Crystal: Add a compile-time flag to strip paths from the binary.

Created on 10 Feb 2020  路  8Comments  路  Source: crystal-lang/crystal

Currently, binaries can't be build as reproducible.
For example, build this code in two different directory.

require "yaml"

yaml = <<-YAML
foo: 123
YAML

struct Test
  YAML.mapping(
    bar: Int32
  )
end

Test.from_yaml yaml

You get different binaries with different hash sums.
Missing yaml attribute: bar .... to Int32 failed, at /home/user/tmp/src/main.cr:4:3:98 - this path should be stripped from binary file.
Even if you move all code into method and add rescue to catch all exceptions.

picture MrSorcus

Most helpful comment

On the other hand... https://banzaicloud.com/blog/go-1-13-favorite-features/

So I think this is probably good, but it's very low priority.

picture asterite on 11 Feb 2020
1 👍1

All 8 comments

These paths are debug information. You can skip that with --no-debug compiler flag. But then you're obviously lacking debug information, which might not be a perfect solution.
So yeah, in order to be reproducible, a binary must be built from the same working directory path.
IMO that seems like a legitimate requirement.
Why is that an issue to you?

straight-shoota picture straight-shoota on 10 Feb 2020

Alternatively, you could use the strip utility (or similar tools) to remove debug information from an executable. That has a similar effect (and some other consequences as well). Maybe that could be useful to you, for example to build and distribute with debug information, but calculate hashs of the stripped binary. Of course that inserts strip as a component into the reproducibility tool chain.

straight-shoota picture straight-shoota on 10 Feb 2020

These paths are debug information. You can skip that with --no-debug compiler flag. But then you're obviously lacking debug information, which might not be a perfect solution.
So yeah, in order to be reproducible, a binary must be built from the same working directory path.
IMO that seems like a legitimate requirement.
Why is that an issue to you?

Maybe i'm doing something wrong, but paths still exists even with --no-debug.
crystal build --release --no-debug main.cr - still contain paths.
I just get a warning, when packaging script with PKGBUILD.

==> WARNING: Package contains reference to $srcdir
usr/bin/main
MrSorcus picture MrSorcus on 10 Feb 2020

I see. That seems to be from the message of a TypeCastError which includes the source location. This message i created by the compiler explicitly and not subject to --no-debug (which AFAIK is finally handled by LLVM).

straight-shoota picture straight-shoota on 10 Feb 2020

For example if you compile a go program the same happens, the path is there in the binary.

Is there a use case for this?

asterite picture asterite on 11 Feb 2020

For example if you compile a go program the same happens, the path is there in the binary.

Is there a use case for this?

Only reproducible builds i assume.
And maybe if path contains sensitive data (like user's name) somebody can brute-force a password for this user on build server. Haha.

MrSorcus picture MrSorcus on 11 Feb 2020
👍1

On the other hand... https://banzaicloud.com/blog/go-1-13-favorite-features/

So I think this is probably good, but it's very low priority.

asterite picture asterite on 11 Feb 2020
1 👍1

A trivial solution would be to use only paths relative to CRYSTAL_PATH.

straight-shoota picture straight-shoota on 11 Feb 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pbrusco picture pbrusco  路  3Comments
lbguilherme picture lbguilherme  路  3Comments
oprypin picture oprypin  路  3Comments
Papierkorb picture Papierkorb  路  3Comments
asterite picture asterite  路  3Comments