[Nix-dev] Deterministic(bit-perfect) Builds

phreedom at yandex.ru
Tue Jun 25 11:43:26 CEST 2013


In a message dated Tuesday, 25 June 2013 10:57:06, Vladimír Čunát wrote:
> On 06/25/2013 10:45 AM, phreedom at yandex.ru wrote:
> > This is what I have achieved so far:
> Sounds nice.
> 
> Wouldn't it be more certain/universal to LD_PRELOAD or something to
> achieve that the system time always looks the same to any build-time
> tool? (e.g. UNIX time =0)

This is a bit platform-specific and there may be other gotchas like getting the 
mtime using stat instead of querying system time. Other impurities in static 
libs are uid/gid of the file.

But sanitizing build inputs in general is a very interesting topic which has 
practical applications and deserves a separate discussion.

> > Unstripped binaries: may be contaminated by "build-id". Can be avoided
> > either by passing ld --build-id=none param or careful stripping. Needs
> > testing. Luckily this is a very small subset of packages.
> 
> I looked at "man ld" and I think we rather want --build-id=sha1 as it's
> explicitly stated that the ID is uniquely determined by the output.

I haven't checked for sure but vandenoever's tests seem to indicate that the 
default build id is in fact sha1 and it depends on the build dir :(
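As an added illustration, not part of the original thread, of the mtime/uid/gid impurities in static libraries mentioned above: a small Python audit that walks the member headers of an `ar` archive, reports every field that would vary between builds, and zeroes them the way GNU `ar`'s deterministic mode (`-D`) does. The archive is constructed in memory; member names and contents are made up.

```python
import struct

AR_MAGIC = b"!<arch>\n"
# System V ar member header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
HDR_FMT = "16s12s6s6s8s10s2s"

def build_ar(members):
    """Assemble a minimal ar archive from (name, mtime, uid, gid, data) tuples.
    Constructed only so the audit below has something to run on."""
    out = bytearray(AR_MAGIC)
    for name, mtime, uid, gid, data in members:
        out += struct.pack(HDR_FMT,
                           (name + "/").ljust(16).encode(), str(mtime).ljust(12).encode(),
                           str(uid).ljust(6).encode(), str(gid).ljust(6).encode(),
                           b"100644".ljust(8), str(len(data)).ljust(10).encode(), b"`\n")
        out += data + (b"\n" if len(data) % 2 else b"")  # members are padded to even size
    return bytes(out)

def _field(raw):
    return int(raw.decode().strip() or 0)

def audit_ar(blob):
    """Return (member, field, value) for every nonzero mtime/uid/gid: each one
    makes the archive depend on who built it and when, not on the inputs."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    findings, off = [], len(AR_MAGIC)
    while off + 60 <= len(blob):
        name, mtime, uid, gid, _mode, size, fmag = struct.unpack(HDR_FMT, blob[off:off + 60])
        if fmag != b"`\n":
            raise ValueError("corrupt member header at offset %d" % off)
        member = name.decode().rstrip().rstrip("/")
        for field, raw in (("mtime", mtime), ("uid", uid), ("gid", gid)):
            if _field(raw) != 0:
                findings.append((member, field, _field(raw)))
        n = _field(size)
        off += 60 + n + (n % 2)
    return findings

def normalize_ar(blob):
    """Rewrite mtime/uid/gid of every member to 0, mirroring `ar -D`."""
    out, off = bytearray(blob), len(AR_MAGIC)
    while off + 60 <= len(out):
        n = _field(bytes(out[off + 48:off + 58]))          # size field
        out[off + 16:off + 40] = b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
        off += 60 + n + (n % 2)
    return bytes(out)

# Constructed sample: the same two objects archived by two different users at two times.
BUILD_A = build_ar([("foo.o", 1372153406, 1000, 100, b"obj-one"), ("bar.o", 1372153407, 1000, 100, b"obj-two!!")])
BUILD_B = build_ar([("foo.o", 1372239806, 1001, 101, b"obj-one"), ("bar.o", 1372239807, 1001, 101, b"obj-two!!")])
```

`BUILD_A` and `BUILD_B` differ byte-for-byte until normalized, after which they are identical and `audit_ar` reports nothing.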
