Reproducible builds bug reported to Rust compiler as

Jelle van der Waa jelle at
Sat Jun 11 09:39:53 UTC 2022


On 10/06/2022 19:55, Richard Purdie wrote:
> On Fri, 2022-06-10 at 13:52 -0400, David A. Wheeler wrote:
>> All, FYI:
>> The current LLVM-based Rust compiler generates builds that
>> aren't (easily) reproducible, at least in part because full paths
>> to the source code are in the panic and debug strings recorded in
>> the generated executable. I was made aware of this via bunny's
>> "Rust: A Critical Retrospective" <>.

Yes, this is the case if you share a debug build with someone. I'd say
this is not that bad. GCC by default also suffers from this issue, just
make any debug build and the path will be included:

[jelle at t14s][/tmp/dontincludethisdir]%gcc -lhidapi-hidraw -I/usr/include/hidapi -ggdb ../foo.c -o test
[jelle at t14s][/tmp/dontincludethisdir]%strings test| grep dontincl

In practice you want to reproduce production release builds, which
strip this information.

>> I've filed this as a bug report to the Rust compiler developers:
>> Filing a bug report is obviously not the same as getting it fixed.
>> But filing a bug report to the right place *is* a good first step.
>> If you know of other build tools where this is a problem, I encourage
>> filing bug reports with them too.
> Interestingly we haven't seen that in Yocto Project and we do have some
> rust libraries in our system. That suggests it can be done through
> configuration somehow...

On Arch Linux, Rust packages are reproducible as they all use the same
build env and directory. So in practice I think this issue is less
impactful than how it sounds in the blog post.

Example of reproduced packages on Arch Linux



Jelle van der Waa

More information about the rb-general mailing list