Replies: 5 comments 7 replies
-
|
I have scores of my own tools in nuget.org, so this seems like something I should learn. What exactly does "NuGet.org will use deterministic builds metadata for validating packages" mean? My view of nuget.org is a secure file server. When I upload a .nupkg and .snupkg to nuget.org, I've already made sure I did the build in a standardized virtual OS environment, already did my exhaustive tests to know that it works, and checked via a round trip fetch gives the same file. Doesn't nuget.org keep checksums on the files I uploaded, doesn't it disallow for these files to be mutated by someone, and the files in an msbuild or dotnet install are validated with a checksum with those critical tools? Nuget does not have my sources, nor does it know my build env or how I do the build. |
Beta Was this translation helpful? Give feedback.
-
|
As you mentioned, "build in a standardized virtual OS environment" part is up to the developer. NuGet.org does not prevent anyone from building and publishing a package from a source other than the one provided in the metadata. Microsoft wants to change it for at least Open Source projects with a combination of SourceLink and Deterministic Builds. In the future, NuGet.org will be able to read package's metadata and verify that it was built from the specified source. |
Beta Was this translation helpful? Give feedback.
-
|
I use nuget to create artifacts when I release since I can't figure it out locally. haha |
Beta Was this translation helpful? Give feedback.
-
|
The enabling of Deterministic Builds should be quite easy:
The package does not necessarily need to be built in CI, |
Beta Was this translation helpful? Give feedback.
-
|
I'm trying to see how this prevents some typical blunders I might make. So, I wanted to see if this helps solve something I learned 40 years ago: the need to build in a standard environment directly from version control in order to actually have a "reproducible build". I created a library from scratch (
Can a deterministic NET build prevent unchanged files from being used in building a .nupkg that I updated to nuget.org? What am I missing here? |
Beta Was this translation helpful? Give feedback.
-
|
I believe .NET SDK does not warn you about some blunders you've described (yet). What .NET SDK deterministic builds does already is the following:
The NuGet.org server will be able to read SourceLink information and compiler flags, reproduce builds, and check that published assemblies are byte-wise identical. The verified packages will get some special trusted status on NuGet.org. So, for now you can think about deterministic builds in .NET SDK not as a tool to help you avoid some blunders while developing locally, but as an attempt to create a subset of trusted verifiable packages in the NuGet ecosystem. A side note about SourceLink. It also helps consumers to debug library code, since SourceLink adds links to the original source files in debug symbols. Visual Studio (and I believe Rider too) can automatically download source files from repository when stepping into SourceLink-enabled library's code. Here is an article on this feature: https://devblogs.microsoft.com/dotnet/improving-debug-time-productivity-with-source-link/ |
Beta Was this translation helpful? Give feedback.
-
I think there is a bit of a misconception here. Deterministic builds is simply the property that given the same input a build tool will produce the same output (byte for byte). This is the default for .NET SDK style projects as it's an inherent property of the C# compiler. This thread seems to be concerned more with reproducible builds. That is effectively the ability for two different developers or environments to get the same output (byte for byte) for a given build. That relies on the underlying build tool being deterministic. But it is primarily concerned with making sure the inputs to the build are the same in both cases. For compilers that typically comes down to path normalization, ensuring you have the same compiler, etc ...
Nothing is needed to enable deterministic roslyn builds. That is the default. |
Beta Was this translation helpful? Give feedback.
-
|
Smells like OSGI ;-)
… Le 19 janv. 2022 à 04:21, Gleb Krasilich ***@***.***> a écrit :
I believe .NET SDK does not warn you about some blunders you've described (yet). What .NET SDK deterministic builds does already is the following:
Enables deterministic compilation for Roslyn compiler as described here <https://github.com/dotnet/roslyn/blob/main/docs/compilers/Deterministic%20Inputs.md>.
Embeds compiler flags into assembly metadata. In other words, resulting assembly will contain the full information about how it was built (the full list of parameters passed to Roslyn's csc.exe).
Checks that SourceLink information is well-formed.
The NuGet.org server will be able to read SourceLink information and compiler flags, reproduce builds, and check that published assemblies are byte-wise identical. The verified packages will get some special trusted status on NuGet.org.
So, for now you can think about deterministic builds in .NET SDK not as a tool to help you avoid some blunders while developing locally, but as an attempt to create a subset of trusted verifiable packages in the NuGet ecosystem.
A side note about SourceLink. It also helps consumers to debug library code, since SourceLink adds links to the original source files in debug symbols. Visual Studio (and I believe Rider too) can automatically download source files from repository when stepping into SourceLink-enabled library's code. Here is an article on this feature: https://devblogs.microsoft.com/dotnet/improving-debug-time-productivity-with-source-link/ <https://devblogs.microsoft.com/dotnet/improving-debug-time-productivity-with-source-link/>
—
Reply to this email directly, view it on GitHub <#3498 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZNQJBDXN7YNXW6KRXL4LTUWYU4RANCNFSM5MHF5Z3A>.
You are receiving this because you are subscribed to this thread.
|
Beta Was this translation helpful? Give feedback.
-
|
Adding to my confusion, I read the information on the C# compiler deterministic builds. https://github.com/dotnet/roslyn/blob/main/docs/compilers/Deterministic%20Inputs.md But, then I try to verify the claim Even after adding several permuations of the element Sure, I do get an identical .dll if I do a
Is there an example that demonstrates identical dll's built for the same source on two different paths? |
Beta Was this translation helpful? Give feedback.
-
The full path of source files in the build is part of the deterministic input to a compilation. Hence the expectation is building the same code at different root locations will produce different output. If it produced the same output that would be a bug.
This likely means you've setup the This goes through extensive testing in our repositories. The entire Roslyn code base is built using the latest compiler on different drives using path map and verifies that every assembly is byte for byte identical. This happens on every PR into the compiler.
When doing a deterministic build time stamps are not used. Yes the PE file format has an explicit location for timestamps but in determinitsic mode we write a determistic value to that field which is not a real timestamp.
https://gist.github.com/jaredpar/c07ab29a4f323aef9386a80559bf2d78 That is a log of my powershell console doing the following:
|
Beta Was this translation helpful? Give feedback.
-
|
@jaredpar Thanks for the info Jared. This helps a lot. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, I can't duplicate this. I even created the same directory structure--paying close attention to every character in the path, executed exactly the same commands (esp. |
Beta Was this translation helpful? Give feedback.
-
The original discussion: https://groups.google.com/g/antlr-discussion/c/DAuWTC1tmrE/m/atKoQx2bAQAJ
Beta Was this translation helpful? Give feedback.
All reactions