@drupol
Last active February 15, 2024 11:20
box-project/box reproducible PHAR poc
From b91328c0cce43b0e9fe9b1841953813f04bfa88d Mon Sep 17 00:00:00 2001
From: Pol Dellaiera <pol.dellaiera@protonmail.com>
Date: Thu, 15 Feb 2024 12:02:02 +0100
Subject: [PATCH] reproducibility patch
---
box.json.dist | 9 ++++++---
scoper.inc.php | 1 +
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/box.json.dist b/box.json.dist
index b62be74..1bd403a 100644
--- a/box.json.dist
+++ b/box.json.dist
@@ -1,6 +1,8 @@
{
"$schema": "res/schema.json",
+ "alias": "box-project",
+
"banner": [
"This file is part of the box project.",
"",
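Review bot: the added "alias": "box-project" line at the top of box.json.dist has no stated reason, and the commit message says only "reproducibility patch", so a later cleanup could drop it without knowing it matters. State in the commit message that the alias is pinned because Box otherwise generates a unique one for each build, and drop the empty "+" line after it, which only adds a blank line inside the JSON object.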
@@ -10,7 +12,7 @@
"This source file is subject to the MIT license that is bundled",
"with this source code in the file LICENSE."
],
-
+ "check-requirements": false,
"files": [
"res/schema.json"
],
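Review bot: "check-requirements": false, added just before "files", changes what the shipped PHAR does and not only whether it is reproducible, because the build no longer runs the requirement check, while the next hunk's context still lists "res/requirement-checker" under "directories-bin". If the checker is a source of build-to-build differences, say so in the commit message and keep this setting to the PoC; for a release build the better fix is to make the checker's output deterministic rather than turn it off.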
@@ -19,11 +21,12 @@
],
"directories-bin": ["res/requirement-checker"],
- "compression": "GZ",
+ "compression": "NONE",
"compactors": [
"KevinGH\\Box\\Compactor\\Php",
"KevinGH\\Box\\Compactor\\PhpScoper",
"KevinGH\\Box\\Compactor\\Json"
],
- "datetime": "release-date"
+ "datetime": "1970-01-01",
+ "timestamp": "1970-01-01"
}
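Review bot: in the last two changed lines, "datetime" goes from a name ("release-date") to a date literal and "timestamp" repeats the same literal; confirm against res/schema.json that "datetime" accepts a date rather than a placeholder name, otherwise the release-date substitution is lost without any error. The switch from "compression": "GZ" to "NONE" also makes the artifact larger, so note whether GZ was actually observed to produce differing output or was disabled only as a precaution.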
diff --git a/scoper.inc.php b/scoper.inc.php
index c3fdc2d..9bd3762 100644
--- a/scoper.inc.php
+++ b/scoper.inc.php
@@ -22,6 +22,7 @@ $jetBrainStubsPatcher = (require __DIR__.'/vendor/humbug/php-scoper/res/create-s
);
return [
+ 'prefix' => 'BoxProject',
'exclude-files' => $jetBrainStubs,
'exclude-classes' => [
IsolatedFinder::class,
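Review bot: the new 'prefix' => 'BoxProject' entry in the returned array carries no comment, so nothing tells a maintainer that it is pinned for deterministic output instead of the per-run prefix PHP-Scoper generates when none is set. Add a one-line comment above it saying so, and check that 'BoxProject' cannot collide with a namespace already used by the project or its dependencies.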
--
2.43.0
#!/usr/bin/env bash
set -e
rm -rf diffoscope box
git clone https://github.com/box-project/box.git
cd box
git apply ../0001-reproducibility-patch.patch
mkdir -p diffoscope
echo "Checking the reproducibility of the Composer 'vendor' directory..."
# Make sure the vendor dir is reproducible (it is by default since Composer 2.6.4)
composer i --quiet
echo "Checksum of the vendor dir: $(tar --owner=0 --group=0 --numeric-owner --sort=name --mtime='1970-01-01 00:00:00Z' -c vendor | sha256sum)"
rm -rf vendor
composer i --quiet
echo "Checksum of the vendor dir: $(tar --owner=0 --group=0 --numeric-owner --sort=name --mtime='1970-01-01 00:00:00Z' -c vendor | sha256sum)"
rm -rf vendor
# First build
echo "Compiling the first build..."
composer i --quiet
bin/box compile --quiet
echo "Checksum of the first build: $(sha256sum bin/box.phar)"
php -r '$phar = new Phar("bin/box.phar"); $phar->extractTo("./diffoscope/box-1");'
rm -rf vendor bin/box.phar
# Second build
echo "Compiling the second build..."
composer i --quiet
bin/box compile --quiet
echo "Checksum of the second build: $(sha256sum bin/box.phar)"
php -r '$phar = new Phar("bin/box.phar"); $phar->extractTo("./diffoscope/box-2");'
rm -rf vendor bin/box.phar
# Build comparison
echo "Running diffoscope..."
cd diffoscope
diffoscope box-1 box-2 --exclude-directory-metadata recursive