from Hacker News

Three Pillars of Reproducible Builds

by spatten on 3/8/22, 7:19 PM with 14 comments

  • by FartyMcFarter on 3/9/22, 8:28 AM

    One of the most fun non-determinism bugs I have worked on was the result of using an associative container with the key type being a pointer (like a std::map<void*, int> or similar), and then iterating over this container.

    Since the order and value of dynamically allocated pointers is non-deterministic, this resulted in diverging behaviour at some point.

    Better be sure that all your tools used during the build don't do this kind of thing as well.
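An added example of the bug described in this comment (not code from the thread): a "symbol table" keyed by object address iterates in whatever order the allocator happened to hand out memory, so two runs that build the same logical table can walk it differently. The `Symbol` type, the table contents and the heap churn are constructed for the demonstration; the stable alternative keys on data the program controls.

```cpp
// Added example, not from the thread: iteration order of a std::map whose
// key is a pointer is decided by heap addresses, not by program logic.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Symbol {
    std::string name;
    explicit Symbol(std::string n) : name(std::move(n)) {}
};

typedef std::vector<std::unique_ptr<Symbol> > Table;

// The non-deterministic pattern: std::map orders keys with operator<, so a
// pointer key walks in numeric address order. That order depends on the
// allocator's free lists, earlier frees and ASLR, none of which the build
// input controls.
std::vector<std::string> names_in_pointer_order(const Table& syms) {
    std::map<const Symbol*, std::size_t> by_addr;
    for (std::size_t i = 0; i < syms.size(); ++i) by_addr[syms[i].get()] = i;
    std::vector<std::string> out;
    for (const auto& kv : by_addr) out.push_back(kv.first->name);
    return out;
}

// The fix: key on something that is a function of the input. The name is
// used here; a sequence number assigned at insertion works just as well.
std::vector<std::string> names_in_name_order(const Table& syms) {
    std::map<std::string, const Symbol*> by_name;
    for (const auto& s : syms) by_name[s->name] = s.get();
    std::vector<std::string> out;
    for (const auto& kv : by_name) out.push_back(kv.first);
    return out;
}

// Build the same logical table twice, once with some allocate/free churn
// beforehand (a stand-in for a freed temporary or a different pass order),
// so the freed chunks get reused and the addresses come out in another order.
Table make_table(bool churn_heap_first) {
    if (churn_heap_first) {
        Table scratch;
        for (int i = 0; i < 5; ++i) scratch.emplace_back(new Symbol("tmp"));
    }  // scratch is destroyed here; its chunks go back to the allocator
    Table t;
    t.reserve(4);
    const char* names[] = {"alpha", "beta", "gamma", "delta"};
    for (const char* n : names) t.emplace_back(new Symbol(n));
    return t;
}

// Does the pointer-keyed walk agree between the two tables? Often not.
bool pointer_order_agrees() {
    Table a = make_table(false);
    Table b = make_table(true);
    return names_in_pointer_order(a) == names_in_pointer_order(b);
}

// The name-keyed walk always agrees.
bool name_order_agrees() {
    Table a = make_table(false);
    Table b = make_table(true);
    return names_in_name_order(a) == names_in_name_order(b);
}

int main() {
    Table a = make_table(false);
    Table b = make_table(true);
    std::cout << "pointer order, run A:";
    for (const auto& n : names_in_pointer_order(a)) std::cout << ' ' << n;
    std::cout << "\npointer order, run B:";
    for (const auto& n : names_in_pointer_order(b)) std::cout << ' ' << n;
    std::cout << "\nname order agrees: " << (name_order_agrees() ? "yes" : "no")
              << "\npointer order agrees: " << (pointer_order_agrees() ? "yes" : "no")
              << '\n';
    return 0;
}
```

Whether the two pointer-keyed walks differ depends on the allocator (with glibc the reused chunks typically come back in reverse order), which is exactly the point: the output is a property of the heap, so no assertion about it can be made. Unordered containers keyed on pointers have the same problem, and so does anything that sorts by address as a tie-breaker.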

  • by pabs3 on 3/9/22, 7:14 AM

    These three aren't enough, you also need to take care of not storing build timestamps, hostnames, timezones, sorting and more:

    https://reproducible-builds.org/docs/
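An added example (not from the thread or from reproducible-builds.org) of how a build tool leaks the three things this comment lists, and the corresponding fix: a build stamp taken from the wall clock and the local timezone versus one derived from the SOURCE_DATE_EPOCH environment variable and formatted in UTC, plus a byte-order sort of a directory listing before it is used for anything order-dependent. The `naive_stamp`, `reproducible_stamp` and `manifest_order` names and the sample file list are assumptions made for the illustration.

```cpp
// Added example, not from the thread: timestamp, timezone and sort-order
// leaks in a build tool, with the reproducible alternative beside each.
#include <algorithm>
#include <cerrno>
#include <cstdlib>
#include <ctime>
#include <iostream>
#include <string>
#include <vector>

// Leaky: __DATE__/__TIME__ are the compile-time wall clock, and anything
// formatted with localtime() also bakes in the build machine's timezone.
// (Recent GCC substitutes SOURCE_DATE_EPOCH into __DATE__/__TIME__, but a
// tool that calls time()/localtime() at run time still needs the fix below.)
std::string naive_stamp() {
    return std::string("built ") + __DATE__ + " " + __TIME__;
}

// Read SOURCE_DATE_EPOCH (seconds since the Unix epoch, the convention
// documented at reproducible-builds.org). Returns false when it is unset or
// malformed so the caller can fail the build or fall back to a fixed value.
bool source_date_epoch(long long& out) {
    const char* v = std::getenv("SOURCE_DATE_EPOCH");
    if (!v || !*v) return false;
    char* end = nullptr;
    errno = 0;
    long long n = std::strtoll(v, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0) return false;
    out = n;
    return true;
}

// Format in UTC with gmtime, never localtime, so TZ on the build host
// cannot change the output.
std::string format_utc(long long epoch) {
    std::time_t t = static_cast<std::time_t>(epoch);
    std::tm tm{};
#if defined(_WIN32)
    gmtime_s(&tm, &t);
#else
    gmtime_r(&t, &tm);
#endif
    char buf[32];
    std::strftime(buf, sizeof buf, "%Y-%m-%dT%H:%M:%SZ", &tm);
    return buf;
}

// Reproducible: the stamp is a function of SOURCE_DATE_EPOCH (or a fixed
// fallback the build chooses), not of when or where the build ran. The
// hostname is simply not recorded; there is no reproducible way to embed it.
std::string reproducible_stamp(long long fallback_epoch) {
    long long e;
    if (!source_date_epoch(e)) e = fallback_epoch;
    return "built " + format_utc(e);
}

// Sorting: readdir() and directory iterators return entries in filesystem
// order, which differs between filesystems, machines, and even runs after a
// rename. Sort before archiving, hashing or linking. std::sort on
// std::string compares bytes, so the result is also independent of the
// locale (unlike `ls` or strcoll() with LC_ALL unset).
std::vector<std::string> manifest_order(std::vector<std::string> entries) {
    std::sort(entries.begin(), entries.end());
    return entries;
}

int main() {
    std::cout << naive_stamp() << '\n'
              << reproducible_stamp(0) << '\n';
    // Constructed listing, as a directory walk might return it.
    std::vector<std::string> listing;
    listing.push_back("src/main.cpp");
    listing.push_back("README");
    listing.push_back("Makefile");
    listing.push_back("src/Util.cpp");
    for (const auto& e : manifest_order(listing)) std::cout << e << '\n';
    return 0;
}
```

Run it twice as `SOURCE_DATE_EPOCH=1646767140 TZ=Asia/Tokyo ./a.out` and with another TZ: the reproducible stamp is the same both times, the naive one is not. Build systems that set SOURCE_DATE_EPOCH (Debian, Nix, and others) take the value from the source's last change, so the stamp still carries useful information without depending on the wall clock.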

  • by jiehong on 3/8/22, 10:11 PM

    On the JVM, maven doesn’t make this particularly easy.

    It’s possible to try to store dependencies locally instead of shared in a global m2 repository, but it’s difficult to stop maven from adding the current time in jars or wars…

    It’s as if all the default settings are the opposite of what they should be for reproducible builds.

    Any idea if there is a project to try to improve things with maven or with another JVM tool? (Gradle, sbt, etc.)

  • by cies on 3/9/22, 10:18 AM

    How can you discuss this w/o mentioning Nix (or the likes)?

  • by _3u10 on 3/9/22, 4:10 AM

    I guess any stubs the compiler adds will also have to be reproducible, big whoop.