Rust
Rust is a general-purpose programming language with emphasis on performance, type safety, concurrency, and memory safety. It references build dependencies through cryptographic hashes recorded in dependency lockfiles. Programs written in Rust are often already reproducible by default, given the original build toolchain is version-matched and build paths are normalized, but this page documents some common issues you may encounter.
Dependency Lockfiles
Some distributions (like Arch Linux, Alpine and Homebrew) rely on the upstream
project to commit a dependency lockfile into the repository. In the Rust
ecosystem, this file is called Cargo.lock.
Usually this file is automatically respected by cargo build and cargo build
--release, but if it can’t satisfy the dependencies in the corresponding
Cargo.toml, cargo may re-resolve the dependency tree using the latest
semver-compatible versions available, which are going to be different in the
future.
To disable this behavior and instead insist on an error, use:
cargo build --locked
Not all distributions use the dependency lockfile, the Debian project is using their own dependency resolver and .buildinfo files.
Diffing the Build Directory
If you encounter an unreproducible binary, you can usually track down the
problem to a specific binary by running diffoscope on the target/
directory1.
cargo build --release && mv target target.1
cargo build --release && mv target target.2
diffoscope --html diff.html --exclude-directory-metadata=yes target.1/ target.2/
You can ignore the file .rustc_info.json as well as the files in
.fingerprint/2.
If you see a difference in e.g. target.1/release/libfoo.rlib that is a strong
indicator the problem is in the foo crate and you can focus your
investigation there.
Build Scripts (build.rs)
See stable outputs3.
Embedded Build Time
It is very uncommon for Rust programs to record the date and time the binary
has been compiled. If you still need the current time for some reason during
the compile, it is recommended to check if the SOURCE_DATE_EPOCH environment
variable is set, and only read the current system time if it is not set.
The SOURCE_DATE_EPOCH
environment variable has it’s own documentation page that also contains Rust
example code.
rust-embed
The popular crate rust-embed contains
macros to embed additional files into the compiled binary. This is often used
to bundle web assets. By default, it also records the filesystem metadata of
those files, including the modification time.
This can be turned off using the deterministic-timestamps feature.
[dependencies]
rust-embed = { version = "8.5.0", features = ["deterministic-timestamps"] }
Footnotes
Introduction
- Which problems do Reproducible Builds Solve?
- Definitions
- History
- Why reproducible builds?
- Making plans
- Academic publications
Achieve deterministic builds
Managing variance
- Variations in the build environment
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Stripping of unreproducible information
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- Rust
- JVM
- Helm
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
