11 votes

Perfectly reproducible, verified Go toolchains

1 comment

  1. first-must-burn

    This article is very detailed and interesting, but here is a quote I think will be relevant to people who don't want to read all the gory details:

    Removing these relevant inputs made it possible to cross-compile a Go toolchain from a different system without any loss in functionality. That in turn improved the supply chain security of the Go toolchain: we can now build Go toolchains for all target systems using a trusted Linux/x86-64 system, instead of needing to arrange a separate trusted system for each target. As a result, Go 1.21 is the first release to include posted binaries for all systems at go.dev/dl/.

    And this:

    It’s not enough to make Go toolchains reproducible once. We want to make sure they stay reproducible, and we want to make sure others can reproduce them easily.

    To keep ourselves honest, we now build all Go distributions on both a trusted Linux/x86-64 system and a Windows/x86-64 system. Except for the architecture, the two systems have almost nothing in common. The two systems must produce bit-for-bit identical archives or else we do not proceed with the release.

    In addition to explaining all the ins and outs of the non-determinism they removed, they go on to give a case study verifying the binaries being published by the Ubuntu distribution using a macOS toolchain and no Ubuntu tools or OS at all.

    Pretty fascinating overall. Work like this is one of the reasons I intend to continue to improve my Go dev skills.

    7 votes