Software:Deterministic compilation

From HandWiki

Deterministic compilation, also known as reproducible builds, is a process of compiling software that ensures the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always produce the same binary.[1][2] Deterministic compilation can act as part of a chain of trust;[1] the source code can be signed, and deterministic compilation can prove that the binary was compiled from trusted source code.

Methods

For the compilation process to be deterministic, the input to the compiler must be the same, regardless of the build environment used. This typically involves stripping variables that may change, such as timestamps, locales, and paths.

Build systems, such as Bazel and Gitian,[3] can be used to automate a deterministic build process.
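
The normalization described above, applied to a small archive build. This is an added example, not code from Bazel, Gitian or any cited project; the file names and helper functions are constructed for illustration, and the fixed timestamp is read from `SOURCE_DATE_EPOCH`, an environment variable convention assumed here because the page does not name one.

```python
import gzip, hashlib, io, os, tarfile, tempfile

def make_tree(root, mtime):
    """Write the same two (constructed) source files under root, stamped with mtime."""
    for name, body in (("b.txt", b"beta\n"), ("a.txt", b"alpha\n")):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

def pack(root, normalize):
    """Build a .tar.gz from root in memory and return its SHA-256 digest."""
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        # Directory listing order is filesystem-dependent; sort it when normalizing.
        names = sorted(os.listdir(root)) if normalize else os.listdir(root)
        for name in names:
            full = os.path.join(root, name)
            # Naive build embeds the build path; normalized build uses a relative name.
            info = tar.gettarinfo(full, arcname=name if normalize else full)
            if normalize:
                info.mtime = epoch              # strip file timestamps
                info.uid = info.gid = 0         # strip builder identity
                info.uname = info.gname = ""
                info.mode = 0o644               # strip umask differences
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    out = io.BytesIO()
    # The gzip header carries its own timestamp; mtime=None means "now".
    gz_mtime = epoch if normalize else None
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()

def build_twice(normalize):
    """Build in two different directories whose files carry different timestamps."""
    digests = []
    for mtime in (1_000_000_000, 1_500_000_000):
        with tempfile.TemporaryDirectory() as root:
            make_tree(root, mtime)
            digests.append(pack(root, normalize))
    return digests

if __name__ == "__main__":
    print("naive:     ", build_twice(False))
    print("normalized:", build_twice(True))
```

The naive digests differ because the archive records the temporary build path and file timestamps; the normalized digests match, so an independent rebuild can be compared against a published hash.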

History

One of the first projects to promote reproducible builds was the Bitcoin project with Gitian. Later, in 2013, the Tor anonymity network project started using Gitian for its reproducible builds.[4]

References

  1. "reproducible-builds.org". https://reproducible-builds.org. "Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers....build system needs to be made entirely deterministic: transforming a given source must always create the same result."
  2. Ratliff, Emily (4 April 2016). "Establishing Correspondence Between an Application and its Source Code | SecurityWeek.com". SecurityWeek. http://www.securityweek.com/establishing-correspondence-between-application-and-its-source-code.
  3. "Gitian: a secure software distribution method". https://gitian.org/.
  4. Deterministic Builds Part Two: Technical Details. October 04, 2013
