box-project/box reproducible PHAR poc
From b91328c0cce43b0e9fe9b1841953813f04bfa88d Mon Sep 17 00:00:00 2001 | |
From: Pol Dellaiera <pol.dellaiera@protonmail.com> | |
Date: Thu, 15 Feb 2024 12:02:02 +0100 | |
Subject: [PATCH] reproducibility patch | |
--- | |
box.json.dist | 9 ++++++--- | |
scoper.inc.php | 1 + | |
2 files changed, 7 insertions(+), 3 deletions(-) | |
diff --git a/box.json.dist b/box.json.dist | |
index b62be74..1bd403a 100644 | |
--- a/box.json.dist | |
+++ b/box.json.dist | |
@@ -1,6 +1,8 @@ | |
{ | |
"$schema": "res/schema.json", | |
+ "alias": "box-project", | |
+ | |
"banner": [ | |
"This file is part of the box project.", | |
"", | |
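Review bot: The fixed `"alias": "box-project"` trades one problem for another that the commit message does not mention. The alias is no longer generated per build, but as far as I know PHP refuses to load two PHARs that share an alias in one process, so a Box PHAR invoked from or alongside another PHAR built with the same alias could fail to load. JSON cannot carry a comment here, so I would add a sentence to the commit description along the lines of `alias is pinned because the generated default differs per build; it must stay unique among PHARs loaded together`.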
@@ -10,7 +12,7 @@ | |
"This source file is subject to the MIT license that is bundled", | |
"with this source code in the file LICENSE." | |
], | |
- | |
+ "check-requirements": false, | |
"files": [ | |
"res/schema.json" | |
], | |
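Review bot: `"check-requirements": false` changes what the shipped PHAR does at startup, not only how it is built, and the commit does not say why that is needed for reproducibility. With the checker off, the PHAR presumably no longer verifies the PHP version and extensions before running. The `res/requirement-checker` directory is still listed under `directories-bin` in the next hunk. If the checker was only switched off to narrow down the source of differences, that should be stated in the commit description so it is not carried into a release configuration unnoticed.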
@@ -19,11 +21,12 @@ | |
], | |
"directories-bin": ["res/requirement-checker"], | |
- "compression": "GZ", | |
+ "compression": "NONE", | |
"compactors": [ | |
"KevinGH\\Box\\Compactor\\Php", | |
"KevinGH\\Box\\Compactor\\PhpScoper", | |
"KevinGH\\Box\\Compactor\\Json" | |
], | |
- "datetime": "release-date" | |
+ "datetime": "1970-01-01", | |
+ "timestamp": "1970-01-01" | |
} | |
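Review bot: `"datetime": "1970-01-01"` on the new side probably does not pin a date. As far as I recall from Box's documentation, `datetime` holds the name of the placeholder that is replaced with the build time, so this line renames the placeholder from `@release-date@` to `@1970-01-01@` and leaves any `@release-date@` in the sources unsubstituted. If that reading is right, removing the `datetime` key expresses the intent more directly, with `"timestamp": "1970-01-01"` as the only pinned time. `"compression": "NONE"` in the same hunk also changes the artifact that is shipped, so the commit description should say whether GZ was actually observed to produce differing output.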
diff --git a/scoper.inc.php b/scoper.inc.php | |
index c3fdc2d..9bd3762 100644 | |
--- a/scoper.inc.php | |
+++ b/scoper.inc.php | |
@@ -22,6 +22,7 @@ $jetBrainStubsPatcher = (require __DIR__.'/vendor/humbug/php-scoper/res/create-s | |
); | |
return [ | |
+ 'prefix' => 'BoxProject', | |
'exclude-files' => $jetBrainStubs, | |
'exclude-classes' => [ | |
IsolatedFinder::class, | |
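Review bot: The new `'prefix' => 'BoxProject'` entry carries no comment explaining why the prefix is pinned. PHP-Scoper otherwise generates a prefix per build (to my knowledge a random one), which is presumably the non-determinism being removed here. I would add `// Pinned: the generated default differs between builds, which changes every scoped namespace in the PHAR.` directly above the entry. The returned array starts and ends outside this hunk.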
-- | |
2.43.0 | |
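#!/usr/bin/env bash
#
# Proof of concept: checks whether box-project/box produces a reproducible
# PHAR once 0001-reproducibility-patch.patch has been applied.
#
# Steps:
#   1. clone Box and apply the patch;
#   2. install the Composer dependencies twice and compare the checksums of
#      the 'vendor' directory;
#   3. compile the PHAR twice, compare the checksums of bin/box.phar and keep
#      an extracted copy of each build;
#   4. diff the two extracted trees with diffoscope.
#
# The patch file is expected in the directory the script is started from.
# The exit status is non-zero when any comparison finds a difference.
#
# NOTE(review): the clone below follows the tip of the default branch, so the
# code executed by 'composer i' and 'bin/box compile' changes over time and
# the patch may stop applying. For a repeatable check, pin a known revision
# right after the clone, e.g. `git checkout <COMMIT_SHA>` (placeholder).

# -e: stop at the first failing command; -u: reject unset variables;
# pipefail: a failing 'tar' is not hidden by a succeeding 'sha256sum'.
set -euo pipefail

# Print a checksum of ./vendor with ownership, mtimes and entry order
# normalised, so that two identical installs hash to the same value.
vendor_checksum() {
    tar --owner=0 --group=0 --numeric-owner --sort=name \
        --mtime='1970-01-01 00:00:00Z' -c vendor | sha256sum
}

# Becomes non-zero as soon as one comparison fails; returned at the end so
# that every check still runs and prints its result.
status=0

rm -rf diffoscope box
git clone https://github.com/box-project/box.git
cd box
git apply ../0001-reproducibility-patch.patch
mkdir -p diffoscope

echo "Checking the reproducibility of the Composer 'vendor' directory..."
# Making sure vendor dir is reproducible, yes by default since Composer 2.6.4
composer i --quiet
# Captured in a variable (not inside the echo) so a failing pipeline aborts.
vendor_sum_1="$(vendor_checksum)"
echo "Checksum of the vendor dir: ${vendor_sum_1}"
rm -rf vendor
composer i --quiet
vendor_sum_2="$(vendor_checksum)"
echo "Checksum of the vendor dir: ${vendor_sum_2}"
rm -rf vendor
if [[ "${vendor_sum_1}" != "${vendor_sum_2}" ]]; then
    echo "MISMATCH: the two 'vendor' installs have different checksums." >&2
    status=1
fi

# First build
echo "Compiling the first build..."
composer i --quiet
bin/box compile --quiet
phar_sum_1="$(sha256sum bin/box.phar)"
echo "Checksum of the first build: ${phar_sum_1}"
php -r '$phar = new Phar("bin/box.phar"); $phar->extractTo("./diffoscope/box-1");'
rm -rf vendor bin/box.phar

# Second build
echo "Compiling the second build..."
composer i --quiet
bin/box compile --quiet
phar_sum_2="$(sha256sum bin/box.phar)"
echo "Checksum of the second build: ${phar_sum_2}"
php -r '$phar = new Phar("bin/box.phar"); $phar->extractTo("./diffoscope/box-2");'
rm -rf vendor bin/box.phar

# The archive itself is compared as well: diffoscope below only sees the
# extracted files, so a difference confined to the PHAR container would
# otherwise go unreported.
if [[ "${phar_sum_1}" != "${phar_sum_2}" ]]; then
    echo "MISMATCH: the two PHAR builds have different checksums." >&2
    status=1
fi

# Build comparison
echo "Running diffoscope..."
cd diffoscope
# A non-zero diffoscope status is recorded instead of aborting, so the
# combined status of all checks is what the script returns.
diffoscope box-1 box-2 --exclude-directory-metadata recursive || status=$?

exit "${status}"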