Reproducible Builds on Windows

Andrew Leonard anleonar at redhat.com
Mon Dec 2 09:20:47 UTC 2024


For reproducible Temurin Windows builds, we specify our MS VS version in
our SBOM; basically, as soon as you use a slightly different VS compiler,
the native PE code is different... which I think is as expected really.
For our Linux builds of OpenJDK we use what's termed a "DevKit", which is a
specific version level of the gcc compiler; a "user" can independently
re-create the DevKit Toolchain from source "identically", and then use that
to identically build OpenJDK. Ref:
https://htmlpreview.github.io/?https://raw.githubusercontent.com/openjdk/jdk/master/doc/building.html#cross-compiling-the-easy-way


On Mon, Dec 2, 2024 at 7:34 AM Chris Lamb <chris at reproducible-builds.org>
wrote:

> Danilo wrote:
>
> > One aspect that I cannot get rid of is the embedded toolchain
> > information, as well as differing behavior between toolchain versions.
> […]
> > From what I could gather, there is no way to really solve this issue.
> > The approach that we currently plan to implement is to simply declare
> > the toolchain version we used, and let the user deal with the effort to
> > get it installed.
>
> I can't solve your specific problem with the embedded MSVC versions,
> but your alternative plan to simply declare the version out-of-band is
> the general approach taken in most non-Windows environments. As in,
> you would not be doing anything dramatically different from other
> platforms.
>
> The claim that "X is reproducible" carries an implicit "given the same
> build environment". Most projects declare the toolchain versions by
> recording the build environment programmatically and distributing that
> info in some way: see [0] for some concrete examples.
>
> For instance, Debian tooling generates a .buildinfo file that
> includes the build dependencies along with the versions used. Users
> must indeed "deal with the effort" to match that if they want to
> reproduce the package.
>
> However, the scriptable packaging tools for Debian and friends make it
> relatively straightforward (in theory!!) to programmatically install a
> whole bunch of dependencies with specific versions. That might not be
> the case under Windows and with VC components.
>
> Intriguingly, the way you couch your "alternative" solution with some
> hesitation might suggest asking users to install a specific version
> goes against the social norms for that technical platform/community.
> I'd be interested to learn about that, as it's the kind of "we don't
> tend to do that.." thing that does not end up in technical
> documentation. :)
>
>
>   [0] https://reproducible-builds.org/docs/recording/
>
>
> Best wishes,
>
> --
>       o
>     ⬋   ⬊      Chris Lamb
>    o     o     reproducible-builds.org 💠
>     ⬊   ⬋
>       o
>
>
>
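
Added example, not part of the original thread or of any project's tooling: a sketch of the "match the recorded environment" step discussed above. It reads the `Installed-Build-Depends` field of a `.buildinfo`-style file and reports where a rebuilder's environment differs. The sample file, the installed-package map and all function names are constructed for illustration.

```python
import re

# Constructed sample in the style of a Debian .buildinfo file (not a real one).
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: hello
Version: 2.10-3
Build-Architecture: amd64
Installed-Build-Depends:
 autoconf (= 2.71-3),
 binutils (= 2.40-2),
 gcc-12 (= 12.2.0-14),
 libc6-dev (= 2.36-9)
Environment:
 LANG="C.UTF-8"
"""

# Constructed stand-in for the rebuilder's installed packages; a real check
# would query the package manager (or, on Windows, the installed VS version).
SAMPLE_INSTALLED = {"autoconf": "2.71-3", "binutils": "2.40-2", "gcc-12": "12.3.0-1"}

def parse_fields(text):
    """Split deb822-style text into {field: value}, joining continuation lines."""
    fields, name = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and name:
            fields[name] += "\n" + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            fields[name] = value.strip()
    return fields

def recorded_depends(text):
    """Return {package: exact_version} from the Installed-Build-Depends field."""
    raw = parse_fields(text).get("Installed-Build-Depends", "")
    deps = {}
    for item in raw.split(","):
        m = re.fullmatch(r"\s*(\S+)\s+\(=\s*(\S+)\)\s*", item)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def environment_drift(recorded, installed):
    """List (package, recorded, installed) per mismatch; installed None = missing."""
    return [(pkg, ver, installed.get(pkg))
            for pkg, ver in sorted(recorded.items())
            if installed.get(pkg) != ver]

if __name__ == "__main__":
    for pkg, want, have in environment_drift(recorded_depends(SAMPLE_BUILDINFO), SAMPLE_INSTALLED):
        print(f"{pkg}: recorded {want}, installed {have or 'missing'}")
```

A non-empty result means a bit-for-bit comparison of the rebuilt artifact is not yet meaningful; the environment has to be brought in line with the record first.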