amazon-ecr-credential-helper
amazon-ecr-credential-helper copied to clipboard
Produce reproducible builds
Go has long had issue with reproducible builds due to embedding build path information into the artifacts (see https://github.com/golang/go/issues/16860). Go 1.13 added -trimpath
to strip that data, which should make reproducible builds easier.
Reproducible builds help users have confidence that the binaries match the source code.
Reproducible builds are a goal of Debian (and the existing amazon-ecr-credential-helper package fails to build reproducibly). They've also been asked for in https://github.com/awslabs/amazon-ecr-credential-helper/issues/184.
https://github.com/golang/go/issues/33772 appears to still be an issue for Go 1.13 (see https://github.com/golang/go/issues/34326 for when the fix is backported).
Shellcode.
$ podman run --rm -t -w $(pwd) -v $(pwd):$(pwd):Z,ro \
registry.salsa.debian.org/reproducible-builds/diffoscope gdnf520 gdnf521
...
│ The File Name Table (offset 0x1a):
│ Entry Dir Time Size Name
│ 1 0 0 0 <autogenerated>
│ - 2 0 0 0 /snap/go/5759/src/internal/cpu/cpu.go
│ - 3 0 0 0 /snap/go/5759/src/internal/cpu/cpu_amd64.go
│ - 4 0 0 0 /snap/go/5759/src/internal/cpu/cpu_x86.go
│ + 2 0 0 0 /usr/lib/golang/src/internal/cpu/cpu.go
│ + 3 0 0 0 /usr/lib/golang/src/internal/cpu/cpu_amd64.go
│ + 4 0 0 0 /usr/lib/golang/src/internal/cpu/cpu_x86.go
│
...
$ go version gdnf520
gdnf520: go1.14.3
$ dnf-go-gui git:(master) ✗ go version gdnf521
gdnf521: go1.14.2