-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement reproducibility for the JSDoc builds #18256
Implement reproducibility for the JSDoc builds #18256
Conversation
The JSDoc builds are currently not reproducible because a timestamp is included in the output, meaning that two builds from identical source code, made at different times, result in different output. This is undesirable because it makes diffing the output difficult, for instance recently during the Gulp 5 efforts, because the timestamp differences are irrelevant and could obscure actually important differences in the output during e.g. code changes. Moreover, reprodicibility of build artifacts has become increasingly important; please refer to the Reproducible Builds initiative at https://reproducible-builds.org (note the "Why does it matter?" section specifically) and https://reproducible-builds.org/docs/timestamps which further explains the problem of timestamps in build artifacts. This commit fixes the issue by configuring JSDoc to not include the timestamps in the output. It's not relevant for end users and without it the build is fully reproducible so that identical source code builds result in bit-by-bit identical output artifacts. Note that this option sadly can only be set via a configuration file, and not via the command line parameters like we used to have, so for consistency we also move the other options into the configuration file so they are all in one place and the Gulpfile becomes a bit simpler.
Before this patch, on the current
I have triggered two builds from the same source code, moved the output into separate folders, computed the combined SHA256 hash of all files and generated the recursive diff. Note that the SHA256 hashes are different and the diff includes only timestamp changes. I have repeated this process with this patch applied below. Note that the SHA256 hashes are equal now and the diff is empty:
|
/botio-linux preview |
From: Bot.io (Linux m4)ReceivedCommand cmd_preview from @timvandermeij received. Current queue size: 0 Live output at: http://54.241.84.105:8877/7c1af6f3258bc9f/output.txt |
From: Bot.io (Linux m4)SuccessFull output at http://54.241.84.105:8877/7c1af6f3258bc9f/output.txt Total script time: 0.98 mins Published |
Note that the only observable difference in the API documentation is that http://54.241.84.105:8877/7c1af6f3258bc9f/api now only shows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
r=me, thank you!
The JSDoc builds are currently not reproducible because a timestamp is included in the output, meaning that two builds from identical source code, made at different times, result in different output.
This is undesirable because it makes diffing the output difficult, for instance recently during the Gulp 5 efforts, because the timestamp differences are irrelevant and could obscure actually important differences in the output during e.g. code changes. Moreover, reprodicibility of build artifacts has become increasingly important; please refer to the Reproducible Builds initiative at https://reproducible-builds.org (note the "Why does it matter?" section specifically) and https://reproducible-builds.org/docs/timestamps which further explains the problem of timestamps in build artifacts.
This commit fixes the issue by configuring JSDoc to not include the timestamps in the output. It's not relevant for end users and without it the build is fully reproducible so that identical source code builds result in bit-by-bit identical output artifacts.
Note that this option sadly can only be set via a configuration file, and not via the command line parameters like we used to have, so for consistency we also move the other options into the configuration file so they are all in one place and the Gulpfile becomes a bit simpler.