#31691: Go ldflags should set static build ID
--------------------------------------+--------------------------
 Reporter:  JeremyRand                |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by JeremyRand):

> Interesting. I wonder why we have not hit that issue yet.

I'm not 100% sure why Tor hasn't had problems with it; I can confirm that Namecoin is definitely having problems with it when using Tor's rbm projects; see https://github.com/namecoin/ncdns-repro/issues/57 . I can think of 2 plausible explanations for this:

1. Namecoin exercises cgo-related code paths in more interesting ways than Tor does, so maybe the build ID happens to be reproducible in Tor's setup when not using cgo in the ways that Namecoin does.
2. Namecoin uses `go install` to build the final binaries, whereas Tor uses `go install` only to build libraries and `go build` to build the final binaries, so maybe the build ID happens to be reproducible in Tor's setup when using `go build`, and possibly either the build ID isn't embedded into libraries at all, or no one has checked the libraries for reproducibility issues since the final executable output is still reproducible.

That said, the build ID is almost definitely nonreproducible even in Tor's usage when comparing rbm-built binaries to non-rbm-built binaries, because the build ID is partially dependent on the build path, which is consistent inside rbm but won't be consistent elsewhere. So, fixing this is useful to make it easier to audit the reproducibility of Tor's binaries via build platforms other than rbm (in addition to the fact that it seems to be needed for downstream projects like Namecoin to be reproducible at all, for some reason).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31691#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online