Description
Description of issue or feature request:
I've been working to create a deterministic test fixture generator for PHP-TUF. I've rooted out the apparent sources of most meaningful non-determinism by fixing the clock and using a fixed well of keypairs. However, some of the JSON export appears to have different behavior on different systems.
Shown below is the diff I see when comparing generated data on GitHub Actions (on Python 3.9 with `ubuntu-latest`) versus on my laptop (also Python 3.9 but with Fedora 33). We've pinned all known dependencies using `pipenv`, so I don't think it's that.
This causes a cascading set of differences because other files use hashes of `snapshot.json`.
Could TUF canonicalize even the JSON data that isn't directly signed?
Expected behavior:
Deterministic (ideally canonical) output of JSON that contains the same functional data.
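Added example, not code from PHP-TUF or python-tuf: a small Python encoder that follows the Canonical JSON rules TUF uses for signed metadata (keys sorted, no whitespace, only `\` and `"` escaped in strings, integers only), applied to a constructed snapshot-like payload. It shows that dict insertion order changes the default `json.dumps` output and its SHA-256, while the canonical bytes and hash stay fixed; the payload values are made up for illustration.

```python
import hashlib
import json


def _encode(obj) -> str:
    """Encode one value per the Canonical JSON rules TUF follows (assumed here)."""
    if obj is True:
        return "true"
    if obj is False:
        return "false"
    if obj is None:
        return "null"
    if isinstance(obj, int):  # bool handled above, since bool subclasses int
        return str(obj)
    if isinstance(obj, str):  # only backslash and double quote are escaped
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(_encode(v) for v in obj) + "]"
    if isinstance(obj, dict):
        if not all(isinstance(k, str) for k in obj):
            raise TypeError("canonical JSON object keys must be strings")
        # sorted() on str compares by code point, which matches UTF-8 byte order
        return "{" + ",".join(_encode(k) + ":" + _encode(v) for k, v in sorted(obj.items())) + "}"
    raise TypeError(f"canonical JSON cannot encode {type(obj).__name__}")  # floats included


def canonical_json(obj) -> bytes:
    """Canonical, whitespace-free UTF-8 bytes; same input value -> same bytes."""
    return _encode(obj).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed snapshot-like payloads carrying identical data in different insertion order.
SNAPSHOT_A = {"signed": {"_type": "snapshot", "version": 1,
                         "meta": {"targets.json": {"version": 2}}}, "signatures": []}
SNAPSHOT_B = {"signatures": [], "signed": {"meta": {"targets.json": {"version": 2}},
                                           "version": 1, "_type": "snapshot"}}


def default_dump_matches(a, b) -> bool:
    """Default json.dumps keeps insertion order, so equal data need not give equal text."""
    return json.dumps(a) == json.dumps(b)


def canonical_hash_matches(a, b) -> bool:
    """Canonical bytes are order-independent, so the embedded hash is reproducible."""
    return sha256_hex(canonical_json(a)) == sha256_hex(canonical_json(b))
```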