Fedora RPM Reproducibility: Metadata Discrepancies in qubes-core-admin-client Build Comparison #9500

Open
egbedo opened this issue Oct 9, 2024 · 0 comments
Labels
C: builder Qubes Builder needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments


egbedo commented Oct 9, 2024

Update on Build Comparisons

I have performed a comparison of the builds and their respective .buildinfo files. Here are the details:

Build Comparison

  • The comparison report between the old and new builds can be found here: diff_report.txt

Key differences observed:

The comparison report highlighted differences in the RPM files between the old and new builds, particularly in the headers:

SIGMD5:

The MD5 signature of the packages differed, indicating that the contents or metadata may have changed.

SHA1HEADER:

There was a change in the SHA1 header values, which typically signifies that the files' contents are not identical.

SHA256HEADER:

Similar to the above, the SHA256 header also showed differences, further confirming changes in the file contents or metadata.

.buildinfo Comparison

  • The comparison report for the .buildinfo files can be found here: output.txt

Notable points from the comparison

The .buildinfo files from both builds contained notable differences in the following areas:

Build Timestamp:

The timestamp indicating when the builds were created was different, reflecting that the builds were indeed performed at different times.

Dependencies:

There may have been changes in the listed dependencies, reflecting updates or modifications in the package requirements for the builds.

Conclusion

The comparisons indicate that while the core contents of the RPM files may not have differed significantly, the headers show variations, and the .buildinfo files reflect the new build's metadata changes. This suggests that the builds were executed correctly, and changes were introduced as expected.

@egbedo egbedo added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Oct 9, 2024
@andrewdavidwong andrewdavidwong added C: builder Qubes Builder needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Oct 10, 2024
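
Added example, not part of the issue or of Qubes Builder's code: SHA1HEADER and SHA256HEADER are digests of the package's main header, and SIGMD5 is a digest of header plus payload, so they change whenever any other tag changes. This sketch parses two RPM header sections and names the tags that actually differ; the sample headers (version, build times, host names) are constructed, and only INT32 and STRING tags are decoded.

```python
import hashlib
import struct

MAGIC = b"\x8e\xad\xe8\x01"          # start of every RPM header section
INT32, STRING = 4, 6                 # rpm tag data types
# Tag numbers as defined in rpm's rpmtag.h
NAMES = {1000: "NAME", 1001: "VERSION", 1006: "BUILDTIME", 1007: "BUILDHOST"}

def parse_header(blob):
    """Parse one header section into {tag: value}; other types are skipped."""
    if blob[:4] != MAGIC:
        raise ValueError("not an RPM header section")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    start = 16 + 16 * nindex
    store = blob[start:start + hsize]
    tags = {}
    for i in range(nindex):
        tag, typ, off, _count = struct.unpack(">IIII", blob[16 + 16 * i:32 + 16 * i])
        if typ == INT32:
            tags[tag] = struct.unpack(">I", store[off:off + 4])[0]
        elif typ == STRING:
            tags[tag] = store[off:store.index(b"\0", off)].decode()
    return tags

def build_header(entries):
    """Serialise {tag: int|str} as a header section (used for sample data only)."""
    index, store = b"", b""
    for tag, val in sorted(entries.items()):
        if isinstance(val, int):
            store += b"\0" * (-len(store) % 4)      # INT32 values are 4-byte aligned
            index += struct.pack(">IIII", tag, INT32, len(store), 1)
            store += struct.pack(">I", val)
        else:
            index += struct.pack(">IIII", tag, STRING, len(store), 1)
            store += val.encode() + b"\0"
    return MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

def explain(old, new):
    """Return (header digests differ?, names of the tags that cause the change)."""
    a, b = parse_header(old), parse_header(new)
    changed = sorted(NAMES.get(t, str(t)) for t in a.keys() | b.keys() if a.get(t) != b.get(t))
    # SHA256HEADER is a SHA-256 over the main header section, so it moves with any tag.
    return hashlib.sha256(old).digest() != hashlib.sha256(new).digest(), changed

# Constructed sample headers, not taken from the packages in this issue.
OLD = build_header({1000: "qubes-core-admin-client", 1001: "0.0.0",
                    1006: 1728432000, 1007: "builder-a.example"})
NEW = build_header({1000: "qubes-core-admin-client", 1001: "0.0.0",
                    1006: 1728518400, 1007: "builder-b.example"})

if __name__ == "__main__":
    print(explain(OLD, NEW))
```

On real packages the same question can be answered by dumping every tag of both builds with `rpm -qp --xml` and diffing the output, ignoring the digest tags themselves.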