Epic: Support reproducible builds #1506

Open
8 tasks
ychin opened this issue Oct 22, 2024 · 0 comments
Labels
Epic Large tasks to be split up into smaller chunks Infrastructure Non-app infrastructure issues, e.g. CI

Comments

@ychin
Member

ychin commented Oct 22, 2024

We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.

Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely to be a high-value target, it's still useful to reduce the likelihood of such a problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.

Note that we distribute signed apps, which are signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to use a script to re-sign the app to an ad-hoc signature (basically a signature without any cryptographic proof that is used for local compiles) before comparing.

  • Use relative paths for debug symbols and reproducible linker flags when building Vim
  • Use SOURCE_DATE_EPOCH to make builds not dependent on date/time.
  • Add documentation, and refactor build scripts (also necessary when adding another CI system) to make it easier to build locally with the same flags.
  • Add CI output artifacts that contain necessary environment info.
  • Add script to re-sign with ad-hoc signature and compare the results.
  • CI test to validate reproducible builds.
  • Test in older versions of Xcode to make sure nothing broke.

Related:

  • Add support for exporting dSYM files as part of build steps. These contain debug symbols and help diagnose crash issues for users. Make sure to use relative paths as it's necessary for reproducibility.
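The following script is an added example of the workflow the task list above describes; it is not MacVim's own build scripting and was not posted by the issue author. It exports a deterministic build environment (SOURCE_DATE_EPOCH from the commit date, ZERO_AR_DATE for static archives, and -fdebug-prefix-map so debug symbols carry relative paths), re-signs both the published release and a local build with an ad-hoc identity, and compares the two bundles through a sorted SHA-256 manifest that CI can also publish as an artifact. The function names (build_env, adhoc_resign, bundle_manifest, compare_bundles) and the idea of comparing via a manifest are assumptions of this example; the clang and codesign options are real, but whether they are sufficient for MacVim's build is exactly what the issue's CI test would have to establish. codesign exists only on macOS, so the re-signing step is skipped elsewhere; the manifest and comparison code is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not MacVim's own build scripts. Function names and default
# paths are assumptions of this example.
set -u

# Environment the compile step needs in order to be deterministic.
# SOURCE_DATE_EPOCH is taken from the commit being built so every builder
# embeds the same timestamp; ZERO_AR_DATE stops ar/libtool stamping static
# archives; -fdebug-prefix-map keeps the absolute build directory out of the
# debug info (the "relative paths for debug symbols" task). Meant to be
# exported by the build script.
build_env() {
  epoch=$(git log -1 --pretty=%ct 2>/dev/null || echo 0)
  echo "SOURCE_DATE_EPOCH=$epoch"
  echo "ZERO_AR_DATE=1"
  echo "CFLAGS=-fdebug-prefix-map=$(pwd)=."
}

# One manifest entry: SHA-256 for a regular file, the link target for a
# symlink (framework bundles contain Versions/Current links).
entry_digest() {
  if [ -L "$1" ]; then
    printf 'symlink:%s' "$(readlink "$1")"
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1   # macOS ships shasum, not sha256sum
  fi
}

# Sorted manifest of every file and symlink under a bundle, paths relative to
# the bundle root. Publishing this from CI lets a third party check a local
# build without downloading and re-signing the release.
bundle_manifest() {
  (cd "$1" && find . \( -type f -o -type l \) | LC_ALL=C sort |
    while IFS= read -r f; do
      printf '%s  %s\n' "$(entry_digest "$f")" "$f"
    done)
}

# Replace whatever signature a bundle carries with an ad-hoc one (identity
# "-"). The release is signed with the maintainer's key while a local build
# is ad-hoc signed or unsigned, so both are brought to the same state first.
# --force overwrites the existing signature; --deep also re-signs nested code
# such as bundled frameworks. Works in place: run it on a copy.
adhoc_resign() {
  codesign --force --deep --sign - "$1"
}

# Compare two bundles by manifest. Returns 0 when identical, prints the
# differing entries and returns 1 otherwise, 2 if a bundle is missing.
compare_bundles() {
  if [ ! -d "$1" ] || [ ! -d "$2" ]; then
    echo "compare_bundles: missing bundle" >&2
    return 2
  fi
  m1=$(mktemp)
  m2=$(mktemp)
  bundle_manifest "$1" > "$m1"
  bundle_manifest "$2" > "$m2"
  if cmp -s "$m1" "$m2"; then rc=0; else diff "$m1" "$m2" || true; rc=1; fi
  rm -f "$m1" "$m2"
  return $rc
}

# Usage: compare_release.sh <release MacVim.app> <local MacVim.app>
# Both bundles are copied to a scratch directory, re-signed ad-hoc where
# codesign exists, and compared.
main() {
  work=$(mktemp -d)
  cp -R "$1" "$work/release.app"
  cp -R "$2" "$work/local.app"
  if command -v codesign >/dev/null 2>&1; then
    adhoc_resign "$work/release.app"
    adhoc_resign "$work/local.app"
  fi
  compare_bundles "$work/release.app" "$work/local.app"
  rc=$?
  rm -rf "$work"
  return $rc
}

if [ $# -eq 2 ]; then main "$@"; fi
```

A manifest that differs only in the Mach-O binaries after both sides were re-signed points at the compiler or linker inputs (timestamps, absolute paths, build flags) rather than at signing, which is the case the environment from build_env is meant to remove; a difference in Info.plist or resources is usually a packaging-step problem and is easier to chase down from the manifest diff than from a raw binary diff.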
ychin added the Infrastructure and Epic labels on Oct 22, 2024