How to Add a New Project within Reproducible Builds

Hervé Boutemy hboutemy at apache.org
Tue Nov 15 01:12:14 UTC 2022 

> > It would really have been nice to have you at Reproducible Builds Summit
> > last week in our "language packaging" track: we had many ecosystems, and
> > we saw that we were missing a few ones like .NET. I hope we'll have you
> > next year :)
> Sad we missed this. Definitely would be interested in participating next
> year. I can talk endlessly about all the fun we've had tracking down
> sources of non-determinism in our tooling and all the tools we've invested
> in to make this easy in the compiler. :)

the both interesting and hard sides of Reproducible Builds is that each 
ecosystem deep expertise is different (and there are many ecosystems), but it's 
useful to find common higher level aspects and ways to share them

F2F meetings give an opportunity to do more than what is possible with email


> > Is there some publicly visible documentation on this?
> 
> There are a couple of items we've written about this:
> 
> - This doc describes all of the inputs that contribute to a deterministic
> build. Essentially if these item are the same, then the output should be
> the same.
> https://github.com/dotnet/roslyn/blob/main/docs/compilers/Deterministic%20I
> nputs.md - This describes the history of why the compiler has a
> /deterministic switch vs. always having this behavior (it's on by default
> in .NET SDK)
> https://blog.paranoidcoding.com/2016/04/05/deterministic-builds-in-roslyn.h
> tml
> 
> If there was a different style of doc you're looking for please let me know.

this (with previous answers on scope) is the type of info I was looking for, 
thanks a lot

FYI, I'm working on the JVM side and I put down the summary in
https://reproducible-builds.org/docs/jvm/

Perhaps previous answers would be useful to store in an equivalent .NET page.


> > Does this reproducible builds scenario cover NuGet packages output?
> 
> I believe there are still date issues that cause NuPkg to be
> non-deterministic. The support was added but then removed because it broke
> tools that looked at dates (sigh). This is the issue tracking.
> 
> https://github.com/NuGet/Home/issues/8601

I see: the key question of defining a deterministic timestamp in a build is 
always hard. In the JVM ecosystem, Maven and Gradle chose different strategies 
to achieve that

Do you envision an equivalent of Reproducible Central some time in the future?
= https://github.com/jvm-repo-rebuild/reproducible-central#readme

I suppose in .NET case it would be for NuGet Gallery.

FYI, during last Reproducible Builds Summit, we started to think at the same 
for PyPI and npmjs, without going very far: having checked Reproducible Builds 
for binaries in public registries is hard...

In Reproducible Builds community, we also have many Linux distributions: I 
don't know if there is a distro that packages some .NET content, then would be 
interested in getting their packages updated to be reproducible (maybe it's 
already done, like it's done for some Python packages)


Regards,

Hervé

> 
> -- 
> jaredpar
> https://twitter.com/jaredpar
> 
> 
> From: rb-general <rb-general-bounces at lists.reproducible-builds.org> on
> behalf of Hervé Boutemy <hboutemy at apache.org> Sent: Friday, November 11,
> 2022 12:48 AM
> To: General discussions about reproducible builds
> <rb-general at lists.reproducible-builds.org> Subject: Re: How to Add a New
> Project within Reproducible Builds
>  
> [You don't often get email from hboutemy at apache.org. Learn why this is
> important at https://aka.ms/LearnAboutSenderIdentification ]
> 
> Hi Adrian,
> 
> > We’re looking to submit .NET SDK.
> 
> It would really have been nice to have you at Reproducible Builds Summit
> last week in our "language packaging" track: we had many ecosystems, and we
> saw that we were missing a few ones like .NET. I hope we'll have you next
> year :)
> > For all of our core scenarios this is a
> > fully reproducible toolset. This is true out of the box with no real
> > configuration changes needed. There is one caveat though: some less
> > mainline scenarios are not reproducible at the moment (e.g. AOT). I’ve
> > added Jared Parsons to this thread who is the lead engineer (and has also
> > joined the rb-general list) and can answer any follow-up questions.
> 
> I have a few questions on the currently achieved status and eventually
> remaining tasks (planned or not) in the .NET ecosystem
> 
> IIUC, this is about .NET compiler producing binaries in a reproducible way =
> executing the compiler twice from the same source code gives the same
> binary output?
> Is there a minimum .NET SDK required?
> Is there some publicly visible documentation on this?
> 
> Does this reproducible builds scenario cover NuGet packages output?
> 
> Regards,
> 
> Hervé

More information about the rb-general mailing list