-
-
Notifications
You must be signed in to change notification settings - Fork 938
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Brainstorming: Running reproducible-build checks just before publishing #2666
Comments
@Dentrax This is cool! |
Hi @Dentrax, very cool idea. I am not sure about the exact purpose of this. Do you want to make goreleaser build reproducible binaries or do you want to test go programs for reproducible builds via goreleaser? The second one is very very difficult. If we speak about the latter, we have to address a few issues:
The reproducible builds crew wrote a few tools for this purpose: https://reproducible-builds.org/tools/
I am not 100% sure if goreleaser wants to go this path. If goreleaser really wants to do this, I would suggest adding it as a plugin, because this might be a bigger project. Also, there are nicer tools for testing reproducibility such like reprotest, diffoscope or rebuilderd I am by far, away from being an expert on this topic. So I might be totally wrong, too :D Let's invite @kpcyrd to this thread. @kpcyrd might know more. |
I think @shibumi summarized it very well, if you want to detect possible problems you could use:
This would:
To implement this:
You'd need to consider that the system you're rebuilding on might be using a different operating system, different version of goreleaser, a different go compiler or also different binutils. This is a problem you can't solve with "build multiple times on the same computer and see if the result is always the same", you need some kind of plan on how to setup a similar environment. Linux distributions generally approach this problem with buildinfo files (which is kind of SBOM) and I wrote about using docker for this. |
Thanks for such great explanations! I clearly understood the concerns and pretty much the idea. One point that I have been wondering:
I slightly confused here. Please correct my if I'm wrong: To verify my build is reproducible, I have to use the same environment to compile source. If goreleaser use Linux ARM v7 with Go 1.17 to build my source, then I need to recompile the source using exactly the same environment, which is linux, armv7 and Go 1.17. I should do this operation on the same and different physical computer. Eventually, I expect the all checksums are exactly the same, right? This is where we see that this is a problem that is not so easy to solve. I think we should find a way out to create different build environments in automated way. Simply creating a pipeline build matrix on GitHub would not provide that build consistency and truth? |
If the idea is to create reproducible builds, goreleaser can already do this For instance, goreleaser builds themselves are reproducible: That's after building 2 times with The keypoints are here: https://goreleaser.com/customization/build/?h=repro#reproducible-builds Verifying the builds are reproducible would be a bit out of scope I think... one can use In any case, will open a PR to cosign doing the necessary changes... |
The other bits were already there, just go mod proxy was missing |
closing as explained on previous comments. Thanks for the writeup @Dentrax ! |
For someone who is stopping by here, want to drop the following repo as a reference: https://github.com/capnspacehook/gorepro |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Reopening so that people who have ideas on this can contribute! |
it was already closed as wontfix though 🤔 and the issue is locked... did something change? whats the goal? |
Oh, I was on mobile and thought that it closed by stale bot. My bad. 🤞 |
no prob! |
Is your feature request related to a problem? Please describe.
Several days ago, @naveensrinivasan created something noticeable sigstore/cosign#1019 issue to cosign. This project has been using goreleaser. So, we (@developer-guy @erkanzileli) decided to move the discussion here for further details and make some brainstorming: "What kind of automated action would have we take in the GoReleaser to avoid this inconsistency?"
Let's have in mind that GoReleaser already have a support for deterministic / reproducible builds if IIUC: 0d4f605 1 The motivation behind is this issue is extending the power of this deterministic builds:
Describe the solution you'd like
I think we should run this tests just BEFORE publishing pipeline. That said, we better NOT to publish (sending the release) across distribution platforms in case any tests fails. So, here is a small user story that defines what tests mean actually and referencing to:
As a builder (i.e., user, developer, maintainer, etc.),
I want to build the entire project using a build system that provided by project (i.e., makefile, justfile, custom shell script automation, etc.),
So that I can compare the checksum of the output binary against the binary that I downloaded from releases page
Between the
Signing
andPublish
stages, we can consider bring brand-new friend to platter of the pipelines; something like:check
,sanity
, etc. (This one might be not necessary since we can run this tests end of theBuild
stage) to addReproducible test
pipe. Here are my two cents:High-level Overview
^ Et voilà!
Trade-off warning: We probably build the projects twice as much. One by from GoReleaser and one by from custom build system; and each combination of:
PROS:
CONS:
Describe alternatives you've considered
Since GoReleaser already have a support for deterministic builds, are we still willing to add post-checks? Would it bring unnecessary complex? Overengineering?
If we already use custom build system or scripts in the repository, would not it is that easy to entry point of build system to
builds
stage like the following spec:PROS:
CONS:
Additional context
Any feedback would be greatly appreciated!
cc: @cpanato @shibumi @dekkagaijin
Footnotes
https://github.com/goreleaser/goreleaser/blob/master/www/docs/customization/build.md#reproducible-builds ↩
https://www.kernel.org/doc/html/latest/kbuild/reproducible-builds.html#reproducible-builds ↩
The text was updated successfully, but these errors were encountered: