Is there a correct way to verify the source code of a blessed replica proposal now that the binaries are using compression?
For proposal 54964, the git commit is 0ef2aebde4ff735a1a93efa342dcf966b6df5061, and the release_package_sha256_hex hash specified in the proposal is
When I check out the ic repo at the commit 0ef2aebde4ff735a1a93efa342dcf966b6df5061 and build the code with the build commands in the readme, the build is successful, but the hashes are different from the one in the proposal.
How can I verify the source code of the replica?
The canister module GZip compression that I implemented recently is not related to this issue.
When I try to build the IC OS image from the same commit, I get yet another hash:
$ git status
HEAD detached at 0ef2aebd
$ ./gitlab-ci/tools/docker-run ./gitlab-ci/tools/build-ic
There might be an issue with the build reproducibility; I asked our release engineers for clarification.
Thanks. If I remember correctly, it is the extracted root.img file that is different.
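The verification asked about above is a hash comparison: the release_package_sha256_hex in the proposal is the SHA-256 of the published package, and a local build must produce the same bytes. The following is an added example, not DFINITY's own build or verification tooling, that does that comparison and, when two builds disagree, reports whether the difference is confined to the gzip envelope or is in the extracted image (the root.img case mentioned above). The packages are constructed in memory as stand-ins for real release artifacts; `make_package`, `verify_against_proposal` and `classify_mismatch` are names introduced here, not functions from the ic repo.

```python
"""Added example, not DFINITY's tooling: check a release package against the
release_package_sha256_hex from a proposal, and when two independent builds
disagree, localize the difference to the gzip envelope or to the image inside.
All packages are constructed in-memory stand-ins for real release artifacts.
"""
import gzip
import hashlib
import io


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the same form as release_package_sha256_hex in a proposal."""
    return hashlib.sha256(data).hexdigest()


def make_package(payload: bytes, mtime: int, name: str = "root.img") -> bytes:
    """Gzip `payload` with an explicit header mtime and filename.

    Stand-in for a built release package.  The gzip header stores mtime and
    the original filename, so two archives of byte-identical content can
    still differ byte-for-byte.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=name, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def inner_payload(package: bytes):
    """Decompress the package, or return None if it is not a gzip stream."""
    try:
        return gzip.decompress(package)
    except (OSError, EOFError):  # BadGzipFile is an OSError subclass
        return None


def verify_against_proposal(package: bytes, expected_hex: str) -> dict:
    """Compare a local build with the hash recorded in the proposal.

    The proposal hash covers the package exactly as published, so only the
    outer hash decides pass/fail.  The inner hash is reported alongside it so
    a mismatch can be narrowed down without re-running the build.
    """
    outer = sha256_hex(package)
    inner = inner_payload(package)
    return {
        "outer_match": outer == expected_hex.lower(),
        "outer_sha256": outer,
        "inner_sha256": sha256_hex(inner) if inner is not None else None,
    }


def classify_mismatch(build_a: bytes, build_b: bytes) -> str:
    """Explain how two independent builds of the same commit differ.

    'identical'      byte-for-byte equal, the reproducible case
    'envelope-only'  same image inside, different gzip header/stream
    'content'        the extracted image itself differs
    'undecodable'    at least one side is not a gzip stream
    """
    if build_a == build_b:
        return "identical"
    inner_a, inner_b = inner_payload(build_a), inner_payload(build_b)
    if inner_a is None or inner_b is None:
        return "undecodable"
    return "envelope-only" if inner_a == inner_b else "content"


# Constructed sample data: one "image" packaged three ways.
SAMPLE_IMAGE = b"constructed stand-in for the extracted root.img\n" * 64
BUILD_A = make_package(SAMPLE_IMAGE, mtime=0)
# Same image, different gzip header: only the envelope differs.
BUILD_B = make_package(SAMPLE_IMAGE, mtime=1_700_000_000)
# The image itself differs: a real content mismatch.
BUILD_C = make_package(SAMPLE_IMAGE + b"one line off\n", mtime=0)


def main() -> None:
    proposal_hash = sha256_hex(BUILD_A)  # plays the role of the proposal's hash
    for label, build in (("A", BUILD_A), ("B", BUILD_B), ("C", BUILD_C)):
        report = verify_against_proposal(build, proposal_hash)
        print(f"build {label}: outer_match={report['outer_match']} "
              f"inner={report['inner_sha256'][:16]}... "
              f"vs A: {classify_mismatch(BUILD_A, build)}")


if __name__ == "__main__":
    main()
```

An `envelope-only` result still fails proposal verification, since the proposal hash is over the published bytes; the classification only tells you where to look next. A `content` result, as with the differing root.img above, means the build itself is not reproducing, which is the case that needs the release engineers.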
I’m seeing the same thing when building for proposal 56257
the proposal hash is
at commit 3ad313dcda03e2db45e81d02c5f931fdf3bf5bc1
When I checkout 3ad313dcda03e2db45e81d02c5f931fdf3bf5bc1 and build on my machine:
@levi do you still see issues with reproducibility?
@sat 2e16bb didn’t match, 3d6fc11 matched, 07954f didn’t match, dcb2d23 matched, and c273e3a matched.
@sat 60222 commit: e7b57fc9
$ git status
HEAD detached at e7b57fc9
nothing to commit, working tree clean
@levi reproducibility is hard…
Our IDX team made some changes recently, so that might be why the last few releases worked better.
Would be awesome if you could continue checking in the future and ping me (DM is great) or respond to the announcement message if you get a mismatch.
For each release our team does multiple (say 5 or so) fully independent builds to verify reproducibility. But it’s still not a proof that there won’t be a mismatch in some case or on some system.
Sure, I’ll post on the new replica threads if there’s a mismatch.
Thanks for doing the hard (but critical) work of replica verification!