wormhole
Build reproducibility and pinning
- [x] We need to make sure that all external dependencies we pull in are pinned to an exact version, so that they don't randomly start failing or become compromised.
- [ ] If it's easy to do, builds should be byte-by-byte reproducible.
Builds are now as reproducible as the toolchains allow. All build dependencies are deterministic and pinned.
https://github.com/solana-labs/rust-bpf-sysroot/pull/5
https://github.com/solana-labs/solana/issues/12232#issuecomment-770129883
@kcsongor can you verify that we're doing reproducible builds for solana?
We are now. The solana builder docker image is based on a prebuilt image: https://github.com/wormhole-foundation/wormhole/blob/40dfe0244413bac12fd8655bb64e032b48b9efd3/solana/Dockerfile#L1-L2. The rest is locked cargo dependencies: https://github.com/wormhole-foundation/wormhole/blob/40dfe0244413bac12fd8655bb64e032b48b9efd3/solana/Dockerfile#L33-L37
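A check for the two pinning points named in the comment above, added here as example code rather than anything from the wormhole repository: a Dockerfile base image counts as pinned only when it carries a sha256 digest (a tag alone can be re-pushed), and a Cargo.lock entry only when its provenance is fixed by a registry checksum or a full git commit hash. The sample Dockerfile and Cargo.lock are constructed, and the lock-file check assumes the format that records `checksum` inline per package.

```python
import re

# Constructed sample inputs, not the project's real Dockerfile or Cargo.lock.
DIGEST = "sha256:" + "ab" * 32  # placeholder digest value
SAMPLE_DOCKERFILE = f"""\
FROM --platform=linux/amd64 rust:1.49@{DIGEST} AS builder
FROM ubuntu:20.04
FROM builder AS tests
"""
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "pinned-crate"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
[[package]]
name = "unverified-crate"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "git-crate"
source = "git+https://example.invalid/git-crate.git#deadbeef"
"""
FROM_RE = re.compile(r"^\s*FROM[ \t]+(?:--\S+[ \t]+)*(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.I | re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
KV_RE = re.compile(r'^(\w+) = "([^"]*)"$', re.M)
GIT_REV_RE = re.compile(r"#[0-9a-f]{40}$")


def unpinned_base_images(dockerfile):
    """FROM images without a sha256 digest; stage aliases and 'scratch' are skipped."""
    stages, unpinned = set(), []
    for m in FROM_RE.finditer(dockerfile):
        image, alias = m.groups()
        if image != "scratch" and image not in stages and not DIGEST_RE.search(image):
            unpinned.append(image)
        stages.add(alias)  # None for unnamed stages; never collides with an image
    return unpinned


def unpinned_packages(cargo_lock):
    """Registry crates lacking a checksum, git crates lacking a full commit hash."""
    problems = []
    for chunk in cargo_lock.split("[[package]]")[1:]:
        pkg = dict(KV_RE.findall(chunk))  # path crates have no source and pass
        source = pkg.get("source", "")
        if source.startswith("registry+") and "checksum" not in pkg:
            problems.append(pkg["name"])
        elif source.startswith("git+") and not GIT_REV_RE.search(source):
            problems.append(pkg["name"])
    return problems
```

Running both checks on the samples flags `ubuntu:20.04`, `unverified-crate` and `git-crate`; a clean result on the real files is the condition to gate in CI.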