Comments (6)
Can you explain why this is an issue?
from ipsw.
Is there a tool or standard way people are testing this? above and beyond what I'm doing with https://github.com/anchore/syft and sboms?
from ipsw.
Does this have to do with creating an official MacPort for ipsw
?
from ipsw.
Swapping out AppBuildTime for AppBuildCommit. I believe this meets the 'spirit' of this issue
CC @TheRealKeto
from ipsw.
@blacktop I'd like to make clear that I speak for myself, and I am not representing the views of the MacPorts organization, or any other organization.
Given concerns about reproducible builds for this project in MacPorts, I believe the current solution to the issue at hand is too small. Though, according to the Church of Reproducible Builds, Git checksums are appropriate, the situation remains the same.
To address these concerns, I decided to move forward by patching out AppBuildTime
all together, despite a member of the MacPorts team advising me to use a constant value for the field (with something like "unknown"); this approach is not satisfactory. Users should have a clear understanding of version information of programs. By having "unknowns" (like the build time of a program) appear without meaningful information, a field like AppBuildTime
is useful to no one. The same can be said about a commit hash, despite them embraced by the Church of Reproducible Builds. While the version of a port, a constant, changes with every release, such constant is mandatory; a commit hash does not fit that description, so it falls under the same scenario.
The final solution is to make information (whether thats the build time or a commit hash) be determined by mechanisms only available for those building from a clone of the project repository; this should exclude tarballs (particularly those automatically made by Github) as they don't contain the components necessary to determine this information, which often have predetermined versioning systems (whether that's reading from a VERSION file at compile time by the build system, or an approach similar to libimobiledevice
projects with .tarball-version
, or (more simplistically), providing the version at build time).
All this is too pushy, but this should only be considered as advice. I am content with the current approach that has allowed this project to be officially distributed by MacPorts, as it correctly meets the requirements described above, and such solution prevented me from dictating the way in which you manage the development of your own software.
from ipsw.
Can you explain why this is an issue?
The web site I linked to explains. Specifically, https://reproducible-builds.org/docs/timestamps/
Does this have to do with creating an official MacPort for
ipsw
?
Only to the extent that I learned of the existence of ipsw via the pull request that added it to MacPorts, and in that PR a patch was developed to patch out AppBuildTime
, and package management systems like MacPorts don't like carrying around patches forever, so I wanted to report the issue to you.
from ipsw.
Related Issues (20)
- Sort members of generated headers for better diffing
- Crash when extracting entitlement in Mac_15.0_24A5279h beta build HOT 1
- ipsw symbolicate: hide absolute 0 from symbolicate panic backtraces HOT 1
- ipsw symbolicate: add 'unslide' support to panic 210 logs
- ipsw symbolicate: isCorpse is typed int (instead of bool) on iOS 15+ ips HOT 2
- Delta OTA's missed without --build and --version passed HOT 4
- ipsw_db missing new M4 iPads HOT 3
- failed to parse AEA encrypted DMG for iOS 18.1 Beta ipsw HOT 11
- Getting errors while trying to retrieve key for Mac ipsw or trying to decrypt directly the .dmg.aea file using the key. HOT 10
- ld error when linking with .tbd output of ipsw dyld tbd --private HOT 1
- crash when trying to extract a binary from a FAT image when the image is not FAT HOT 1
- File symlink collision during MacOS IPSW extraction.
- Failure to extract DSC without first mounting sys HOT 9
- minimize the size of symbol file
- extract dylib from dylib cache fail HOT 1
- OOM on dyld parse for 19H386-15.8.3
- kexts listed but not extracted
- Fail to retrieve AEA1 DMG fcs-keys for fs HOT 4
- ipsw extract --dmg is missing "exc" option HOT 1
- Support patching .aea otas HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ipsw.