Commandments of reproducible builds
- Thou shall not record the name of thy maker nor the place of thy making (username, hostname)
- Thou shall not record the date nor time of thy making, unless you respect the holy SDE spec (date time)
- Thou shall not use memory without initialization or use memory addresses to decide outcomes (ASLR)
- Thou shall do all your work in order - not use filesystem-readdir-order nor random order of hash elements
- Thou shall not (gamble and) record random numbers (UUID, private/public key, hash-seed, ASLR)
- Thou shall only do one thing at a time or ensure races do no harm (parallelism)
- Thou shall not look at build machine processor capabilities (CPU)
- Thou shall not look at build machine benchmarks for optimizations
- Thou shall be careful with profile-guided-optimization for it can amplify any sin (non-determinism)
- Thou shall keep your workspace environment clean of timezones, locales and umasks or ensure they do no harm
- Thou shall allow for offline builds (aka “vendoring” as servers can be down, contents can change)
- If Thou publishst binaries, Thou shall take note of your build inputs
License: CC-BY-SA 4.0
Introduction
Achieve deterministic builds
- Commandments of reproducible builds
- Variations in the build environment
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Stripping of unreproducible information
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- JVM
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
Distribute the environment
Verification
Specifications
Follow us on Twitter @ReproBuilds, Mastodon @[email protected] & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info
