fidencio
commented
1 year ago We must consider pinning a version of llvm, llvm-ar, and nasm as well.
One possible way to do so is providing a container image, which could be updated on every change of some parts of the project*, and also provide this container image as part of the tagging process.
Changes to track:
- Cargo.toml
- Cargo.lock
- Toolchain
This process could be fully automated via GitHub actions, as we already do something similar for Kata Containers, and users would be able to use this whenever they "recreate" the build.
jyao1
dimakuv
Hi I would like to discuss td-shim release tagging process.
[Background & requirement] Ideally, we need to support reproducible build for td-shim. It means: For a release image + same build environment (compiler + toolchain), we can reproduce same binary at any time and on any system.
Reference: https://github.com/confidential-containers/td-shim/issues/256
[Problem] Currently, we do have release tag - which indicates the source code version of td-shim. But we do not have cargo.lock - that means: Even with same source code, we might not be able to reproduce same binary, because the dependency crate might be upgraded. That breaks the rule.
Reference: https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
Cargo.lock can be used to lock the version. However, we do want to keep using the latest crate to bug fix, or security fix. We may consider putting Cargo.lock for the project, if we treat Td-Shim as an end project. But if we want to treat Td-Payload as an end project, the locking td-shim is not a good idea.
Reference: https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries
[Possible Solution] When we create a release for td-shim, we also create the release specific cargo.lock. That can deterministically reproduce the same release image.