apart from the one that I want to see whether the SHA256 sums match without the need for asking every time.

comment:5 Changed 5 years ago by gk

Status: needs_review → assigned

comment:6 Changed 5 years ago by gk

Resolution: fixed
Status: assigned → closed

We go with just adding the Linux MAR tools. Turns out the code was already there, just commented. Removing the comment results in adding the Linux MAR tools to the build dir (which in turn gets them hashed into the sha256sums.txt file). Fixed in commit 8fc54b8ab6e96ff8fc722066bc7756b25d23619f.