Bug #15890 (Closed)
psych.so is not deterministic
Description
psych.so is not binary identical across builds (its hash changes), as the order of its sources is random.
You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230
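The effect described above, as an added illustration that is not code from the reporter or from the psych project: it assumes the extconf.rb pattern is a `Dir.glob` of the C sources mapped through `File.basename`, and it stands in for the filesystem with two constructed listings of the same files in different orders (the kind of variation `Dir.glob` can show between hosts). The link command line, and so the resulting shared object, is fingerprinted with SHA-256 once with the unsorted list and once with the `.sort` that lib/mkmf.rb already applies.

```ruby
require "digest"

# Constructed sample: the same set of psych sources as two build hosts might
# enumerate them. Dir.glob's order is filesystem-dependent, so the same files
# can come back in a different order on another host or another run.
LISTING_A = %w[yaml/api.c yaml/dumper.c yaml/emitter.c yaml/loader.c
               yaml/parser.c yaml/reader.c yaml/scanner.c yaml/writer.c].freeze
LISTING_B = LISTING_A.reverse.freeze # same files, different enumeration order

# Assumed unsorted pattern: $srcs = Dir.glob(...).map { |n| File.basename(n) }
def srcs_unsorted(listing)
  listing.map { |f| File.basename(f) }
end

# The fix: sort the basenames before they reach the Makefile, as mkmf.rb does.
def srcs_sorted(listing)
  listing.map { |f| File.basename(f) }.sort
end

# Stand-in for the link step: object files are placed on the command line (and
# therefore into the shared object's layout) in exactly the order given.
def link_command(srcs)
  objs = srcs.map { |s| s.sub(/\.c\z/, ".o") }
  "$(LDSHARED) -o psych.so #{objs.join(' ')}"
end

# Fingerprint of what the link step would produce from one listing.
def build_fingerprint(listing, sort:)
  srcs = sort ? srcs_sorted(listing) : srcs_unsorted(listing)
  Digest::SHA256.hexdigest(link_command(srcs))
end

# A build is reproducible when two enumeration orders give the same fingerprint.
def deterministic?(sort:)
  build_fingerprint(LISTING_A, sort: sort) == build_fingerprint(LISTING_B, sort: sort)
end

if __FILE__ == $0
  puts "unsorted reproducible: #{deterministic?(sort: false)}"
  puts "sorted reproducible:   #{deterministic?(sort: true)}"
end
```

The same comparison is what a reproducibility check does for the real artifact: build psych.so twice on different hosts and compare the hashes; any ordering that depends on the filesystem rather than on the sources is a source of mismatches.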
Updated by jeremyevans0 (Jeremy Evans) almost 6 years ago
- Assignee set to hsbt (Hiroshi SHIBATA)
Psych is a default gem, it is managed on GitHub. I've added a pull request to implement this: https://github.com/ruby/psych/pull/403. Assigning this to hsbt as he is a psych maintainer and has done most of the recent maintenance.
For what it is worth, while deterministic builds increase assurance by decreasing randomness, they decrease security by giving more knowledge to the attacker. I think it would be worthwhile to support a mode that randomly ordered all object files when linking for all ruby shared objects. However, that is a separate issue, and I will add a different feature request for that if I have time to implement it.
Updated by jeremyevans0 (Jeremy Evans) almost 6 years ago
- Status changed from Open to Closed
hsbt merged the pull request, so this can be closed.