Reproducible builds #28987
Comments
Actually, ignore reproducing the same build as the travis builder, we don't even reproduce the same build on the same system:
root@208cb9fcfa68:/go-ethereum# rm ./build/bin/geth
root@208cb9fcfa68:/go-ethereum# CI=true TRAVIS=true TRAVIS_COMMIT="fe91d476ba3e29316b6dc99b6efd4a571481d888" go run ./build/ci.go install -dlgo ./cmd/geth
gotool.go:96: -dlgo version matches active Go version 1.21.6, skipping download.
>>> /usr/local/go/bin/go build -ldflags "-X github.com/ethereum/go-ethereum/internal/version.gitCommit=fe91d476ba3e29316b6dc99b6efd4a571481d888 -X github.com/ethereum/go-ethereum/internal/version.gitDate=20240213 -extldflags '-Wl,-z,stack-size=0x800000'" -tags urfave_cli_no_docs,ckzg -trimpath -v -o /go-ethereum/build/bin/geth ./cmd/geth
root@208cb9fcfa68:/go-ethereum# md5sum ./build/bin/geth
1337ffaed216a31fa9a77caf138f642f ./build/bin/geth
root@208cb9fcfa68:/go-ethereum# rm ./build/bin/geth
root@208cb9fcfa68:/go-ethereum# CI=true TRAVIS=true TRAVIS_COMMIT="fe91d476ba3e29316b6dc99b6efd4a571481d888" go run ./build/ci.go install -dlgo ./cmd/geth
gotool.go:96: -dlgo version matches active Go version 1.21.6, skipping download.
>>> /usr/local/go/bin/go build -ldflags "-X github.com/ethereum/go-ethereum/internal/version.gitCommit=fe91d476ba3e29316b6dc99b6efd4a571481d888 -X github.com/ethereum/go-ethereum/internal/version.gitDate=20240213 -extldflags '-Wl,-z,stack-size=0x800000'" -tags urfave_cli_no_docs,ckzg -trimpath -v -o /go-ethereum/build/bin/geth ./cmd/geth
root@208cb9fcfa68:/go-ethereum# md5sum ./build/bin/geth
4e5180c9678db91d506e223c9a25838a ./build/bin/geth
|
If we disable the C building, then we get reliable builds on a single machine
|
Got a report that these paths are present in the output:
This works when imported as a library too
I don't see these paths in the output binary
|
Hi, running this:
wget https://gethstore.blob.core.windows.net/builds/geth-linux-amd64-1.13.15-c5ba367e.tar.gz
tar -xvf geth-linux-amd64-1.13.15-c5ba367e.tar.gz
cd geth-linux-amd64-1.13.15-c5ba367e
grep -a 'home/travis' geth | strings
I get four occurrences of full Travis paths in the bundle:
Which are part of the read-only data.
Here are some files to reproduce more descriptive diffs using diffoscope.
|
Right. And here's how it looks against a newer binary (
|
@vivi365 made a great finding here: golang/go#67011. Following that example, I did the same (but with
First dockerfile,
results in
For
This is good, now it stripped the path.
So seems that particular bug is only present in Ubuntu. We should bump the CI-builders.
|
Reproducible builds
This is a little investigation into "do we have reproducible builds in geth?".
A reproducible build means that one can replicate locally a build made on e.g. a build-server.
That is, produce an exact matching binary. This is very useful to verify the integrity
of the build-servers: any remote machine can be used to watch over the builds.
The Go compiler is, supposedly, reproducible. However, go-ethereum is not pure go
c compiler, thus we need to ensure the same compiler is used.
Testing
First, I downloaded the latest build from our downloads-page. The downloads-page
lists the checksum as 8d5e138dc3eb7b08cde48966aee0ea79 (note: md5 is not a secure
cryptographic hash, but we also provide detached signatures, which offer much
better security in verifying integrity).
I then tried to create a docker container replicating the environment used. Details gleaned from the downloaded file:
The .travis.yml also gives us some hints:
Dockerfile attempt
Using a dockerfile like this:
In order to make the docker-version bundle the git data, we set the TRAVIS, CI env variables. See internal/build/env.go for reasons.
The two builds are not exactly alike in size:
Content-wise:
VS
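The two checks used in this thread (comparing two outputs of the same build, and searching a binary for `home/travis` paths), as an added Go example that is not go-ethereum code and not written by any participant here. The names `FirstDiff` and `LeakedPaths` and the sample bytes in `main` are constructed for illustration.

```go
// Added example, not go-ethereum code; the bytes in main are constructed samples.
package main
import (
	"bytes"
	"fmt"
)

// FirstDiff returns the first offset where two build outputs differ, or -1 if identical.
func FirstDiff(a, b []byte) int {
	i := 0
	for i < len(a) && i < len(b) && a[i] == b[i] {
		i++
	}
	if i == len(a) && i == len(b) {
		return -1
	}
	return i
}

// LeakedPaths lists each distinct printable-ASCII run in bin that contains marker.
func LeakedPaths(bin []byte, marker string) (out []string) {
	isPrint := func(c byte) bool { return c >= 0x20 && c < 0x7f }
	seen := map[string]bool{}
	for pos := 0; marker != ""; {
		i := bytes.Index(bin[pos:], []byte(marker))
		if i < 0 {
			break
		}
		start, end := pos+i, pos+i+len(marker)
		for start > 0 && isPrint(bin[start-1]) {
			start--
		}
		for end < len(bin) && isPrint(bin[end]) {
			end++
		}
		if s := string(bin[start:end]); !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
		pos = end
	}
	return out
}

func main() {
	a := []byte("\x7fELF\x00/home/travis/gopath/src/x/y.c\x00\x01")
	b := []byte("\x7fELF\x00/go-ethereum/x/y.c\x00\x01")
	fmt.Println("first diff:", FirstDiff(a, b), "paths:", LeakedPaths(a, "home/travis"))
}
```

To check real artifacts, pass the contents of the two binaries (read with `os.ReadFile`) in place of the sample bytes; the offset of the first difference shows where to start looking with a tool such as diffoscope.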