matricks / bam

Bam is a fast and flexible build system. Bam uses Lua to describe the build process. It takes its inspiration for the script files from scons. While scons focuses on being 100% correct when building, bam makes a few sacrifices to acquire fast full and incremental build times.
http://matricks.github.com/bam

Make build reproducible #65

Closed debfx closed 8 years ago

debfx commented 9 years ago

bam uses the C macros __DATE__ and __TIME__. This makes it impossible to create reproducible (bitwise identical) binaries.

In src/cache.c, would it be enough to use BAM_VERSION_STRING_COMPLETE instead for the cache file header?

matricks commented 9 years ago

The version string isn't sufficient as then you can move cache-file between systems, need to check pointer size, endianness etc as well. The cache file should be bound to the executable and that's why I used the __DATE__ and __TIME__ macros. Helps during development if you do changes as well.

Is there a problem that you can't compile identical executables?

On 2015-04-26 18:36, Felix Geyer wrote:

bam uses the C macros __DATE__ and __TIME__. This makes it impossible to create reproducible (bitwise identical) binaries.

In src/cache.c, would it be enough to use BAM_VERSION_STRING_COMPLETE instead for the cache file header?


debfx commented 9 years ago

The idea is to be able to verify that a particular binary is really built from the source code. See https://wiki.debian.org/ReproducibleBuilds/About#Why_do_we_want_reproducible_builds.3F

To achieve that you can't store build timestamps in the binary. That will result in a different binary for every build.

matricks commented 9 years ago

Fair point. I'll look into it.

On 2015-04-27 20:49, Felix Geyer wrote:

The idea is to be able to verify that a particular binary is really built from the source code. See https://wiki.debian.org/ReproducibleBuilds/About#Why_do_we_want_reproducible_builds.3F

To achieve that you can't store build timestamps in the binary. That will result in a different binary for every build.

matricks commented 8 years ago

This should be fixed with 0.5.0.
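
Added example, not part of the thread and not bam's code: one way to bind a cache file header to the properties raised above (version string, pointer size, endianness) without __DATE__ or __TIME__, so that two builds of the same source emit identical header bytes. The struct layout, the "BAMC" magic, the function names and the placeholder version value are assumptions made for illustration; the thread does not say how 0.5.0 addressed this.

```c
#include <stdint.h>
#include <string.h>

/* The page names this macro but not its value; placeholder for the example. */
#ifndef BAM_VERSION_STRING_COMPLETE
#define BAM_VERSION_STRING_COMPLETE "bam 0.0.0-example"
#endif

#define ORDER_PROBE 0x01020304u

/* Hypothetical header layout, not bam's actual cache file format. */
struct cache_header {
    char     magic[4];      /* constructed magic value "BAMC" */
    uint8_t  pointer_size;  /* sizeof(void *) of the build that wrote the file */
    uint8_t  pad[3];        /* explicit padding, always zero */
    uint32_t order_probe;   /* stored in the writer's native byte order */
    char     version[48];   /* NUL-padded version string */
};

/* Fill the header from build properties only: no __DATE__ or __TIME__. */
void cache_header_init(struct cache_header *h)
{
    memset(h, 0, sizeof *h);  /* zero every byte so the output is deterministic */
    memcpy(h->magic, "BAMC", 4);
    h->pointer_size = (uint8_t)sizeof(void *);
    h->order_probe = ORDER_PROBE;
    strncpy(h->version, BAM_VERSION_STRING_COMPLETE, sizeof h->version - 1);
}

/* Return 1 if a header read from disk was written by a compatible build.
 * A file from a build with another pointer size, byte order or version
 * differs in at least one byte and is rejected. */
int cache_header_matches(const struct cache_header *on_disk)
{
    struct cache_header expected;
    cache_header_init(&expected);
    return memcmp(on_disk, &expected, sizeof expected) == 0;
}
```

Unlike a timestamp, this header does not change when a developer rebuilds after editing the cache code without bumping the version string, which is the development convenience matricks mentions above.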