Reproducible builds?

(Will Wilson) #1

The dream is that typing ‘make’ at a given source version will produce byte-for-byte identical versions of all the build artifacts. I don’t think we’re there yet. So I guess this is a few questions:

(1) Are container builds deterministic? Will running ‘docker build’ on the Dockerfile twice produce the same container? I think the answer used to be ‘yes’, but is now ‘no’, since some non-pinned dependencies have crept into the apt install line:

(2) If container builds are non-deterministic, would the FDB team consider pushing an “official” FDB development container to some public docker registry?

(3) Given a container, are builds of the native code within that container deterministic? Is the GCC version we use in the cross-compiler modern enough for that to even be possible? Are there other blockers to it?

Thanks guys!

(Ewan Higgs) #2

No. It hits the network and none of the files pulled down are checked for an etag.

AFAIK, deterministic container builds usually means that given a tagged container image, is the fdb build itself reproducible?
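
Added example, not part of the thread and not FoundationDB's own tooling: a small audit that reads a Dockerfile and lists the inputs both posts identify as sources of non-determinism, namely unpinned apt packages and network downloads with no integrity check, plus base images referenced by mutable tag. The sample Dockerfile, package versions, URLs and the finding names are constructed for illustration, and the "verified download" test is a heuristic.

```python
import re

# Constructed sample Dockerfile for illustration; not FoundationDB's real one.
SAMPLE = """\
FROM ubuntu:18.04
RUN apt-get update && \\
    apt-get install -y gcc=1.2.3-constructed cmake curl
RUN curl -L https://example.invalid/toolchain.tgz -o /tmp/t.tgz && \\
    tar -xzf /tmp/t.tgz
RUN curl -L https://example.invalid/boost.tgz -o /tmp/b.tgz && \\
    echo "PLACEHOLDER_DIGEST  /tmp/b.tgz" | sha256sum -c -
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments."""
    joined = re.sub(r"\\\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def audit(dockerfile):
    """Return (kind, detail) for each input that can differ between two builds."""
    findings = []
    for line in logical_lines(dockerfile):
        op, _, rest = line.partition(" ")
        op = op.upper()
        if op == "FROM":
            # Skip flags such as --platform; a tag is mutable, a digest is not.
            image = next((w for w in rest.split() if not w.startswith("--")), "")
            if "@sha256:" not in image:
                findings.append(("unpinned-base", image))
        elif op == "RUN":
            for cmd in re.split(r"&&|;", rest):
                words = cmd.split()
                if words and words[0] in ("apt", "apt-get") and "install" in words:
                    for pkg in words[words.index("install") + 1:]:
                        if not pkg.startswith("-") and "=" not in pkg:
                            findings.append(("unpinned-apt", pkg))
            # Heuristic: a download counts as verified only if the same RUN
            # instruction also runs a sha256sum/sha512sum check.
            if not re.search(r"\bsha(256|512)sum\b", rest):
                for url in re.findall(r"https?://\S+", rest):
                    findings.append(("unverified-download", url))
        elif op == "ADD" and rest.startswith(("http://", "https://")):
            findings.append(("unverified-download", rest.split()[0]))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```

An empty result only means these three classes of input are pinned; timestamps and other build-time variation inside the image are not checked.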