How about using a different toolchain? (eg: gcc vs clang). Or even different ver... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

sreevisakh on Aug 5, 2020 | parent | context | favorite | on: You don’t need reproducible builds

How about using a different toolchain? (eg: gcc vs clang). Or even different versions of a toolchain? Or a dependency that has to be downloaded? Being able to build consistently requires way more effort than just following professional practices. One method I know is to pin everything that goes into a build - source, dependencies, toolchains, configurations and environment.

Results of non-consistent build can be as simple as a difference in performance. But it could also be a malware injected through the compiler.

AlexTWithBeard on Aug 5, 2020 [–]

Yes, yes and yes. The toolchain and the dependencies should be pinned.

Otherwise sooner or later you'll hit the customer's issue that you won't be able to reproduce - until you realize it's some subtle bug in the specific version of your compiler.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact