brag about how reproducible our builds are

This commit is contained in:
Leijurv 2018-10-11 20:02:26 -07:00
parent f33a2ef11b
commit e3b80f11ad
No known key found for this signature in database
GPG Key ID: 44A3EA646EADAC6A

View File

@ -18,7 +18,7 @@ For Impact 4.3, there is no Baritone integration yet, so you will want `baritone
Any official release will be GPG signed by leijurv (44A3EA646EADAC6A) and ZeroMemes (73A788379A197567). Please verify that the hash of the file you download is in `checksums.txt` and that `checksums_signed.asc` is a valid signature by those two public keys of `checksums.txt`.
The build for `baritone-unoptimized-X.Y.Z.jar` is deterministic, and you can verify Travis did it properly by running `scripts/build.sh` yourself and comparing the shasum. The proguarded files (api and standalone) aren't yet reproducible, because proguard annoyingly includes the current timestamp into the final jar.
The build is deterministic, and you can verify Travis did it properly by running `docker build -t cabaletta/baritone. && docker run --rm -it cabaletta/baritone sh scripts/build.sh` yourself and comparing the shasum. Note that for some godawful reason this doesn't work on Mac, the shasums are different even though docker is supposed to work the same everywhere. I get the same shasums as Travis when the host is Linux though.
### Building Baritone yourself
There are a few steps to this