hyperboria / bugs

Peer-to-peer IPv6 networking, secure and near-zero-conf.

Reproducible builds #170

Closed kpcyrd closed 6 years ago

kpcyrd commented 6 years ago

Arch Linux is testing all packages to determine if it's possible to reproduce the binary packages; this is needed so external entities can rebuild the package to confirm the binary hasn't been tampered with during the build.

The tests for cjdns are currently failing. I've prepared a reduced testbed that builds cjdroute from scratch twice and compares the binary:

reprotest -vv --host-distro="arch" --vary=-all --store-dir=artifacts/ 'node ./node_build/make.js' cjdroute

The resulting binaries are currently very different (even with disabled variations). I know some places that cause non-determinism, but I'd appreciate some more eyes on this.

kpcyrd commented 6 years ago

Using the current crashey:

#!/bin/sh
VARY="+all,-domain_host,-kernel,-build_path"
reprotest -vv --vary="$VARY" \
    --source-pattern '.git admin benc client contrib crypto dht doc exception interface io memory net node_build node_modules subnode switch test tools tunnel util wire' \
    'SOURCE_DATE_EPOCH=`git show -s --format=%ct` node ./node_build/make.js' \
    cjdroute

reports

[...]
Build completed successfully, type ./cjdroute to begin setup.
Total build time: 36795ms.
INFO:reprotest:build successful, copying artifacts
INFO:reprotest:copying /tmp/reprotest.JgLvhx/artifacts-experiment-1/ back from virtual server's /tmp/tmp5syw9dbt/experiment-1
INFO:reprotest:Running diffoscope: ['diffoscope', '--exclude-directory-metadata', '/tmp/tmp5syw9dbt/control', '/tmp/tmp5syw9dbt/experiment-1']
 |#################################################################################################################################################################################################################################|  100%  None  Time: -1 day, 22:00:01 
INFO:reprotest:No differences between /tmp/tmp5syw9dbt/control, /tmp/tmp5syw9dbt/experiment-1
=======================
Reproduction successful
=======================
No differences in ./cjdroute
d416e41c7a3e21e1336bc389429a773c52ca8af3782610290defaf55fc870e4c  ./cjdroute
However, other factors may still make the build unreproducible; try re-running with --vary=+all.

I'm going to wait for the next release to check if this is going to satisfy the tests.reproducible-builds.org build.
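The build-twice-and-compare check that the reprotest run above performs, reduced to a shell sketch; this is an added example, not part of the original comments and not cjdns or reprotest code. `toy_build`, `sha256_of`, `rebuild_and_compare` and the epoch value are assumptions made for illustration; the toy build stands in for a real build step that embeds a timestamp.

```sh
#!/bin/sh
# Constructed stand-in for a build step (not the cjdns build): it stamps its
# output with a build time and honours SOURCE_DATE_EPOCH when that is set.
toy_build() {
    stamp=${SOURCE_DATE_EPOCH:-$(date +%s)}
    printf 'toy-artifact\nbuilt-at=%s\n' "$stamp" > artifact
}

sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Usage: rebuild_and_compare ARTIFACT BUILD_CMD [ARGS...]
# Runs the build in two fresh directories with a different timezone, umask
# and clock reading, then compares the SHA-256 of ARTIFACT.
# Prints "reproducible HASH" (status 0) or "unreproducible HASH1 HASH2" (status 1).
rebuild_and_compare() {
    artifact=$1; shift
    work=$(mktemp -d) || return 2
    mkdir "$work/control" "$work/experiment"
    ( cd "$work/control" && export TZ=UTC && "$@" ) \
        || { rm -rf "$work"; return 2; }
    sleep 1   # guarantee the wall clock differs between the two builds
    ( cd "$work/experiment" && umask 027 && export TZ=Asia/Tokyo && "$@" ) \
        || { rm -rf "$work"; return 2; }
    h1=$(sha256_of "$work/control/$artifact")
    h2=$(sha256_of "$work/experiment/$artifact")
    rm -rf "$work"
    if [ "$h1" = "$h2" ]; then
        echo "reproducible $h1"
    else
        echo "unreproducible $h1 $h2"
        return 1
    fi
}

# Demo: the first run reads the wall clock and differs between builds.
( unset SOURCE_DATE_EPOCH; rebuild_and_compare artifact toy_build ) || true
# The second pins the timestamp; the constructed value stands in for the
# commit time that `git show -s --format=%ct` supplies in the comment above.
( SOURCE_DATE_EPOCH=1500000000; export SOURCE_DATE_EPOCH
  rebuild_and_compare artifact toy_build )
```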

kpcyrd commented 6 years ago

We've successfully passed the reproducible-builds.org test:

reproducible