Hi, currently Rust builds are not reproducible, at least in part because the full path to the source code is recorded in the produced executable (such as in the panic and debug strings). Could this be fixed so that builds can be much more easily reproduced on other computers?
Here's the background. One of Rust's general advantages is countering bugs that can lead to security vulnerabilities. However, for security it's very valuable to be able to have reproducible builds. With reproducible builds, others can verify that rebuilding on a different computer with the same tools will produce the same result, countering subverted and malicious builds. This is not an idle concern; the attack on SolarWinds Orion, which got a lot of press, was due to a subverted build environment.
Rust: A Critical Retrospective has nice things to say about Rust, but it also notes some current problems with its implementation. One of the problems with Rust it reports is that "builds are not reproducible between different computers... I think this is primarily because Rust pulls in the full path to the source code as part of the panic and debug strings that are built into the binary."
This problem is easily verified. E.g., I used this code in `src/main.rs``:
Hi, as mentioned above the --remap-path-prefix solves this problem and has been used to great effect in build systems that rely on reproducibility (Bazel, Nix) to work at all. There are efforts to teach cargo about it here. With that in mind this issue doesn't appear to track anything actionable, so I'll close it.
Hi, currently Rust builds are not reproducible, at least in part because the full path to the source code is recorded in the produced executable (such as in the panic and debug strings). Could this be fixed so that builds can be much more easily reproduced on other computers?
Here's the background. One of Rust's general advantages is countering bugs that can lead to security vulnerabilities. However, for security it's very valuable to be able to have reproducible builds. With reproducible builds, others can verify that rebuilding on a different computer with the same tools will produce the same result, countering subverted and malicious builds. This is not an idle concern; the attack on SolarWinds Orion, which got a lot of press, was due to a subverted build environment.
Rust: A Critical Retrospective has nice things to say about Rust, but it also notes some current problems with its implementation. One of the problems with Rust it reports is that "builds are not reproducible between different computers... I think this is primarily because Rust pulls in the full path to the source code as part of the panic and debug strings that are built into the binary."
This problem is easily verified. E.g., I used this code in `src/main.rs``:
... and on MacOS ran:
Note: On MacOS, "/Users" is equivalent to "/home" on most Linux/Unix systems.
I expected an empty result (no lines produced), because full paths (such as /User, /usr/, /home, /bin, etc.) shouldn't be in the generated executable.
Instead of the expected empty list, I received this long list:
This is with
rustc --version --verbose:Thank you!
The text was updated successfully, but these errors were encountered: