When building libc.a in different machines with identical configuration, I get a different results.
It seems that the problem is the order in which the archive is created (I see some wildcard in the Makefile, but adding $(sort ) to them is not enough).
As a result, a Firefox with WASI sandbox cannot be built in a reproducible way.
Reproducibility matters to several projects, like Debian or Tor Browser (disclosure: I am a Tor Browser developer).
As a workaround, I created a Python script to re-create libc.a, but I wonder if something can be done to create libc.a deterministically in the first place (maybe some tweaks to the Makefile are enough).
Please notice that extracting libc.a with llvm-ar x libc.a and then creating it again with a sorted input list does not work, because the archive currently contains two errno.o, and also some object files without a name.
When building
libc.ain different machines with identical configuration, I get a different results.It seems that the problem is the order in which the archive is created (I see some
wildcardin theMakefile, but adding$(sort )to them is not enough).As a result, a Firefox with WASI sandbox cannot be built in a reproducible way.
Reproducibility matters to several projects, like Debian or Tor Browser (disclosure: I am a Tor Browser developer).
As a workaround, I created a Python script to re-create
libc.a, but I wonder if something can be done to createlibc.adeterministically in the first place (maybe some tweaks to theMakefileare enough).Please notice that extracting
libc.awithllvm-ar x libc.aand then creating it again with a sorted input list does not work, because the archive currently contains twoerrno.o, and also some object files without a name.