Deterministic compilation
Deterministic compilation, also known as reproducible builds, is a process of compiling software which ensures the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always output the same binary.[1][2]
Deterministic compilation can act as part of a chain of trust;[1] the source code can be signed, and deterministic compilation can prove that the binary was compiled from trusted source code.
Methods
For the compilation process to be deterministic, the input to the compiler must be the same, regardless of the build environment used. This typically involves stripping variables that may change, such as timestamps, locales, and paths.
Build systems, such as Bazel, can be used to automate a deterministic build process.
References
- 1 2 "reproducible-builds.org". reproducible-builds.org. Archived from the original on 20 May 2016. Retrieved 22 August 2016.
Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers....build system needs to be made entirely deterministic: transforming a given source must always create the same result.
- ↑ Ratliff, Emily (4 April 2016). "Establishing Correspondence Between an Application and its Source Code | SecurityWeek.com". www.securityweek.com. SecurityWeek. Archived from the original on 20 September 2016. Retrieved 22 August 2016.