Tooling for reproducible builds when developing soroban smart contracts

[tamirms]

What problem does your feature solve?

It is not clear how I can do reproducibly build soroban smart contracts. This feature is necessary to have for blockchain explorers which can verify that a soroban smart contract on chain matches a given Rust source code.

While working on https://github.com/stellar/starbridge/pull/102 , I would have liked to have a reproducible build for my bridge contract so that I could check in the contract wasm into the repo (the wasm is necessary for running integration tests) while also having a CI workflow which would ensure that the checked in wasm was consistent with the Rust source code files.

What would you like to see?

https://docs.multiversx.com/developers/reproducible-contract-builds/ suggests offering Docker images which build smart contracts.

What alternatives are there?

I don't know.

[leighmcculloch]

So far I've noticed we appear to get reproducible builds for the most part because we're targeting the wasm platform. I'm not sure if that is happenstance in just the cases I've experienced or if there is any guarantee of this.

Technically proc-macros run on the host platform, and so that's one area where we might get discrepancies, although still unlikely.

I think this is something that we can tackle when the first code verification website/platform is built. Best case the rust compiler gets us this almost for free with wasm builds. Worst case we do as you suggest and everyone builds on a single common Docker image.

@graydon is that a fair assessment do you think?

[tamirms]

@leighmcculloch the wasm I built locally was different from what was built in github actions. I remember using the same version of rust locally as what was installed in the Github action. I will try to reproduce this issue and share more details