rattler-build

Reproducibility: control "tools" as well

Open • wolfv opened this issue 2 years ago • 2 comments

We currently use some system tools:

  • install_name_tool on macOS for changing @rpath after building
  • patchelf on Linux to change RPATH after building

These tools could potentially influence how reproducible the final binaries are. Ideally we get rid of these third-party tools and implement the functionality natively in Rust, but that is no small feat. In the meantime it might be good to install them into their respective virtual environments and use them with a very specific version / lockfile and store that alongside the rendered recipe.

wolfv • Oct 11 '23 07:10

In fact, there is apparently a difference between cctools (from conda-forge) install_name_tool and Apple's version. The cctools one does automatic codesigning after modifying the binary.

wolfv • Nov 22 '23 07:11

First steps have been done and we have a system_tools section now in the recipe that records the versions of tools used. It might still be better and more appropriate to install these tools globally into their own environment though.

wolfv • Feb 07 '24 08:02
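
An added example, not part of the issue and not rattler-build's own code: one way to pin the post-build tools by content digest, so that two different builds sharing one tool name (the cctools versus Apple `install_name_tool` case above) show up as drift. All function names and the snapshot layout are hypothetical and are not the format of the `system_tools` section; the stand-in executables are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

# Tool names taken from the issue; everything else here is hypothetical.
POST_BUILD_TOOLS = ("patchelf", "install_name_tool")

def fingerprint_tool(name, search_path=None):
    """Hash the file that would actually run when `name` is invoked."""
    resolved = shutil.which(name, path=search_path)
    if resolved is None:
        return None
    real = os.path.realpath(resolved)  # follow symlinks and shims
    with open(real, "rb") as fh:
        return {"path": real, "sha256": hashlib.sha256(fh.read()).hexdigest()}

def snapshot(tools=POST_BUILD_TOOLS, search_path=None):
    """Record every tool that is present; store this next to the rendered recipe."""
    found = {t: fingerprint_tool(t, search_path) for t in tools}
    return {t: fp for t, fp in found.items() if fp is not None}

def drift(locked, search_path=None):
    """Compare the tools on the current path with a stored snapshot."""
    findings = []
    for name, want in sorted(locked.items()):
        got = fingerprint_tool(name, search_path)
        if got is None:
            findings.append(f"{name}: missing")
        elif got["sha256"] != want["sha256"]:
            findings.append(f"{name}: digest changed ({got['path']})")
    return findings

def make_stand_in(directory, name, body):
    """Write a constructed placeholder executable (not a real tool)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o755)

def demo():
    """Two constructed environments carrying different builds of one tool name."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b, \
            tempfile.TemporaryDirectory() as empty:
        make_stand_in(a, "patchelf", "#!/bin/sh\necho build-A\n")
        make_stand_in(b, "patchelf", "#!/bin/sh\necho build-B\n")
        locked = snapshot(("patchelf",), a)
        return drift(locked, a), drift(locked, b), drift(locked, empty)

if __name__ == "__main__":
    print(demo())
```

Called with no `search_path`, `snapshot()` and `drift()` resolve the tools on the process `PATH`, which is the situation the issue describes for system tools.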