Why are checksums different for the exact same package from "latest" and "quarterly"?

I'm wondering why the checksums for exactly the same package for "latest" and "quarterly" are different.

For example, these two are from "latest" of "FreeBSD:14:amd64":

Code:
{"name":"bhyve-firmware","origin":"sysutils/bhyve-firmware","version":"1.0_2","comment":"Collection of Firmware for bhyve","maintainer":"fabian.freyer@physik.tu-berlin.de","www":"https://wiki.freebsd.org/bhyve/UEFI","abi":"FreeBSD:14:*","arch":"freebsd:14:*","prefix":"/usr/local","sum":"ff2e7b01474aa75f3481c9a63678db8644cfa31a29ef858d16783ab7338a37d7","flatsize":243,"path":"All/bhyve-firmware-1.0_2.pkg","repopath":"All/bhyve-firmware-1.0_2.pkg","licenselogic":"single","licenses":["NA"],"pkgsize":939,"desc":"A collection of firmware for bhyve.","deps":{"edk2-bhyve":{"origin":"sysutils/edk2","version":"g202308_4"}},"categories":["sysutils"],"annotations":{"build_timestamp":"2024-05-21T07:34:19+0000","ports_top_git_hash":"a40e26254","ports_top_checkout_unclean":"no","port_git_hash":"a40e26254","port_checkout_unclean":"no","built_by":"poudriere-git-3.4.1-30-g79e3edcd"}}

{"name":"edk2-bhyve","origin":"sysutils/edk2","version":"g202308_4","comment":"EDK2 Firmware for bhyve","maintainer":"uboot@FreeBSD.org","www":"https://github.com/tianocore/edk2/ReadMe.rst","abi":"FreeBSD:14:amd64","arch":"freebsd:14:x86:64","prefix":"/usr/local","sum":"5a43070b7ea17f4e0f1211bf89e121db847fcc6b2ad59915f12284ce421ffdfa","flatsize":7848802,"path":"All/edk2-bhyve-g202308_4.pkg","repopath":"All/edk2-bhyve-g202308_4.pkg","licenselogic":"single","licenses":["BSD3CLAUSE"],"pkgsize":1442240,"desc":"EDK II Project\n\nA modern, feature-rich, cross-platform firmware development environment for the\nUEFI and PI specifications from www.uefi.org.","categories":["sysutils"],"annotations":{"build_timestamp":"2024-05-21T07:13:53+0000","ports_top_git_hash":"a40e26254","ports_top_checkout_unclean":"no","port_git_hash":"a40e26254","port_checkout_unclean":"no","built_by":"poudriere-git-3.4.1-30-g79e3edcd","cpe":"cpe:2.3:a:tianocore:edk2:g202308:::::freebsd14:x64:4","flavor":"bhyve","FreeBSD_version":"1400097"}}

And, these two are from "quarterly" of the same "FreeBSD:14:amd64":

Code:
{"name":"bhyve-firmware","origin":"sysutils/bhyve-firmware","version":"1.0_2","comment":"Collection of Firmware for bhyve","maintainer":"fabian.freyer@physik.tu-berlin.de","www":"https://wiki.freebsd.org/bhyve/UEFI","abi":"FreeBSD:14:*","arch":"freebsd:14:*","prefix":"/usr/local","sum":"38b3b74d3f464804abfb3810bf2decf1ce4eaccefa93aa0ed8393f75772f2975","flatsize":243,"path":"All/bhyve-firmware-1.0_2.pkg","repopath":"All/bhyve-firmware-1.0_2.pkg","licenselogic":"single","licenses":["NA"],"pkgsize":947,"desc":"A collection of firmware for bhyve.","deps":{"edk2-bhyve":{"origin":"sysutils/edk2","version":"g202308_4"}},"categories":["sysutils"],"annotations":{"build_timestamp":"2024-04-09T07:40:49+0000","ports_top_git_hash":"c5cd82114","ports_top_checkout_unclean":"no","port_git_hash":"b3aa1ea86","port_checkout_unclean":"no","built_by":"poudriere-git-3.4.1-1-g1e9f97d6"}}

{"name":"edk2-bhyve","origin":"sysutils/edk2","version":"g202308_4","comment":"EDK2 Firmware for bhyve","maintainer":"uboot@FreeBSD.org","www":"https://github.com/tianocore/edk2/ReadMe.rst","abi":"FreeBSD:14:amd64","arch":"freebsd:14:x86:64","prefix":"/usr/local","sum":"5e81c71982da8e0dece6d9943f72a71bc3482a7c4dd212abd9b06af174645524","flatsize":7848802,"path":"All/edk2-bhyve-g202308_4.pkg","repopath":"All/edk2-bhyve-g202308_4.pkg","licenselogic":"single","licenses":["BSD3CLAUSE"],"pkgsize":1442298,"desc":"EDK II Project\n\nA modern, feature-rich, cross-platform firmware development environment for the\nUEFI and PI specifications from www.uefi.org.","categories":["sysutils"],"annotations":{"build_timestamp":"2024-04-09T07:22:43+0000","ports_top_git_hash":"c5cd82114","ports_top_checkout_unclean":"no","port_git_hash":"b3aa1ea86","port_checkout_unclean":"no","built_by":"poudriere-git-3.4.1-1-g1e9f97d6","cpe":"cpe:2.3:a:tianocore:edk2:g202308:::::freebsd14:x64:4","flavor":"bhyve","FreeBSD_version":"1400097"}}


I presume "bhyve-firmware-1.0_2.pkg" and "edk2-bhyve-g202308_4.pkg" have exactly the same content, as the "flatsize" values are the same for both "latest" and "quarterly", 243 and 7848802 respectively.

The differences in checksums:
bhyve-firmware-1.0_2.pkg, latest: ff2e7b01474aa75f3481c9a63678db8644cfa31a29ef858d16783ab7338a37d7
edk2-bhyve-g202308_4.pkg, latest: 5a43070b7ea17f4e0f1211bf89e121db847fcc6b2ad59915f12284ce421ffdfa

bhyve-firmware-1.0_2.pkg, quarterly: 38b3b74d3f464804abfb3810bf2decf1ce4eaccefa93aa0ed8393f75772f2975
edk2-bhyve-g202308_4.pkg, quarterly: 5e81c71982da8e0dece6d9943f72a71bc3482a7c4dd212abd9b06af174645524

Does anyone know why?
 
Guessing here, take with a grain of salt.
Quarterly packages are built against things in quarterly.
Latest packages are built against things in latest.

A single package may be the same source between the two, but they are built against different dependencies, they are built at physically different times, they may have different config options.

Those are possible reasons I can think of why they would checksum different.
 
The +MANIFEST file within the package archive contains a "build_timestamp" of the build time. I'm pretty sure they're not built at exactly the same time. The "port_git_hash" would be different too. I'm sure there are a couple of others that will be different but these two were the most obvious. If the +MANIFEST isn't exactly the same the hash of the entire package will change.
 
Packages are tar(1) compressed archives. You can untar them and check it yourself. There's a +COMPACT_MANIFEST file too, it only has a couple of the variables from +MANIFEST. The thing to note here is that their contents are slightly different between the two packages, even if the binaries themselves are the same. Small changes to the content can lead to big changes in the hash, because that's the nature of a hash.
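The point made in the replies above, as an added example that is not part of the original thread: two archives with byte-identical payload files but different +MANIFEST annotations get different whole-archive SHA-256 sums. The archive is a simplified stand-in (an uncompressed tar built in memory), the payload path and bytes are constructed, and the annotation values are the bhyve-firmware ones quoted in the question.

```python
import hashlib, io, json, tarfile

def build_pkg(manifest, files):
    """Simplified package: in-memory tar holding +MANIFEST plus payload files."""
    buf = io.BytesIO()
    members = {"+MANIFEST": json.dumps(manifest, sort_keys=True).encode(), **files}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)  # mtime/uid/gid default to 0: deterministic
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def payload_digests(pkg):
    """Per-file SHA-256 of everything except the '+'-prefixed metadata members."""
    with tarfile.open(fileobj=io.BytesIO(pkg)) as tar:
        return {m.name: sha256(tar.extractfile(m).read())
                for m in tar if m.isfile() and not m.name.startswith("+")}

def flat_manifest(pkg):
    """Read +MANIFEST and flatten nested keys to dotted names."""
    def flatten(d, prefix=""):
        out = {}
        for k, v in d.items():
            out.update(flatten(v, prefix + k + ".") if isinstance(v, dict) else {prefix + k: v})
        return out
    with tarfile.open(fileobj=io.BytesIO(pkg)) as tar:
        return flatten(json.load(tar.extractfile("+MANIFEST")))

def compare(a, b):
    """Separate 'archive bytes differ' from 'installed files differ'."""
    ma, mb = flat_manifest(a), flat_manifest(b)
    return {"archive_equal": sha256(a) == sha256(b),
            "payload_equal": payload_digests(a) == payload_digests(b),
            "manifest_diff": sorted(k for k in ma.keys() | mb.keys() if ma.get(k) != mb.get(k))}

# Payload path and bytes are constructed; annotation values are from the thread.
PAYLOAD = {"usr/local/share/example/firmware.bin": b"\x00constructed payload\x00" * 64}
BASE = {"name": "bhyve-firmware", "origin": "sysutils/bhyve-firmware", "version": "1.0_2"}
LATEST = build_pkg({**BASE, "annotations": {
    "build_timestamp": "2024-05-21T07:34:19+0000", "port_git_hash": "a40e26254",
    "ports_top_git_hash": "a40e26254", "built_by": "poudriere-git-3.4.1-30-g79e3edcd"}}, PAYLOAD)
QUARTERLY = build_pkg({**BASE, "annotations": {
    "build_timestamp": "2024-04-09T07:40:49+0000", "port_git_hash": "b3aa1ea86",
    "ports_top_git_hash": "c5cd82114", "built_by": "poudriere-git-3.4.1-1-g1e9f97d6"}}, PAYLOAD)

if __name__ == "__main__":
    print(json.dumps(compare(LATEST, QUARTERLY), indent=2))
```

The same split applies when checking real packages: the repository "sum" covers the whole archive, so equality of the installed files has to be judged from per-file digests, not from that value.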
 