[Makefile] Support reproducible builds #406
Conversation
It's bad form to embed timestamps in binaries as it prevents reproducible builds of the resulting binary. The Reproducible Builds project defines SOURCE_DATE_EPOCH to help reproduce binaries by allowing the date format to be overridden. This patch adds support for this for GNU and BSD date. Go 1.13 introduces `-trimpath` which strips build paths from all compiled binaries. This enables people to reproduce the distributed cli binary without having to recreate the build path. https://reproducible-builds.org/specs/source-date-epoch/ https://reproducible-builds.org/docs/build-path/ Signed-off-by: Morten Linderud <morten@linderud.pw>
Foxboron
force-pushed
the
morten/fix-reproducible
branch
from
39c69f3
to
1b70090
Compare
|
thanks! I like this but it's my first time looking at the reproducible build stuff. Is it the case using SOURCE_DATE_EPOCH is only useful when paired with it being present in the env at build time? In other words, merging this will not lead to reproducible builds until we also tweak our automated build process? |
|
The idea behind Currently distribution package managers and reproduction toolchains record and replay If you are interested how this work downstream I did write a little about it in November for Arch Linux; https://linderud.dev/blog/reproducible-arch-linux-packages/ |
| @@ -2,15 +2,21 @@ BUILD_FILES = $(shell go list -f '{{range .GoFiles}}{{$$.Dir}}/{{.}}\ | |||
| {{end}}' ./...) | |||
|
|
|||
| GH_VERSION ?= $(shell git describe --tags 2>/dev/null || git rev-parse --short HEAD) | |||
| DATE_FMT = +%Y-%m-%d | |||
| ifdef SOURCE_DATE_EPOCH | |||
| BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)") | |||
There was a problem hiding this comment.
Why the final date -u "$(DATE_FMT)" fallback, which doesn't seem to respect SOURCE_DATE_EPOCH?
There was a problem hiding this comment.
It's taken verbatim from the reproducible builds efforts; https://reproducible-builds.org/docs/source-date-epoch/
My guess it's a guard regarding a future date regressions. I can go ask the community for a better detail or dig up some change logs if that desirable.
EDIT: Heh. I realized that it is indeed noted on the webpage 😄
There was a problem hiding this comment.
Thanks for looking that up!
It's bad form to embed timestamps in binaries as it prevents
reproducible builds of the resulting binary.
The Reproducible Builds project defines SOURCE_DATE_EPOCH to help
reproduce binaries by allowing the date format to be overridden. This
patch adds support for this for GNU and BSD date.
Go 1.13 introduces
-trimpathwhich strips build paths from allcompiled binaries. This enables people to reproduce the distributed cli
binary without having to recreate the build path.
https://reproducible-builds.org/specs/source-date-epoch/
https://reproducible-builds.org/docs/build-path/
Signed-off-by: Morten Linderud morten@linderud.pw