Reproducible builds

[guseggert]

Currently, two builds on identical source trees result in different CIDs because of at least two issues (possibly more):

• The dist.json and build-info files contain dates + timestamps
• We don't strip timestamps from file metadata when archiving them, and the gzip header also contains a timestamp, causing their bytes to be different even though the contents are the same

From spot-checking a build, the binaries themselves are identical once they are extracted from the archive.

[guseggert]

Two examples that contain identical source code:

• /ipfs/bafybeihlvvrmxwpdwsksy7lqdm63jfenuekfzxyn74oymd2xpg5w6k5pjy/go-ipfs/v0.11.0-rc2
• /ipfs/bafybeie5tqusm4kdnssq2mzkzgvh3ltt46lupuqkplbft6ylnysq4czkde/go-ipfs/v0.11.0-rc2

[guseggert]

see also ipfs/kubo#7848

[lidel]

Related: https://warpforge.io was announced during IPFS Camp this year:

We’re offering software build tools for language-agnostic, hermetic builds, for developer productivity, security, and sanity. It’s tooling for developers. It’s open source. It gives reproducible environments, so you can do reproducible work

Warpforge — Hashes go in, hashes come out, exec in the middle! - Eric Evenchick:

Warpforge is a tool for building software and creating data pipelines, founded in content addressable primitives and aimed at happily operating in a decentralized environment — both in the sense of “on laptops as well as in datacenters”, as well as in the sense of “I share build instructions with friends, and we don’t need a monorepo to coordinate”. Along the way, we put may IPLD datastructures to use to obtain our goals — including some data structures which are used to create local solutions to the infamous decentralized naming problem. This talk was given at IPFS Camp 2022 in Lisbon, Portugal.

Feels like something worth evaluating for "dist.ipfs.tech 2.0"