fix: turn off build IDs for reproducibility #7982
Conversation
There was a problem hiding this comment.
Hi @Rexogamer, thanks for submitting this PR as well as providing some context.
Could you please specify what's the exact problem that this PR tries to solve?
Looks like react-native uses the same flags but passes --build-id instead of --build-id=none: https://github.com/facebook/react-native/blob/87749470ccf596c5b3bc06fe46ba3239b684fd1b/packages/react-native/ReactAndroid/src/main/jni/CMakeLists.txt#L33
I think we can skip the comment and leave only the add_link_options(-Wl,--build-id) part if that helps.
| // Turn off build IDs for reproducibility (ensuring the same code will produce the same bundle when built) | ||
| // See https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids | ||
| // for more information | ||
| add_link_options( | ||
| -Wl,--build-id=none | ||
| ) |
There was a problem hiding this comment.
| // Turn off build IDs for reproducibility (ensuring the same code will produce the same bundle when built) | |
| // See https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids | |
| // for more information | |
| add_link_options( | |
| -Wl,--build-id=none | |
| ) | |
| add_link_options(-Wl,--build-id) |
| // Turn off build IDs for reproducibility (ensuring the same code will produce the same bundle when built) | ||
| // See https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids | ||
| // for more information | ||
| add_link_options( | ||
| -Wl,--build-id=none | ||
| ) |
There was a problem hiding this comment.
| // Turn off build IDs for reproducibility (ensuring the same code will produce the same bundle when built) | |
| // See https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids | |
| // for more information | |
| add_link_options( | |
| -Wl,--build-id=none | |
| ) | |
| add_link_options(-Wl,--build-id) |
|
the comments were added based on the feedback on the RNGH PR, but I don't mind removing them if you'd prefer that. the links explain the issue but tl;dr these build IDs mean the app provides a different output when compiled, even if everything code-wise is the same. this causes issues for apps that want to be "reproducible" (i.e. when built, they'll be identical if the code is the same - which can help to determine whether the app has been secretly tampered with or similar). the core line is strange - I ultimately left it alone for my patching because I got everything working without needing to touch it, but I too am curious if there's any reason they chose to include it. |
|
Thanks for additional explanation. I don't see a reason why third-party libs should use |
|
I'll mark this as a draft and see if there's a reason why RN sets this flag |
|
update: facebook/react-native#53089 has been merged, so this PR probably isn't needed? |
2 participants
Summary
see https://gitlab.com/IzzyOnDroid/repo/-/wikis/Reproducible-Builds/RB-Hints-for-Developers#no-funny-build-time-generated-ids for context.
see also software-mansion/react-native-gesture-handler#3602
Test plan
I've used these changes for a while with my own app.