问题
I work in a very regulated environment where we need to be able to produce identical binary input give the same source code every time be build out products. We currently use an ancient version of g++ that has been patched to not write anything like a date/time in the resulting binaries that would change from build to build, but I would like to update to g++ 4.7.2. Does anyone know of a patch, or have suggestions of what I need to look for to take two identical pieces of source code and produce identical binary outputs?
回答1:
We also depend on bit-identical rebuilds, and are using gcc-4.7.x.
Besides setting PWD=/proc/self/cwd and using -frandom-seed=<input-file-name>, there are a handful of patches, which can be found in svn://gcc.gnu.org/svn/gcc/branches/google/gcc-4_7 branch.
回答2:
The Debian Reproducible builds project attempts to standardize Debian packages byte-by-byte, and has received a Linux Foundation grant in 2016.
While this may include more than compilation, you should have a look at it.
It also pointed me to this article, which adds the following points to what @Employed said:
- put the source in a fixed folder (e.g.
/tmp/build) to deal with__FILE__ - for
__DATE__,__TIME__,__TIMESTAMP__:- libfaketime : https://github.com/wolfcw/libfaketime
- override those macros with
-D -Wdate-timeor-Werror=date-time: warn or fail if either__TIME__,__DATE__or__TIMESTAMP__are is used. The Linux kernel 4.4 uses it by default.
- use the
Dflag withar, or use https://github.com/nh2/ar-timestamp-wiper/tree/master to wipe stamps -fno-guess-branch-probability: older manual versions say it is a source of non-determinism, but not anymore. Not sure if this is covered by-frandom-seedor not.
Buildroot has a BR2_REPRODUCIBLE option which may give some ideas on the package level, but it is far from complete at this point.
Related threads:
- https://superuser.com/questions/639351/does-recompiling-a-program-produce-a-bit-for-bit-identical-binary
- https://www.quora.com/What-can-be-the-possible-reasons-for-the-object-code-of-an-unchanged-C-file-to-change-on-recompilation
回答3:
Use of the 'DATE' macro makes the build non-deterministic
来源:https://stackoverflow.com/questions/14653874/how-to-produce-deterministic-binary-output-with-g