Deterministic build?
See original GitHub issueIt seems like we can specify a specific git revision in fips.yml
with rev
when we import dependencies, but the dependencies of the imported library is up to the library’s fips.yml
.
Is there a good way to ensure specific reversions so that we can get deterministic build if needed?
For example in Rust, Cargo.lock
file maintains a snapshot of dependency versions https://github.com/rust-lang-nursery/rls/blob/master/Cargo.lock and it’s encurraged to check-in Git repository for reproduciability.
Issue Analytics
- State:
- Created 6 years ago
- Comments:5 (2 by maintainers)
Top Results From Across the Web
An introduction to deterministic builds with C/C++ - Conan Blog
A deterministic build is a process of building the same source code with the same build environment and build instructions producing the ...
Read more >Deterministic build systems — reproducible-builds.org
The basics on how to make a build system deterministic can be summarized as: Ensure stable inputs. Ensure stable outputs. Capture as little...
Read more >Reproducible builds - Wikipedia
Reproducible builds, also known as deterministic compilation, is a process of compiling software which ensures the resulting binary code can be reproduced.
Read more >Deterministic builds - The Chromium Projects
A deterministic build is not something that happens naturally. It needs to be done. Swarming knows the relationship between an isolated test and...
Read more >Deterministic Builds - Continuous Integration - CircleCI
A deterministic build is one that can be run “live” at commit time, tomorrow, and even next month and end with the exact...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Yes I agree that a proper snapshot file would be better, especially together with “fips update” (which may be does the wrong thing at the moment). fips.yml is currently hardcoded, but I think the lock-file should not be a plain copy of fips.yml. fips.yml is more like a general project-config file, for instance besides imports (and exports) you can also put general values in there which can then be read by custom verb- or code-generator scripts.
It should be possible to override ‘sub-dependencies’ by listing them with their required versions in your top-level fips.yml before the dependency which imports those sub-dependencies.
Basically, fips should resolve dependencies in the order they are listed in fips.yml, depth-first, and it will not touch dependency-directories that already exists.
It’s a bit more work than the automatic lock-file snapshotting, but it should allow for the same level of control. If you try this let me know if this works, I did some changes to the dependency resolution fairly recently to ensure the right import-order, but the whole thing is a bit more complex than I’d like, there may be subtle bugs in it.