Reproducible builds for native compiled binaries #16860
Conversation
Library/Homebrew/shims/super/cc
Outdated
| # Ideally this would be -ffile-prefix-map, but that requires a minimum of GCC 8, LLVM Clang 10 or Apple Clang 12 | ||
| # and detecting the version dynamcally based on what `HOMEBREW_CC` may have been rewritten to point to is awkward |
There was a problem hiding this comment.
We could just take a page from a configure script and see if passing the flag doesn't error...
There was a problem hiding this comment.
Probably don't want to do that on every cc run and doing it once is tricky because HOMEBREW_CC can and does change during the build (e.g. swift wrapper).
I guess ideally what we'd do is query all compiler versions ahead of time and check the appropriate one within the shim. Not really sure...
There was a problem hiding this comment.
Hmmm, yea. What cases will doing this for macOS with Xcode >= 12 cause problems?
There was a problem hiding this comment.
That's probably OK for clang on macOS, though it's a bit messier on the GCC side (in particular Linux) where we technically still support GCC 4.9 and later in brew and you can have multiple installed.
| @@ -310,6 +311,9 @@ class Cmd | |||
| args += path_flags("-isystem", isystem_paths) + path_flags("-I", include_paths) | |||
| # Add -nostdinc when building against glibc@2.13 to avoid mixing system and brewed glibc headers. | |||
| args << "-nostdinc" if @deps.include?("glibc@2.13") | |||
| # Ideally this would be -ffile-prefix-map, but that requires a minimum of GCC 8, LLVM Clang 10 or Apple Clang 12 | |||
| # and detecting the version dynamcally based on what `HOMEBREW_CC` may have been rewritten to point to is awkward | |||
| args << "-fdebug-prefix-map=#{formula_buildpath}=." if formula_buildpath | |||
There was a problem hiding this comment.
Any particular reason why we want . here?
There was a problem hiding this comment.
No real reason - this can be anything we want it to be. Though an empty string doesn't seem to work.
Debian uses .. If we want more info we could add the formula name or something, though you probably know that from the binary name itself.
Smaller paths in theory will reduce binary size too
There was a problem hiding this comment.
Great work @Bo98! One small typo fix needed then good to ship.
Bo98
force-pushed
the
reproducible-builds
branch
from
cb59314
to
5582849
Compare
This makes Clang, GCC and ld64 produce reproducible builds, for at least simple cases. It tells them to strip out build prefixes, which we randomise on each build.
This also drops support for Xcode < 7.3, which include Clang compilers which don't support this flag. El Capitan users are able to run Xcode up to 8.2.1, so this hopefully regresses nobody.
This doesn't cover
__FILE__substitutions should any build tools pass absolute paths to the compiler. This can be fixed by-ffile-prefix-mapbut this is only supported on GCC 8, LLVM Clang 10 and Apple Clang 12, and trying to detect these dynamically is awkward at best.To be clear: this doesn't guarantee the same build output across different compiler/linker versions so we're not getting
allbottles from this.