Some 2.35.0 release assets are not reproducible

Question

Some 2.35.0 release assets are not reproducible

Closed this issue a month ago · 4 comments

I was trying to create reproducible builds for mold, and noticed that the release assets mold-2.35.0-{riscv64,s390x,x86_64}-linux.tar.gz from release 2.35.0 are different from the ones created in the "Build all tarballs" CI run. (The aarch64, arm, ppc64le tarballs are identical and reproducible, though.) Is that intentional? And if so, can you share what was changed? Thanks!

$ sha256sum ci-artifacts/*.tar.gz
321e28e981ad0ea9a14e429f077a736813c7d7f36adbe871010bb45c7f09af23  ci-artifacts/mold-2.35.0-aarch64-linux.tar.gz
4a482902ccd5f81948163c45cf0a3b9b28d2131dee6b1396a3ba6b39ab6a1f8d  ci-artifacts/mold-2.35.0-arm-linux.tar.gz
a3b9305992033dace45539684d90c4f0754067907bb8a5b3d97b238e9c528a78  ci-artifacts/mold-2.35.0-ppc64le-linux.tar.gz
743dbde7dfbfc7361648b0f0b54a5f5ac022f9197af2d513a3f351744bb952a3  ci-artifacts/mold-2.35.0-riscv64-linux.tar.gz
e75b4fec9f20c2a72ba71e2f877343ee02422cb836fd90dbfdf0f26d0ca70a5d  ci-artifacts/mold-2.35.0-s390x-linux.tar.gz
c16db5a14a9c5ccc5f59b83efd825ae32390be5f73a4b16dfd6d55ad16430486  ci-artifacts/mold-2.35.0-x86_64-linux.tar.gz
$ sha256sum release-assets/*.tar.gz
321e28e981ad0ea9a14e429f077a736813c7d7f36adbe871010bb45c7f09af23  release-assets/mold-2.35.0-aarch64-linux.tar.gz
4a482902ccd5f81948163c45cf0a3b9b28d2131dee6b1396a3ba6b39ab6a1f8d  release-assets/mold-2.35.0-arm-linux.tar.gz
a3b9305992033dace45539684d90c4f0754067907bb8a5b3d97b238e9c528a78  release-assets/mold-2.35.0-ppc64le-linux.tar.gz
55e588776237b45745a3ae440811c50d8bcd949ac53fbddb8ac5be6f808018a9  release-assets/mold-2.35.0-riscv64-linux.tar.gz
9de3db738e12e8973294aca8ca7d1a8dde1edfb901d4a39a51c00030b2c12788  release-assets/mold-2.35.0-s390x-linux.tar.gz
91a24cbf508aa8c50731dc4fb6cf5b5e09f186008029b3ab95bcd98b2b9a7972  release-assets/mold-2.35.0-x86_64-linux.tar.gz

Answer 1 · 2024-12-08T12:43:01.000Z

Hmm, that's totally unexpected. Let me rebuild the tarballs to see that the hash will randomly change.

Answer 2 · 2024-12-08T12:49:40.000Z

This release was built with --icf=safe, and it looks like that option is the source of the randomness. It's not limited to mold itself, but in general that option makes output indeterministic. Let me fix that.

Answer 3 · 2024-12-08T12:53:15.000Z

FWIW, my builds were all identical to the CI-produced ones, so that may not be a problem with ICF?

321e28e981ad0ea9a14e429f077a736813c7d7f36adbe871010bb45c7f09af23  mold-2.35.0-aarch64-linux.tar.gz
4a482902ccd5f81948163c45cf0a3b9b28d2131dee6b1396a3ba6b39ab6a1f8d  mold-2.35.0-arm-linux.tar.gz
a3b9305992033dace45539684d90c4f0754067907bb8a5b3d97b238e9c528a78  mold-2.35.0-ppc64le-linux.tar.gz
743dbde7dfbfc7361648b0f0b54a5f5ac022f9197af2d513a3f351744bb952a3  mold-2.35.0-riscv64-linux.tar.gz
e75b4fec9f20c2a72ba71e2f877343ee02422cb836fd90dbfdf0f26d0ca70a5d  mold-2.35.0-s390x-linux.tar.gz
c16db5a14a9c5ccc5f59b83efd825ae32390be5f73a4b16dfd6d55ad16430486  mold-2.35.0-x86_64-linux.tar.gz

Answer 4 · 2024-12-08T12:55:41.000Z

I don't know, but CI is as an environment a bit special. IIRC, it has only two cores. So the randomness may be limited on CI. The fact that you could reproduce my tarballs is good, as it is a proof that my builds were built from the corresponding source tree, though.