
New SDL requirement: Enable deterministic builds

Open GrabYourPitchforks opened this issue 6 months ago • 7 comments

A new SDL requirement recently came online requiring us to produce deterministic builds for our managed assemblies. This caused a bunch of alerts to light up across Arcade's internal repo health dashboard.

In theory this should be a simple matter of adding <Deterministic>true</Deterministic> to the shared .props file under our source directory.

More info:

  • https://learn.microsoft.com/dotnet/csharp/language-reference/compiler-options/code-generation#deterministic
  • https://aka.ms/liquid?share=17264 (MSFT internal)

Figured we could start in this repo and squash the alerts here, then track the binaries flowing to other repos and see if the alerts start disappearing.

GrabYourPitchforks, Jun 16 '25 23:06

A tangential concern about NuGet packages, not the managed assemblies:

I have found that the MSBuild Tasks implemented in this repo (such as https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.NuGetRepack/tasks/src/ReplacePackageParts.cs and https://github.com/dotnet/arcade/blob/main/src/Microsoft.DotNet.NuGetRepack/tasks/src/UpdatePackageVersionTask.cs) mutate existing NuGet packages as part of the VMR build. The mutation changes are not deterministic. In fact, when run against a NuGet package already built in <Deterministic>true</Deterministic> mode, they actually undo the deterministic-ness.

omajid, Jul 19 '25 01:07

@omajid Do you have an example of the diffs that are showing up?

Btw, good to see you found https://github.com/NuGet/Home/issues/8601. This issue overall was blaring warning lights from long ago deep in my head and I had to go hunting for it.

mmitche, Jul 21 '25 18:07

I built a custom SDK which enables deterministic mode. Then I used it to build the VMR in source-build mode twice. Running diffoscope against the two SDKs shows things like:

Image

I am working on a fix (or hack, I guess) for this. WIP (doesn't even build) is here: https://github.com/omajid/dotnet-dotnet/commits/reproducible/

omajid, Jul 22 '25 01:07
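A narrower version of the build-twice comparison described in this comment, as an added example that is not part of the thread or of the Arcade code base: it compares two builds of a package as zip archives (a .nupkg is a zip archive) and separates payload differences from container-level ones such as entry timestamps and entry order. The function names, file names and sample archives are constructed for illustration, and the example makes no claim about which class of difference the tasks named in this thread actually introduce.

```python
import hashlib
import io
import zipfile

def entry_table(data: bytes) -> dict:
    """Map entry name -> (sha256 of content, zip timestamp, position in archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: (hashlib.sha256(zf.read(info)).hexdigest(), info.date_time, pos)
            for pos, info in enumerate(zf.infolist())
        }

def compare_packages(a: bytes, b: bytes) -> dict:
    """Classify the differences between two builds of the same package."""
    ta, tb = entry_table(a), entry_table(b)
    common = sorted(ta.keys() & tb.keys())
    return {
        "byte_identical": a == b,  # the property a reproducible build must have
        "only_in_a": sorted(ta.keys() - tb.keys()),
        "only_in_b": sorted(tb.keys() - ta.keys()),
        "content": [n for n in common if ta[n][0] != tb[n][0]],    # payload differs
        "timestamp": [n for n in common if ta[n][1] != tb[n][1]],  # metadata only
        "order": [n for n in common if ta[n][2] != tb[n][2]],      # layout only
    }

def make_package(entries, stamp) -> bytes:
    """Build a constructed in-memory archive that stands in for a .nupkg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), payload)
    return buf.getvalue()

# Constructed sample data: two clean builds and one archive rewritten afterwards
# with the same payloads but a new timestamp and a different entry order.
FILES = [("Sample.nuspec", b"<package/>"), ("lib/net8.0/Sample.dll", b"MZ-constructed")]
BUILD_1 = make_package(FILES, (2025, 7, 21, 10, 0, 0))
BUILD_2 = make_package(FILES, (2025, 7, 21, 10, 0, 0))
REPACKED = make_package(list(reversed(FILES)), (2025, 7, 22, 9, 30, 0))

if __name__ == "__main__":
    for label, other in (("second build", BUILD_2), ("repacked", REPACKED)):
        print(label, compare_packages(BUILD_1, other))
```

An archive can fail the byte-identical check while every payload hash matches, which points at the packing step rather than at the compiler output.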

Actually most of the blame for Microsoft.DotNet.ILCompiler.nupkg non-determinism is the arcade/src/Microsoft.DotNet.Build.Tasks.Packaging/src/NuGetPack.cs task.

omajid, Jul 24 '25 15:07

@GrabYourPitchforks @mmitche I'm going to reach out to the two of you about deterministic pack.

zivkan, Jul 28 '25 21:07

Any chance you can loop me in too? I would like to understand any constraints/limitations that are in play. Thanks!

omajid, Jul 28 '25 21:07

> In theory this should be a simple matter of adding <Deterministic>true</Deterministic> to the shared .props file under our source directory.

FYI, I have been told that this is already the default: https://github.com/dotnet/dotnet/pull/1618#issuecomment-3117400680

omajid, Jul 28 '25 22:07