[Replicant] diffoscope output of two local 6.0-0003 builds

Simon Josefsson simon at josefsson.org
Sat Dec 16 15:59:20 UTC 2017


Hi all!

To inspire reproducible builds of Replicant, I built 6.0-0003 twice from
scratch (including two different builds of the toolchain) and ran
diffoscope on the resulting images.  The two builds use the same
signing key to reduce differences.

https://josefsson.org/local1-vs-local2.html  warning: BIG FILE!

The good thing is that it appears to be a feasible number of differences
to deal with, if anyone wants to help debug things further.  There is
quite some noise in the output that might be easy (or not) to resolve,
like the build-ids, timestamps and hard-coded paths.

My detailed manual analysis of the output is, major things first:

* boot.img 4MB
  system/recovery-from-boot.p 1.5MB
  recovery/recovery-from-boot.p 1.5MB same as previous?

  These are opaque (compressed?) image files with large differences.
  What do they contain?  Kernel?  Initrd ramdisk?  Can we teach
  diffoscope to unpack them?

* system/framework/core-libart.jar
  system/lib/libGLES_trace.so
  system/lib/libwebrtc_audio_preprocessing.so
  system/lib/modules/dhd.ko
  system/xbin/perfprofd

  These are large diffs.  Does anyone know what each of these files do?

  Is the reason for the differences due to Java/C++ name mangling only?
  Perhaps building with the same toolchain avoids these diffs, but I
  like having independently built toolchains too.

* system/bin/install-recovery.sh and recovery/bin/install-recovery.sh:

  Contains some hash, timestamp or build-id data.  How are the hashes
  generated?

Minor things:

* META-INF/com/android/metadata: timestamp

* META-INF/com/google/android/update-binary: Build-Id.

* META-INF/CERT.RSA: what is stored at the end?  RSA sigs should be
  deterministic if the inputs are the same.

* system/app/messaging/messaging.apk:
  system/bin/*:
  system/etc/ppp/ip-up-vpn:

  Build date/id, sha1 checksum.

* system/build.prop: build info diffs.

* system/etc/NOTICE.html.gz: contains paths from build system?

* system/lib/*: build id diff.

* system/etc/recovery-resource.dat:
  system/framework/*:

  Timestamp in zip metadata.

* system/etc/security/otacerts.zip: contains a hard-coded path from the
  build machine.

Cheers,
/Simon
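
Added example, not part of the original message or of Replicant's build tooling: a triage of two zip-format artifacts (such as the system/framework/* jars noted above) that separates members whose only difference is the zip metadata timestamp from members whose contents differ. The member names and the two in-memory archives are constructed sample input.

```python
import hashlib
import io
import zipfile


def make_zip(entries, date_time):
    """Build an in-memory zip; every member gets the given mtime (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def index(blob):
    """Map member name -> (sha256 of uncompressed data, mtime tuple)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}


def triage(blob_a, blob_b):
    """Classify each member as 'content', 'timestamp-only', 'missing' or 'same'."""
    a, b = index(blob_a), index(blob_b)
    report = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report[name] = "missing"
        elif a[name][0] != b[name][0]:
            report[name] = "content"
        elif a[name][1] != b[name][1]:
            report[name] = "timestamp-only"
        else:
            report[name] = "same"
    return report


# Constructed sample: identical classes.dex, different build times, one changed manifest.
BUILD1 = make_zip({"classes.dex": b"dex-bytes", "META-INF/MANIFEST.MF": b"Created-By: build1\n"},
                  (2017, 12, 15, 10, 0, 0))
BUILD2 = make_zip({"classes.dex": b"dex-bytes", "META-INF/MANIFEST.MF": b"Created-By: build2\n"},
                  (2017, 12, 16, 11, 30, 0))

if __name__ == "__main__":
    for member, verdict in triage(BUILD1, BUILD2).items():
        print(f"{verdict:15} {member}")
```

Members reported as timestamp-only are noise that a fixed archive mtime in the build would remove; members reported as content are the ones that need further debugging.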