Skip to content

Commit 3918552

Browse files
authored
Merge pull request #30187 from travisdowns/td-hermetic
bazel: make build byte-for-byte reproducible
2 parents 487beed + 5f19753 commit 3918552

5 files changed

Lines changed: 42 additions & 1 deletion

File tree

MODULE.bazel.lock

Lines changed: 7 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

bazel/repositories.bzl

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,8 @@ def data_dependency():
133133
http_archive(
134134
name = "openssl",
135135
build_file = "//bazel/thirdparty:openssl.BUILD",
136+
patches = ["//bazel/thirdparty:openssl-reproducible-buildinf.patch"],
137+
patch_args = ["-p1"],
136138
sha256 = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736",
137139
strip_prefix = "openssl-3.5.6",
138140
url = "https://vectorized-public.s3.amazonaws.com/dependencies/openssl-3.5.6.tar.gz",

bazel/thirdparty/hwloc.BUILD

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,9 +33,17 @@ configure_make(
3333
# Build a static library
3434
"--disable-shared",
3535
"--enable-static",
36+
37+
# Use a fixed runstatedir so the autoconf-derived path doesn't embed
38+
# the sandbox directory into compiled objects.
39+
"--runstatedir=/var/run/hwloc",
3640
],
3741
env = {
3842
"HWLOC_BUILD_JOBS": "$(BUILD_JOBS)",
43+
# Remap the sandbox root in __FILE__ expansions so that inlined
44+
# headers (helper.h, plugins.h) produce deterministic assert strings.
45+
"CFLAGS": "-ffile-prefix-map=$$EXT_BUILD_ROOT=.",
46+
"CXXFLAGS": "-ffile-prefix-map=$$EXT_BUILD_ROOT=.",
3947
},
4048
lib_source = ":srcs",
4149
out_binaries = [
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl
2+
index abcdef1..1234567 100644
3+
--- a/util/mkbuildinf.pl
4+
+++ b/util/mkbuildinf.pl
5+
@@ -11,6 +11,16 @@ use warnings;
6+
my $platform = pop @ARGV;
7+
my $cflags = join(' ', @ARGV);
8+
$cflags =~ s(\\)(\\\\)g;
9+
+
10+
+# Strip sandbox/build-root absolute paths so the output is reproducible
11+
+# across different Bazel output bases and sandbox instances. Note: the
12+
+# cflags modified here are only embedded as a diagnostic string (shown by
13+
+# `openssl version -a`), not used for actual compilation.
14+
+my $ebr = $ENV{'EXT_BUILD_ROOT'} // '';
15+
+if ($ebr ne '') {
16+
+ $cflags =~ s/\Q$ebr\E\/?/./g;
17+
+}
18+
+
19+
$cflags = "compiler: $cflags";
20+
21+
# Use the value of the envvar SOURCE_DATE_EPOCH, even if it's

bazel/thirdparty/openssl.BUILD

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,10 @@ configure_make(
6767
}),
6868
env = {
6969
"OPENSSL_BUILD_JOBS": "$(BUILD_JOBS)",
70+
# Pin the build timestamp to epoch 0 for reproducible builds.
71+
# Without this, mkbuildinf.pl embeds the current time into
72+
# crypto/buildinf.h.
73+
"SOURCE_DATE_EPOCH": "0",
7074
},
7175
lib_source = ":srcs",
7276
out_binaries = [

0 commit comments

Comments
 (0)