Reproducible builds for GNU/Linux #335
Merged
While most of the prerequisite work needed to achieve reproducible/deterministic builds on GNU/Linux was already completed with #329, this PR provides an additional hook in the `make_appimage` script that normalizes the file-permissions of resource files inside the AppDir directory. This results in deterministic AppImage builds across a wider range of hosts; assuming a recent release of Docker is installed and properly configured, running `make in-container` inside the Gridsync source tree at a specific git revision will now result in bit-for-bit identical AppImage outputs across differing underlying hosts (specifically Debian 10, Fedora 32, Ubuntu 20.04, Ubuntu 20.10, and Ubuntu 18.04, in my testing).

One exception to this appears to be with GitHub Actions' older OS images: while the build output of the `ubuntu-latest`/`ubuntu-20.04` environment appears to consistently match that of the others I've tested locally, GitHub Actions' `ubuntu-18.04` environment produces an altogether different output than any others -- due, perhaps, to some Azure-specific environmental factors that introduce additional variance into some part of the build process. It is hardly worth trying to debug this, however, since the `ubuntu-latest`/`ubuntu-20.04` outputs can already be independently verified against a fairly wide range of common GNU/Linux environments (and, besides, an environment that compiles software in ways that differ from the others is one that shouldn't be depended upon in the first place; being able to identify -- and avoid -- non-deterministic GNU/Linux build environments is precisely the purpose of this PR).
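The following is an added example, not code from this PR or from Gridsync: it shows why permission normalization matters for bit-for-bit output, by building the same constructed AppDir-like tree under two host umask values and comparing digests that cover mode bits as well as content. The function names, the 0o755/0o644 policy and the idea that umask is the source of the variance are all assumptions; the PR description does not state the cause.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def normalize_permissions(root):
    """Canonical modes (assumed policy): 0o755 for dirs and executables, 0o644 otherwise."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # chmod would follow the link; leave targets alone
            executable = os.stat(path).st_mode & stat.S_IXUSR
            os.chmod(path, 0o755 if executable else 0o644)

def tree_digest(root):
    """SHA-256 over relative path, mode bits and content of every entry, in sorted order."""
    digest = hashlib.sha256()
    root = Path(root)
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        digest.update(f"{path.relative_to(root)}\0{stat.S_IMODE(st.st_mode):o}\0".encode())
        if stat.S_ISREG(st.st_mode):
            digest.update(path.read_bytes())
    return digest.hexdigest()

def build_sample_appdir(root, umask):
    """Constructed AppDir-like tree, created as a host with the given umask would."""
    old = os.umask(umask)
    try:
        resources = Path(root, "usr", "share", "resources")
        resources.mkdir(parents=True)
        (resources / "icon.svg").write_text("<svg/>")
        launcher = Path(root, "AppRun")
        launcher.write_text("#!/bin/sh\nexec true\n")
        launcher.chmod(0o777 & ~umask)
    finally:
        os.umask(old)

def compare_hosts():
    """Return (identical_before, identical_after) for umask 022 vs 002 builds."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_sample_appdir(a, 0o022)
        build_sample_appdir(b, 0o002)
        before = tree_digest(a) == tree_digest(b)
        normalize_permissions(a)
        normalize_permissions(b)
        return before, tree_digest(a) == tree_digest(b)
```

The same comparison applied to two independently built AppImages (hashing the final artifact rather than a directory tree) is how a third party would verify a release against the published build.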