Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cirrus: Test each project for reproducibility #102

Open
JeremyRand opened this issue Mar 29, 2021 · 1 comment
Open

Cirrus: Test each project for reproducibility #102

JeremyRand opened this issue Mar 29, 2021 · 1 comment

Comments

@JeremyRand
Copy link
Member

Based on past experience, I don't think anyone at Tor is auditing their intermediate projects for reproducibility. Making Cirrus test these projects' reproducibility would be highly useful.
@JeremyRand
Copy link
Member Author

Basically this could be done by the following logic:

When we check whether an output file already exists (when deciding whether to build it), we also check whether ${OUTPUT_FILE.sha256.1} exists. If we are to build the output file and the sha256.1 file doesn't exist, then we build the output file (this is the first run), and save its hash to the sha256.1 file. If the sha256.1 file does exist, then we build the output file again (this is the second run), and compare the output file's hash to the sha256.1 file. If it matches, we delete the sha256.1 file and proceed as usual to the next project. If it doesn't match, we fail the build (meaning the binary won't get saved to the cache).

Note that the download task will delete any stray sha256.1 files that are leftover, so we can't rely on them being present from previous builds.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JeremyRand