Reproducible Builds #156

Closed
tri-adam opened this issue Sep 28, 2021 · 0 comments · Fixed by #157
Labels
v2 Affects v2 API

Comments

@tri-adam
Member

Reproducible builds are important as they provide an independently-verifiable path from source to binary code (ref).

The goreleaser configuration follows some of the recommendations for reproducible builds available here. We do not currently make use of the -trimpath flag, though arguably formal releases are always built by continuous integration, and thus use a consistent directory structure.

On the other hand the mage build is not currently reproducible, as demonstrated by running the build twice from the same commit:

$ mage install
$ sha256sum ~/go/bin/siftool 
d959a6f5bc4e17353df582ce60b5ae5cb2a50a85210c9e6f061a25774c54c348  /home/adam/go/bin/siftool
$ mage install
$ sha256sum ~/go/bin/siftool 
f6a1b211003de62897ebc0fb476694945a81b9bdfa31d027670caaf96047a200  /home/adam/go/bin/siftool

I think it might make sense to make the siftool build reproducible, and unify the build flags used between goreleaser and mage.

@tri-adam tri-adam added the v2 Affects v2 API label Sep 28, 2021
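
An added example, not code from this issue or from the project: one way a Go build helper (such as a mage target) can pass `go build` arguments that depend only on the source revision. It assumes, without confirmation from the issue, that an embedded build time is among the inputs that vary between runs; the `main.version`, `main.commit` and `main.date` variable names, the sample version, commit and timestamp values, and the package path are hypothetical placeholders.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// buildDate returns the timestamp to embed in the binary. It honours
// SOURCE_DATE_EPOCH (the reproducible-builds.org convention) and otherwise
// uses the commit time supplied by the caller, never time.Now().
func buildDate(epochEnv string, commitTime time.Time) (time.Time, error) {
	if epochEnv == "" {
		return commitTime.UTC(), nil
	}
	secs, err := strconv.ParseInt(epochEnv, 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("invalid SOURCE_DATE_EPOCH %q: %w", epochEnv, err)
	}
	return time.Unix(secs, 0).UTC(), nil
}

// buildArgs assembles `go build` arguments: -trimpath drops local directory
// names, -buildid= clears the linker build ID, and every -X value is a
// function of the revision. The main.* variable names are hypothetical.
func buildArgs(version, commit string, date time.Time, out, pkg string) []string {
	ldflags := []string{
		"-s", "-w",
		"-buildid=",
		"-X main.version=" + version,
		"-X main.commit=" + commit,
		"-X main.date=" + date.Format(time.RFC3339),
	}
	return []string{"build", "-trimpath", "-ldflags", strings.Join(ldflags, " "), "-o", out, pkg}
}

func main() {
	// Constructed sample values; a real target would read them from git.
	commitTime := time.Unix(1632787200, 0)
	date, err := buildDate(os.Getenv("SOURCE_DATE_EPOCH"), commitTime)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("go", strings.Join(buildArgs("v0.0.0-sample", "0000000", date, "siftool", "./path/to/pkg"), " "))
}
```

Running the resulting build twice from the same commit and comparing the `sha256sum` output, as in the issue, is the check that the arguments had the intended effect.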