-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Builds using Go from nixpkgs are not bitwise identical to builds using official Go releases #125198
Comments
I just noticed this today as well, trying to get reproducible builds with Go working. I can reproduce with nixpkgs 6933d06, using the |
To be fair, this issue doesn’t break build reproducibility per se but ignores that the rest of the world uses official Go releases. So it’s almost impossible to reproduce Nixpkgs-Go-built binaries using standard toolchain and vice versa. That said, a gentle ping to @zowoq since you are the last committer. |
I think the best course would be to leave go1.16 in nixpkgs as is and instead start using the official builds for the upcoming go1.17 release. |
Unfortunately some of the patches that we apply aren't really well documented (https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/compilers/go/1.16.nix), specifically things like the SSL Cert patching - I'll go history diving soon if nobody gets to it before me - hopefully we can move closer to upstream source at least. |
I'm doing a quick read through of patches made on non-test files and I think I only see 2 things:
I went through history and seems like the first ever SSL patching were done in 1.7, which is understandable as upstream hard-coded the paths. However, starting 1.9, upstream supports overriding the paths through As for MIME Type and P.S. — I'm realizing that there are more non-test patches that we make, such as |
|
This change invokes bash interpreter directly on make.bash script. This allows using overrideAttrs with dontPatch set to true (but also doCheck set to false for Go 1.17) as a workaround for issue NixOS#125198. pkgs.go.overrideAttrs (prev: { dontPatch = true; }) pkgs.go_1_19.overrideAttrs (prev: { dontPatch = true; }) pkgs.go_1_18.overrideAttrs (prev: { dontPatch = true; }) pkgs.go_1_17.overrideAttrs (prev: { dontPatch = true; doCheck = false; })
Describe the bug
Programs built using Go 1.16.4 from nixpkgs are not bitwise identical to builds using official Go releases.
To Reproduce
Run the following steps on macOS, some Linux distro, Windows, etc. with Go 1.16.4 installed from official releases. E.g. download using
Then repeat the same steps using Go 1.16.4 from nixpkgs.
Ensure that Go builds are reproducible
Set up a simple Go module.
Run
go build
and verify checksum.Expected behavior
SHA sum is the same across all machines. Installing Go using Nix should not change that.
Actual behavior
When using Go 1.16.4 from nixpkgs the SHA sum is different.
At least for a simple “hello world” only Go Build ID is different. Edit: looking at the patches, that’s not limited to just build ID since there are some minor changes in standard library.
See also
golang/go#34186and https://github.com/golang/go/blob/3b770f2ccb1fa6fecc22ea822a19447b10b70c5c/src/cmd/go/internal/work/buildid.go#L22-L93Notify maintainers
I don’t think I should ping everyone in teams.golang.members.
The text was updated successfully, but these errors were encountered: