Reproducible builds bug reported to Rust compiler as https://github.com/rust-lang/rust/issues/97955
Jelle van der Waa
jelle at vdwaa.nl
Sat Jun 11 09:39:53 UTC 2022
On 10/06/2022 19:55, Richard Purdie wrote:
> On Fri, 2022-06-10 at 13:52 -0400, David A. Wheeler wrote:
>> All, FYI:
>> The current LLVM-based Rust compiler generates builds that
>> aren't (easily) reproducible, at least in part because full paths
> >> to the source code are in the panic and debug strings recorded in
> >> the generated executable. I was made aware of this via bunnie's
>> "Rust: A Critical Retrospective" <https://www.bunniestudios.com/blog/?p=6375>.
Yes, this is the case if you share a debug build with someone. I'd say
this is not that bad. GCC by default also suffers from this issue, just
make any debug build and the path will be included:
[jelle at t14s][/tmp/dontincludethisdir]%gcc -lhidapi-hidraw -I/usr/include/hidapi -ggdb ../foo.c -o test
[jelle at t14s][/tmp/dontincludethisdir]%strings test| grep dontincl
In practice you want to reproduce production release builds, which
strip this information.
>> I've filed this as a bug report to the Rust compiler developers:
>> Filing a bug report is obviously not the same as getting it fixed.
>> But filing a bug report to the right place *is* a good first step.
>> If you know of other build tools where this is a problem, I encourage
>> filing bug reports with them too.
> Interestingly we haven't seen that in Yocto Project and we do have some
> rust libraries in our system. That suggests it can be done through
> configuration somehow...
On Arch Linux Rust packages are reproducible as they all use the same
build env and directory. So in practice I think this issue is less
impactful than how it sounds in the blog post.
Example of reproduced packages on Arch Linux
Jelle van der Waa
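
The `strings test | grep dontincl` check from the message above, generalised into a release gate that reports which artifacts still carry a build directory and at what offset. This is an added example, not code from the thread or from any project mentioned in it; the function names and the sample blobs are constructed for illustration.

```python
from __future__ import annotations

import re

# Printable-ASCII runs of at least 4 bytes, the same default as strings(1).
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def find_embedded_paths(blob: bytes, build_dirs: list[str]) -> list[tuple[int, str]]:
    """Return (offset, string) for every printable run containing a build dir."""
    # Drop trailing slashes; skip entries that would become an empty needle.
    needles = [d.rstrip("/").encode() for d in build_dirs if d.rstrip("/")]
    hits = []
    for m in _PRINTABLE_RUN.finditer(blob):
        if any(n in m.group() for n in needles):
            hits.append((m.start(), m.group().decode("ascii")))
    return hits


def gate(artifacts: dict[str, bytes], build_dirs: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Map artifact name -> hits, keeping only artifacts that leak a path."""
    report = {}
    for name, blob in artifacts.items():
        hits = find_embedded_paths(blob, build_dirs)
        if hits:
            report[name] = hits
    return report


# Constructed sample data (not real compiler output): a debug-style blob that
# carries the build directory once on its own and once as the prefix of a
# source-file path, and a release-style blob with neither.
BUILD_DIR = "/tmp/dontincludethisdir"
DEBUG_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"GNU C17 -ggdb\x00../foo.c\x00" + BUILD_DIR.encode() + b"\x00"
    + b"\x01\x02" + BUILD_DIR.encode() + b"/src/main.rs\x00\x00"
)
RELEASE_BLOB = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"main\x00puts\x00"

if __name__ == "__main__":
    samples = {"test-debug": DEBUG_BLOB, "test-release": RELEASE_BLOB}
    for name, hits in gate(samples, [BUILD_DIR]).items():
        for offset, text in hits:
            print(f"{name}: offset {offset:#x}: {text}")
```

Like `strings | grep`, a plain byte scan does not see paths inside compressed debug sections, so an empty result on such a file is not proof that the path is absent.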