Is there a correct way to verify the source code of a blessed replica proposal now that the binaries are using compression?
For proposal 54964, the git commit is: 0ef2aebde4ff735a1a93efa342dcf966b6df5061, and the release_package_sha256_hex hash specified in the proposal is
When I check out the ic repo at the commit: 0ef2aebde4ff735a1a93efa342dcf966b6df5061 and build the code with the build commands in the readme, the build is successful but the hashes are different than the one in the proposal.
How can I verify the source code of the replica?
The canister module GZip compression that I implemented recently is not related to this issue.
When I try to build the IC OS image from the same commit, I get yet another hash:
$ git status
HEAD detached at 0ef2aebd
$ ./gitlab-ci/tools/docker-run ./gitlab-ci/tools/build-ic
There might be an issue with the build reproducibility; I asked our release engineers for clarification.
Thanks. If I remember correctly, it is the extracted root.img file that is different.
I’m seeing the same thing when building for proposal 56257
the proposal hash is
at commit 3ad313dcda03e2db45e81d02c5f931fdf3bf5bc1
When I check out 3ad313dcda03e2db45e81d02c5f931fdf3bf5bc1 and build on my machine:
@levi Many thanks for discovering and reporting this issue. We are currently investigating and will update you on the progress.
We haven’t pinpointed the source yet, but assume it is related to the Docker image used in our build environment.
@levi do you still see issues with reproducibility?