crypto-com / thaler

Thaler Experimental Network; For Crypto.org Chain: github.com/crypto-org-chain/chain-main
https://thaler-testnet.crypto.com

Problem: no reproducible builds #758

Open landanhu opened 4 years ago

landanhu commented 4 years ago

https://github.com/NixOS/nixpkgs/blob/master/doc/languages-frameworks/rust.section.md

https://www.hadean.com/blog/managing-rust-dependencies-with-nix-part-i

tomtau commented 4 years ago

Another option is https://gitian.org

tomtau commented 4 years ago

https://users.rust-lang.org/t/testing-out-reproducible-builds/9758

yihuang commented 4 years ago

I think there are two issues at hand here:

tomtau commented 4 years ago

> deterministic build dependencies, I think this one is a non-issue with Cargo.lock and docker build, no need to resort to nix?

There's still more to that:

  1. not sure if any of the Rust dependencies do something funky non-deterministic in their build.rs (especially if they are "*-sys" crates where they build some non-Rust code)
  2. external Git dependencies should be vendored-in and maintained, as the current setup makes it non-reproducible: e.g. just now https://github.com/crypto-com/chain/issues/1030 as external repos may be deleted, force-pushed etc.
  3. docker image itself may be non-deterministic (e.g. with "apt update")

Anyway, this issue is complex and perhaps may be labelled as Epic and broken down into all things required for making it happen
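
As an added example (not part of the original thread and not the project's own code), the three risks listed in the last comment can be turned into a first-pass audit over `Cargo.lock` and a Dockerfile. The sample inputs, crate names and URL are constructed, and the `-sys` suffix check is only a heuristic for crates whose `build.rs` compiles non-Rust code.

```python
import re

# Constructed sample inputs (not taken from the thaler repository).
CARGO_LOCK = '''
[[package]]
name = "serde"
version = "1.0.104"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-sys"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-git-dep"
version = "0.1.0"
source = "git+https://example.invalid/org/example-git-dep?branch=master#1111111111111111111111111111111111111111"
'''

DOCKERFILE = '''
FROM rust:latest
RUN apt-get update && apt-get install -y clang
COPY . /src
RUN cargo build --release
'''

def audit_lockfile(text):
    """Flag crates whose build deserves a reproducibility review."""
    findings = []
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, re.M))
        name, source = fields.get("name", "?"), fields.get("source", "")
        if name.endswith("-sys"):        # point 1: build.rs likely builds non-Rust code
            findings.append(("sys-crate", name))
        if source.startswith("git+"):    # point 2: external repo can vanish or be force-pushed
            findings.append(("git-dependency", name))
    return findings

def audit_dockerfile(text):
    """Flag Dockerfile lines whose result depends on when the image is built (point 3)."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if re.match(r"\s*FROM\s+", line, re.I) and "@sha256:" not in line:
            findings.append(("unpinned-base-image", n))   # tag can move; a digest cannot
        if re.search(r"\bapt(-get)?\s+(update|upgrade)\b", line):
            findings.append(("apt-update", n))            # pulls whatever the mirror has today
    return findings

if __name__ == "__main__": print(audit_lockfile(CARGO_LOCK), audit_dockerfile(DOCKERFILE))
```

A clean result does not prove the build is reproducible; confirming that still requires building twice in independent environments and comparing artifact hashes.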