From c06b054f4ec19e77ce92df2fe30a4bab5b8e0ea7 Mon Sep 17 00:00:00 2001
From: Andrey Gruzdev
Date: Wed, 13 Mar 2024 16:40:45 +0100
Subject: [PATCH] add ensuring wasm reproducibility section
---
 neps/nep-0330.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/neps/nep-0330.md b/neps/nep-0330.md
index 5aa33b663..41645ec20 100644
--- a/neps/nep-0330.md
+++ b/neps/nep-0330.md
@@ -56,8 +56,8 @@ type Standard { } type BuildInfo { - build_environment: string, // reference to a reproducible build environment docker image, e.g., "docker.io/sourcescan/cargo-near@sha256:bf488476d9c4e49e36862bbdef2c595f88d34a295fd551cc65dc291553849471" or something else pointing to the build environment. When using a Docker image as a reference, it's important to specify the digest of the image to ensure reproducibility, since a tag could be reassigned to a different image. - source_code_snapshot: string, // reference to the source code snapshot that was used to build the contract, e.g., "git+https://github.com/near/cargo-near-new-project-template.git#9c16aaff3c0fe5bda4d8ffb418c4bb2b535eb420" or "ipfs://". It is important to have Cargo.lock inside the source code snapshot to ensure reproducibility. + build_environment: string, // reference to a reproducible build environment docker image, e.g., "docker.io/sourcescan/cargo-near@sha256:bf488476d9c4e49e36862bbdef2c595f88d34a295fd551cc65dc291553849471" or something else pointing to the build environment. + source_code_snapshot: string, // reference to the source code snapshot that was used to build the contract, e.g., "git+https://github.com/near/cargo-near-new-project-template.git#9c16aaff3c0fe5bda4d8ffb418c4bb2b535eb420" or "ipfs://". contract_path: string|null, // relative path to contract crate within the source code, e.g., "contracts/contract-one". Often, it is the root of the repository, so can be omitted. build_command: string[], // the exact command that was used to build the contract, with all the flags, e.g., ["cargo", "near", "build", "--no-abi"]. } 
@@ -69,6 +69,16 @@ In order to view this information, contracts must include a getter which will re function contract_source_metadata(): ContractSourceMetadata {} ``` +### Ensuring WASM Reproducibility + +#### Build Environment Docker Image + +When using a Docker image as a reference, it's important to specify the digest of the image to ensure reproducibility, since a tag could be reassigned to a different image. + +#### Cargo.lock + +It is important to have `Cargo.lock` inside the source code snapshot to ensure reproducibility. Example: https://github.com/near/core-contracts. + ## Reference Implementation As an example, consider a contract located at the root path of the repository, which was deployed using the `cargo near deploy --no-abi` and environment docker image `sourcescan/cargo-near@sha256:bf488476d9c4e49e36862bbdef2c595f88d34a295fd551cc65dc291553849471`. Its latest commit hash is `9c16aaff3c0fe5bda4d8ffb418c4bb2b535eb420`, and its open-source code can be found at `https://github.com/near/cargo-near-new-project-template`. This contract would then include a struct with the following fields: