New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ContinuousIntegrationBuild=true produces nondeterministic source paths by default #55860
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
I think that ContinuousIntegrationBuild is used in Microsoft.Managed.Core.targets which comes from Roslyn. |
@tmat is this the right place for the issue? |
I'm not sure what the ask is. Setting |
The SDK doesn't know what that directory is. The directory containing the solution does not need to contain all the source files. |
Where does that come from? The issue is that without using any of the |
The project can set BTW, the paths are not irrelevant even when the source files are embedded in the PDB. The paths can still be used by the program via |
@tmat should the SDK have that concept though? Seems like determinism as a concept does not require SourceLink. And if the paths are different between builds, then it's not deterministic since the paths are local machine paths. I do think this should be an SDK concept. |
Indeed, determinism doesn't require Source Link. Setting |
I guess what I'm looking for is a "secure by default" "it just works" mechanism. |
It sounds like this should be moved to https://github.com/dotnet/sdk? |
That's why I said the SDK could either:
If I haven't referenced a provider-specific SourceLink package, the notion of a source control repository is irrelevant for the purposes of build determinism. All that matters is that paths are deterministic between builds. |
This is not sufficient. Source files may contain |
I see. So no matter what the default SourceRoot strategy is (including not having a default), files could end up outside it. You've also raised the point that original file paths get embedded via CallerFileNameAttribute which is a good one. (NuGet Package Explorer might be able to heuristically check this with decent accuracy by scanning for absolute paths in the metadata string heap and then scanning all method bodies for Can the SDK provide build-time warnings if absolute source paths don't leak into the outputs, and maybe sensible defaults that cover the 99% case of all source files being under the solution directory tree or already accounted for by SDK SourceRoot items? |
Just to be clear - the compiler applies PathMap on these paths. PathMap is set based on SourceRoots.
The compiler could (the SDK does not know all the paths) but it wouldn't be by default since that would be a breaking change. Perhaps it could be by default for new TFMs. What are we actually trying to address here? I don't think most customers care about the paths. I believe we have guidelines on authoring high quality packages. Those guidelines include requirement to have Source Link. Once you reference a Source Link package the SourceRoots are automatically set. |
@tmat We don't need SourceLink, that's not what's required for a high quality package -- what is required is access to the full source. When |
I see, so it's just the The SDK could then include |
Closing this issue as we've seen no reply to the request for more information. If you are able to get the requested information, please add it to the issue and we will retriage it. |
This is going to be fun. |
Wanted to ping on this issue. What are the next steps here? Unclear from the convo if we believe this is an SDK issue or something we should be mitigating in the compiler. |
As noted in my comment I think we may need to enhance |
Consider the case where the |
Yeah. After trimming each path we could prefix it with |
I think this is an SDK bug. The workaround is either to add a specific SourceLink provider package reference (which may be redundant and may even be problematic or impossible) or to add a
<SourceRoot Include="$(SolutionDir)" />
item or similar. The actual directory does not matter so long as it contains all source files not already covered by a SourceRoot item.Without the workaround, you can see absolute paths leaking from the CI image, and NuGet Package Explorer also flags the resulting assembly as failing the determinism check:
Using the workaround, determinism is achieved:
If no specific SourceLink provider package is referenced in a project, the SDK should add a SourceRoot directory by default containing all source files. This should work the same way whether or not the project is even contained in a source-control repository of any kind. Alternatively, source files outside the solution directory should not be mapped and should cause build warnings when ContinuousIntegrationBuild=true.
The text was updated successfully, but these errors were encountered: