vault-csi-provider icon indicating copy to clipboard operation
vault-csi-provider copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

feat: add bunch of ldflags for reproducibility

Open developer-guy opened this issue 3 years ago • 9 comments
trafficstars

Signed-off-by: Batuhan Apaydın [email protected] cc: @tomhjp 🙋🏻‍♂️

developer-guy avatar Feb 11 '22 14:02 developer-guy

Hi @developer-guy, please can you include some documentation and rationale in the Makefile for those options?

tomhjp avatar Feb 11 '22 14:02 tomhjp

Hello @tomhjp, I found this:

  • -trimpath: increases build reproducibility. Per default full file paths are added to the go binary so two users will very likely have different binaries build even though the code is the same. Important for Reproducible Builds so full build paths and module paths are not embedded.
  • -w: No DWARF (reduces binary size)
  • -s: No symbol table (even less binary size)
  • -znow and -zrelro: Hardening, adds runtime costs. See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
  • -buildmode=pie: enables PIE compilation for binary harderning.
  • -mod=readonly: ensure the module files are not updated in any go actions.
  • -modcacherw: is not important, but it ensures that go modules creates a write-able path. Default is read-only.
> https://giters.com/ansible/receptor/issues/398

developer-guy avatar Feb 11 '22 17:02 developer-guy

And also a bunch of useful articles about reproducible builds for Go binaries:

  • https://hackernoon.com/building-reproducible-verifiable-binaries-with-golang
  • https://words.filippo.io/reproducing-go-binaries-byte-by-byte/

developer-guy avatar Feb 11 '22 17:02 developer-guy

We reduced the binary size up to 4MB 📉

Screen Shot 2022-02-11 at 21 42 01

Screen Shot 2022-02-11 at 21 41 14

developer-guy avatar Feb 11 '22 18:02 developer-guy

Generally speaking; go and build flags is a rabbit hole since Go is unable to parse cli flags and env flags correctly. There is also a difference between hardening flags (PIE and RELRO) and reproducible builds flags. Setting trimpath and unsetting buildid is enough.

thanks to @Foxboron

developer-guy avatar Feb 11 '22 19:02 developer-guy

kindly ping @tomhjp

developer-guy avatar Feb 15 '22 19:02 developer-guy

kindly ping @tomhjp 🙋🏻‍♂️

developer-guy avatar Feb 23 '22 18:02 developer-guy

Hi @developer-guy, please can you put the reasoning in the code alongside/just before the usage?

  • -buildid= - I'm not convinced the need for this one is proven. It's set to a hash of the build inputs - that could be stable. Unfortunately I don't have the bandwidth to run experiments around this one
  • -s -w - I'm fine with this
  • -trimpath LGTM
  • -mod=readonly LGTM
  • -modcacherw - needs more justification. What paths? And why is it important that they're writeable?

I'm happy to land this either with just the ones that are definitely ok, or you're welcome to argue your case :)

tomhjp avatar Feb 25 '22 14:02 tomhjp

CLA assistant check
All committers have signed the CLA.

hashicorp-cla avatar Mar 12 '22 18:03 hashicorp-cla