Reproducible builds bug reported to Rust compiler as https://github.com/rust-lang/rust/issues/97955

Jelle van der Waa jelle at vdwaa.nl
Sat Jun 11 09:39:53 UTC 2022


Hey,

On 10/06/2022 19:55, Richard Purdie wrote:
> On Fri, 2022-06-10 at 13:52 -0400, David A. Wheeler wrote:
>> All, FYI:
>>
>> The current LLVM-based Rust compiler generates builds that
>> aren't (easily) reproducible, at least in part because full paths
>> to the source code are in the panic and debug strings recorded in
>> the generated executable. I was made aware of this via bunnie's
>> "Rust: A Critical Retrospective" <https://www.bunniestudios.com/blog/?p=6375>.

Yes, this is the case if you share a debug build with someone. I'd say
this is not that bad. GCC by default also suffers from this issue, just
make any debug build and the path will be included:

[jelle at t14s][/tmp/dontincludethisdir]%gcc -lhidapi-hidraw -I/usr/include/hidapi -ggdb ../foo.c -o test
[jelle at t14s][/tmp/dontincludethisdir]%strings test| grep dontincl
/tmp/dontincludethisdir

In practice you want to reproduce production release builds, which
strip this information.

>> I've filed this as a bug report to the Rust compiler developers:
>> https://github.com/rust-lang/rust/issues/97955
>>
>> Filing a bug report is obviously not the same as getting it fixed.
>> But filing a bug report to the right place *is* a good first step.
>> If you know of other build tools where this is a problem, I encourage
>> filing bug reports with them too.
> 
> Interestingly we haven't seen that in Yocto Project and we do have some
> rust libraries in our system. That suggests it can be done through
> configuration somehow...

On Arch Linux, Rust packages are reproducible as they all use the same
build env and directory. So in practice I think this issue is less
impactful than how it sounds in the blog post.

Examples of reproduced packages on Arch Linux:

alacritty: https://reproducible.archlinux.org/api/v0/builds/283483/log
cargo-edit: https://reproducible.archlinux.org/api/v0/builds/271622/log

Greetings,

Jelle van der Waa
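
The `strings | grep` check from the message above, extended to classify two builds of the same source made in different directories. This is an added example, not part of the original post; the function names and the sample artifacts are constructed for illustration.

```python
import re

# Runs of printable ASCII, the same thing `strings` prints (default minimum 4 bytes).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def path_leaks(artifact: bytes, build_dir: str) -> list:
    """Return every embedded string that mentions build_dir (strings | grep)."""
    needle = build_dir.encode()
    return sorted({m.group().decode()
                   for m in PRINTABLE_RUN.finditer(artifact)
                   if needle in m.group()})


def compare_builds(a: bytes, dir_a: str, b: bytes, dir_b: str) -> str:
    """Classify two builds of the same source made in dir_a and dir_b."""
    if a == b:
        return "reproducible"
    if path_leaks(a, dir_a) or path_leaks(b, dir_b):
        return "differs, build path embedded"
    return "differs, cause is not the build path"


def fake_artifact(build_dir: str, debug: bool) -> bytes:
    """Constructed stand-in for a compiled binary (not real compiler output)."""
    blob = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"hello, world\x00"
    if debug:
        # Debug info and panic locations carry the absolute source path.
        blob += build_dir.encode() + b"/src/main.rs\x00"
    return blob


if __name__ == "__main__":
    dir_a, dir_b = "/tmp/builder-a", "/tmp/builder-b"  # constructed paths
    for debug in (True, False):
        a, b = fake_artifact(dir_a, debug), fake_artifact(dir_b, debug)
        print("debug" if debug else "stripped", "->",
              compare_builds(a, dir_a, b, dir_b), path_leaks(a, dir_a))
    # Same directory on both builders, as in a fixed build environment.
    print("same dir ->", compare_builds(fake_artifact(dir_a, True), dir_a,
                                        fake_artifact(dir_a, True), dir_a))
```

The same functions work on real artifacts by passing the bytes read from each file together with the directory each one was built in.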