reproducible builds

Bug #1740695 reported by Be
Affects: Mixxx
Status: New
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

We distribute binaries that are downloaded millions of times. We should be able to be certain that the binaries have not been compromised. We can only be sure if our builds are 100% reproducible: https://reproducible-builds.org/

Be (be.ing)
Changed in mixxx:
milestone: none → 2.2.0
importance: Undecided → Medium
Revision history for this message
Sébastien BLAISOT (sblaisot) wrote :

A 100% bit-to-bit reproducible build under Windows using MSVS seems an impossible goal because the executable itself contains (at least) the build date.

Revision history for this message
Be (be.ing) wrote :

Someone made a tool to fix that: https://github.com/jasonwhite/ducible
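To make the build-date point above concrete, here is an added Python check (not code from this thread, from Mixxx or from ducible) that reads IMAGE_FILE_HEADER.TimeDateStamp from two PE images and tells whether they differ only in that field or elsewhere too. The minimal PE-like blob it builds is constructed for the demo; a real MSVC binary also carries the timestamp in other places (e.g. the debug directory), so "timestamp-only" here is a necessary check, not proof of reproducibility.

```python
import hashlib
import struct

# Within the COFF header: Machine(2) + NumberOfSections(2) precede TimeDateStamp(4).
COFF_TIMESTAMP_OFFSET = 4


def _coff_header_offset(data: bytes) -> int:
    """Return the file offset of the COFF header (just after the 'PE\\0\\0' signature)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp, the link-time date the MSVC linker writes."""
    off = _coff_header_offset(data) + COFF_TIMESTAMP_OFFSET
    return struct.unpack_from("<I", data, off)[0]


def sha256_masking_timestamp(data: bytes) -> str:
    """SHA-256 of the image with only the COFF TimeDateStamp field zeroed."""
    off = _coff_header_offset(data) + COFF_TIMESTAMP_OFFSET
    masked = bytearray(data)
    masked[off:off + 4] = b"\0\0\0\0"
    return hashlib.sha256(masked).hexdigest()


def compare_builds(a: bytes, b: bytes) -> str:
    """Classify two builds of the same source: 'identical', 'timestamp-only' or 'different'."""
    if a == b:
        return "identical"
    if sha256_masking_timestamp(a) == sha256_masking_timestamp(b):
        return "timestamp-only"
    return "different"


def make_sample_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-like blob: MZ stub, e_lfanew=64, PE signature, 20-byte COFF header."""
    mz_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    # Machine=x64, 1 section, TimeDateStamp, no symbols, no optional header, flags.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return mz_stub + b"PE\0\0" + coff + body


if __name__ == "__main__":
    first = make_sample_pe(1500000000, b"same code")
    second = make_sample_pe(1500000100, b"same code")
    print(pe_timestamp(first), compare_builds(first, second))
```

On real files, read both binaries with `open(path, "rb").read()` and pass them to `compare_builds`.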

Revision history for this message
Sébastien BLAISOT (sblaisot) wrote :

Here are the things I can think of:

* We will need to set buildtime=0 for scons to avoid including the build date/time in the executable:
https://github.com/mixxxdj/mixxx/blob/master/src/util/version.cpp#L152,L154

* We will need to fix that: https://github.com/mixxxdj/mixxx/blob/master/src/SConscript#L59

* We need to ensure that third-party code (like included libs, Qt, etc.) all have reproducible builds (remember that at least Windows builds are statically linked)

* This should be seen as reproducible executables, not reproducible packages, because packaging (under Windows) necessarily adds some random stuff like unique GUIDs that are based on the building machine id + date/time: https://github.com/mixxxdj/mixxx/blob/master/src/SConscript#L684,L692
Uniqueness across builds is mandatory here to ensure a proper upgrade path between versions.

Revision history for this message
RJ Skerry-Ryan (rryan) wrote :

I'm all for reproducible builds, but is this feasible for 2.2? It's quite a big project -- particularly b/c our dependencies need to be reproducible and we have a lot of dependencies.

Be (be.ing)
Changed in mixxx:
milestone: 2.2.0 → none
Changed in mixxx:
importance: Medium → Wishlist
Revision history for this message
Swiftb0y (swiftb0y) wrote :

Mixxx now uses GitHub for bug tracking. This bug has been migrated to:
https://github.com/mixxxdj/mixxx/issues/9039
