Geth Rebuild: Reproducibility Case Study in Go

Vivi Andersson vivia at kth.se
Tue Nov 12 11:32:11 UTC 2024 

Hi All,

I recently worked on reproducibility for the Ethereum client Geth 
<https://github.com/ethereum/go-ethereum/> and wanted to share some 
insights from this work.


Although the Go toolchain provides reproducibility primitives, achieving 
fully reproducible builds in practice is still challenging.

In our work with Geth, we found three primary reasons for this:

 1.

    *CGO Complexity*
    Integrating C code in Go introduces complexity, here resulting in
    unreproducible builds. Specifically, we’ve observed inconsistent
    build IDs (|.note.go.buildid| and |.note.gnu.build-id|), likely due
    to system-specific paths.

 2.

    *Project-Specific Build Configurations*
    Custom build scripts and environment settings can create subtle
    issues. For instance, inconsistencies arise when embedding metadata
    with |-ldflag -X|, or when shared build states affect the |go
    buildinfo| across jobs.

 3.

    *Software Bugs*
    As known, reproducibility efforts also reveal software bugs. We
    identified two ones: an issue
    <https://github.com/golang/go/issues/67011> with Go’s |trimpath|
    command and a bug
    <https://travis-ci.community/t/travis-uses-unexpected-ubuntu-distribution>
    in the Travis CI client leading to inconsistent GCC versions when
    building.


For details, see *Chapter 5* in Geth Rebuild: Verifiable Builds for Go 
Ethereum 
<https://www.diva-portal.org/smash/record.jsf?pid=diva2%3A1908608&dswid=445>.


*Takeaway:*

The reproducibility effort in Go still requires manual intervention and 
community support to succeed, despite the existing primitives.

In my experience, ease of adoption for developers is essential for 
reproducible builds to be implemented as a security mechanism. 
Therefore, it would be valuable to explore the broader reproducibility 
state and remaining challenges to reproducible builds in Go, eg. through 
a Go-specific rebuilder project.


Any thoughts are welcome!

-- 
Vivi Andersson
PhD Student, Department of Theoretical Computer Science
KTH Royal Institute of Technology
Stockholm, Sweden
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20241112/40895d5d/attachment.htm>

More information about the rb-general mailing list