reproducible builds

Open stefantalpalaru opened this issue 5 years ago • 3 comments

https://en.wikipedia.org/wiki/Reproducible_builds

https://reproducible-builds.org/

The first step is to lock down dependencies to specific commits. An experiment using Git submodules is available here and it locks down everything, including the compiler's "csources" and Nimble: https://github.com/status-im/nimbus/tree/submodules

Relevant workflows: https://github.com/status-im/nimbus/tree/submodules#git-submodule-workflow

TODO: investigate why the Nimbus binary changes between builds.

stefantalpalaru, Feb 13 '19 01:02

Consecutive Nimbus builds are identical, after https://github.com/status-im/nim-eth/pull/7

TODO:

  • add a CI test for that
  • take control of the Nim cache dir (the one where generated C files are placed and reused) to avoid relying on the compiler's cache invalidation algorithm

stefantalpalaru, Feb 15 '19 17:02

Custom "nimcache" directory added to the project's root.

Simple reproducibility test added to our CI pipelines - it just rebuilds "nimbus" and compares its checksum to that of the previous build. Turns out it fails on Windows, due to a timestamp inserted by default in some PE header: https://blogs.msdn.microsoft.com/oldnewthing/20180103-00/?p=97705

Fortunately, there's a linker flag to disable that: https://wiki.debian.org/ReproducibleBuilds/TimestampsInPEBinaries

What remains to be done is standardising the build environments - easy for Linux, by using an OS image, harder for macOS and Windows. Besides toolchain versions, we need to worry about absolute paths ending up in the resulting binaries - like those inserted for error messages:

C:\Users\user\Desktop\status\nimbus-submodules\nimbus\nimbus.nim(67, 11) `contains(trieDB, toOpenArray(canonicalHeadHashKey().data, 0,
                            int(canonicalHeadHashKey().dataEndPos)))`

You can follow the CI tests in this PR: https://github.com/status-im/nimbus/pull/231

I think the 32-bit Windows checksum comparison is failing because of the old Mingw-w64 version available. I tested it on a 32-bit Windows 7 instance with Mingw-w64 8.1.0 and it passes. Hopefully, they'll provide a newer version: https://github.com/appveyor/ci/issues/2754#issuecomment-464494351

stefantalpalaru, Feb 17 '19 18:02
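
A checksum comparison like the one in the comment above only says that two builds differ. As an added example (not part of the original thread or the Nimbus CI), this sketch reads the PE header timestamp and lists embedded absolute paths, the two causes named above. The function names, the path prefixes and the constructed PE-like sample bytes are assumptions.

```python
import re
import struct

# Windows drive paths or Unix home-style paths (assumed prefixes for this example).
ABS_PATH = re.compile(rb"(?:[A-Za-z]:\\|/(?:home|Users)/)[\w.\\/-]+")

def pe_timestamp(data: bytes) -> int:
    """Return the TimeDateStamp field of a PE image's COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # After the 4-byte signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return stamp

def embedded_paths(data: bytes) -> list:
    """List distinct absolute paths found as ASCII strings in the binary."""
    return sorted({m.group().decode("ascii") for m in ABS_PATH.finditer(data)})

def compare_builds(a: bytes, b: bytes) -> dict:
    """Explain why two builds differ instead of only comparing checksums."""
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    return {
        "identical": a == b,
        "timestamps": (pe_timestamp(a), pe_timestamp(b)),
        "first_diff_offset": first_diff,
        "paths": sorted(set(embedded_paths(a)) | set(embedded_paths(b))),
    }

def fake_pe(stamp: int, payload: bytes) -> bytes:
    """Constructed PE-like header plus payload; sample data, not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + payload

if __name__ == "__main__":
    msg = rb"C:\Users\user\Desktop\status\nimbus-submodules\nimbus\nimbus.nim(67, 11)"
    print(compare_builds(fake_pe(0x5C69A000, msg), fake_pe(0x5C69A03C, msg)))
```

A first differing offset that falls inside the COFF header points at the timestamp, and any entry under `paths` shows a build-directory dependency even when the two checksums match on one machine.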

It seems that standardising the build environment on macOS and Windows is done by replacing it with Linux and cross-compiling there: https://reproducible-builds.org/docs/proprietary-os/

Some incomplete notes on Mingw-w64 cross-compilation: https://sourceforge.net/p/mingw-w64/wiki2/CrossQuickstart/

The big picture, so far: each official release comes with binaries, a build image and instructions to reproduce those binaries.

stefantalpalaru, Feb 18 '19 16:02