
Build reproducibility and pinning

Open leoluk opened this issue 3 years ago • 2 comments

  • [x] We need to make sure that all external dependencies we pull in are pinned to exact versions such that they don't randomly start failing or become compromised.
  • [ ] If it's easy to do, builds should be byte-by-byte reproducible.

leoluk avatar Aug 24 '20 09:08 leoluk

Builds are now as reproducible as the toolchains allow. All build dependencies are deterministic and pinned.

leoluk avatar Jan 19 '21 17:01 leoluk

https://github.com/solana-labs/rust-bpf-sysroot/pull/5

https://github.com/solana-labs/solana/issues/12232#issuecomment-770129883

leoluk avatar Jan 30 '21 16:01 leoluk

@kcsongor can you verify that we're doing reproducible builds for solana?

aadam-10 avatar Nov 21 '22 17:11 aadam-10

We are now. The solana builder docker image is based on a prebuilt image: https://github.com/wormhole-foundation/wormhole/blob/40dfe0244413bac12fd8655bb64e032b48b9efd3/solana/Dockerfile#L1-L2 and the rest is locked cargo dependencies: https://github.com/wormhole-foundation/wormhole/blob/40dfe0244413bac12fd8655bb64e032b48b9efd3/solana/Dockerfile#L33-L37

kcsongor avatar Nov 21 '22 18:11 kcsongor
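
A check for the two properties this thread settles on (a pinned base image and locked cargo dependencies), added here as an example and not taken from the Wormhole repository. It assumes "pinned" means a base image referenced by `sha256` digest and cargo invoked with `--locked` or `--frozen`; the function names, the sample Dockerfile, its image names and its digest are constructed.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
CARGO = re.compile(r"\bcargo\s+(?:build|install|test|check|run)\b([^&;|]*)")

# Constructed sample; the image names and the digest are placeholders.
SAMPLE = """\
FROM example.org/builder@sha256:DIGEST AS builder
RUN cargo build --release --locked
FROM rust:1.60 AS tools
RUN cargo install some-tool && \\
    cargo build --release
FROM builder AS export
FROM scratch
COPY --from=builder /out /out
""".replace("DIGEST", "a" * 64)

def logical_lines(text):
    """Join backslash-continued lines; yield (first line number, joined text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def audit(dockerfile):
    """Return (line, rule, detail) for each unpinned base image or cargo call."""
    findings, stages = [], set()
    for no, line in logical_lines(dockerfile):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].upper() == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]  # skip --platform=
            image = args[0]
            # Earlier build stages and "scratch" have no registry tag to pin.
            if image != "scratch" and image not in stages and not DIGEST.search(image):
                findings.append((no, "unpinned-base-image", image))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2])
        elif words[0].upper() == "RUN":
            for m in CARGO.finditer(line):
                if not re.search(r"--(?:locked|frozen)\b", m.group(1)):
                    findings.append((no, "cargo-without-locked", m.group(0).strip()))
    return findings
```

Run `audit(open(path).read())` against a Dockerfile in CI and fail the job on a non-empty result; on the constructed sample it reports the tag-only `rust:1.60` base and the two cargo calls on line 4.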