Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:121822 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 10870 invoked from network); 28 Nov 2023 17:28:21 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 28 Nov 2023 17:28:21 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 91C8B18003C for ; Tue, 28 Nov 2023 09:28:28 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_40,DMARC_MISSING, SPF_HELO_NONE,SPF_NEUTRAL autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from scarlet.netpirates.net (scarlet.netpirates.net [188.94.27.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 28 Nov 2023 09:28:27 -0800 (PST) Received: from p579cd66e.dip0.t-ipconnect.de ([87.156.214.110] helo=[192.168.178.29]) by scarlet.netpirates.net with esmtpsa (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (Exim 4.96.2) (envelope-from ) id 1r81sg-003clI-1a for internals@lists.php.net; Tue, 28 Nov 2023 18:28:18 +0100 Message-ID: Date: Tue, 28 Nov 2023 18:28:18 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: internals@lists.php.net Autocrypt: addr=sebastian@php.net; keydata= xsFNBFPKGuYBEADld84J8vRx8qXekzk+K/u5rWYkiHRtx/TGvSI/luOfuJR7O7jheTwXJPqW JvA3K3B4zMpp4+QllPhO+Q//oRIguKrju8jcEdIDSFznv1ugza9nknmmuWwRh0mN1sP4FkHp q5zLVyfTJHmvKcJYoLbXSEEba+jdz5HGt1MQz4bXKQHZAu9PyG1YFQTOftHJeY8ezJ1IP7V+ +Jf0E3DmxpqeT3si3TPWkHeiZnyNvArWpOp2dX89q9DgBskW4i0F4JsxaYk7zIsG6qMj/kEK NUpnGq9MBpsWhq8VwJgJ74he+9ZDCjs9Gjb/7wmiSYR6BYuzuoAE0/Cr2G87IuWH+8hJtQZG ufQtYLqogjjpoKto4c1j3mfI9uJpqn8sjma4yegAlz8RYM2SX78YDeAcShYK22wK4T+410dP R+M8TezUWh5jPATs+OZe6HxNz5qETkolZ6pt1gCHoAkNSmE+Gz56JjTLARFPPMmcqTzYNJTm ecLOX591oQnS2ATheqcE4sH2LZ7e0oxO8yBAM4Vp63RHadA2w+b3G5eogan3p1hi6+ubX2/A JC3+1a8JmhQ8Yi6ELEDgoyx9rg7oCxMo2FPnGt16JNoEIMdLTLuFNAITFHkFvJc7O3/GKeKg qeehnuNYCoqOOpbFfeFI7jiBR5+xmu6swPo4qBnqVBfOkgOF1QARAQABzSZTZWJhc3RpYW4g QmVyZ21hbm4gPHNlYmFzdGlhbkBwaHAubmV0PsLBdwQTAQoAIQUCU8ohfwIbAwULCQgHAwUV CgkICwUWAwIBAAIeAQIXgAAKCRBKo5QIY3LCCuriEACebMROhtB/mMRqvcUjlslQaAJVfcZC x+/BSaWrk9lNgWLpS81zsRqDIC+IA/5rB6udh2q277KSy//39Pt6DxO5YeHEnjjuq9eFY/5n nSXUyT+MacvJZTJD7QA2jbO0oKKkSr2CkddkU56dthQmVshxAvo0H0BkJ81RRA6OpMhiSieL GcoIIy5HOCEeuqvfdv6Rchngfdyvp39r9bx7B8r1LdvRAvLzfHkQelOr3syXx8yinxeFjAR+ TKZoynp2J7TfNMEurowt4afu9BLOd52WwAWFnmHGKtIzrYjylTOiVodbSzhm0XGjjbHhexZT xHCHEbEDUtNRttXRYtvSp7R1+V7cLuosAsddDf3ltg9v3XHQhtYUyDJgrhFBYg2bVebQinCd y51UEO2Svgm7o6Rt/Kuq7cd8ncOpr7xUEnat5N5dniLlvGqBWbngRvAhsOeIiEexrHcQdL25 X4/AE9/zFZOOsAGNK37pHTOrY2YELyrbMA5FhTiZ/uxX/6FGKoRtuikpZiW729IbTkYV17ZL xrLWVAeAkaP5S1hvfsDzTDMfX+WfjD1fZUVKAVVmZpW6u/LGTEtGW6NdSYPbLYF2VTTfpOPz LKDDwKJVLMNnozixegIIvN2PVp8adm1IxlrPwDhhB+nsidfK4Skaq2vnwJaepqBSwshFAH7g sqh/E87BTQRTyhrmARAAy5t+TIp3d3aIo6lHZXKF/zxggVY/WBezb7HcFmC5Su/dTueCm6nw xcR2KGcrVMCIQrchEYLpOl6fPHVeTIbXOhjlaZzOQ9tovjxMFQCnZ/6WO6pF/ZrVbW3i2JGM Q8LwM2sLe7sadq/Np1OGSXCDRld3nx0ph8DvAImVSe4R7QAUeg8VeIbmS1szc02glOLx9Lbq S0sbrhTtlsTzH6o2olP36u+zbDAXNLs1CPmS6O9ZfMdBPhT3znNwbHlgbC61b5G4EG4LinJz KuQifAOmZ57lD2RXP+svS2adKqODPowpbUGCs7ntRt+sNgNiMusFW38BBIYGTu9vM0HwsaLk YjujB5ldHyCPLIIC/8ue0AeOScycSiqgr0VBQmaLKKggSdQczE5/jqFVz9Xg77eebsx4JMys XK9oEDdG6Ceh2SOMl+8blNh4c52laIstDXnGu6fQMwr8pjHB9LHrmjna/IOHMUs1eW3Oj9eL MFWmHgjUWd165+xkrYKqJ3Oy4YMrBCD710vzDaCTkAEu5AlhOL/5vOVSMYPEMViStbq2FYG7 QaC50gp5t5809Ws4bKtFFnVoK6OYRytnIWA2+xCfXDOG3MNrY1NuWNEvI9pmn+1pTo5zgjf2 qrm0E+kKL6aox+ReQu1/b4m0DOf00TwuKliNMq1pU70T/Pm7LAOGdnEAEQEAAcLBXgQYAQoA CQUCU8oa5gIbDAAKCRBKo5QIY3LCCuqtD/d9V22bY+oUfgn2CABSO2Lvq+9FTvEAYnBAZ9Gj SCKVH2gJ3rETcnjpdjLdgZg4fGJpNNehu0w4rLgUi7UyKWFLe+p84bnyDdZNuUqXtOHfHsoA xausTz1MAxEeZ6aDPkpuztC4BMWuLn6V2NkZ9gS4qniZQ5D8GJT+UpP5LFW08Kae9/5exme+ JlCiUUCDgtn1QSzKkYz60aRg7f3WpqRSg2Y1uuSRE/QCV3/iU0FXm3pneShAWQvtGqQYE9HG pZu2qG8sgns+fFqnqLHW7kr6w4EUATCEOKQ9bfH6lV9bKxsMp1XGUfdeR+AJO8Q6kn8VzYT9 plnCHJ99kOsIZVDcydY1ew3enpKnvFvIlpH40guJfDWLkWbE5vQy8Y4gWGQaBiVGhusJ0M5E LT+vMlu7eSJSvBOSVzxKml7xwjlsvGmlVE8bL4Tu/rZfDTN5RIDzCDTy4bJAzZxtESIpELrm olu4v74XqfjPyZ7pCF7jflon6qGisYGL4J5f4UxQI8nM8YtXCheIs2y91D+xWOCwXdaJkXW3 c6IbxleFXOqskgdqrI601WXgluFM1vKp/Nm8s7RgxCKegvlw7xb4LQ385jqTMxxKlyKI6LMj dLczkUKzLZbl+eQq5Qcj1+vNRTzlzEJXq/UuJu6xDE/TQbFhnHBNpuSxFq2buB9pLkO9 Reply-To: internals@lists.php.net Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Reproducible Builds From: sebastian@php.net (Sebastian Bergmann) I recently watched a video [1] that once again brought the topic of reproducible builds [2] to my attention. I believe that reproducible builds are becoming more and more important and that the build of the PHP interpreter/runtime should become reproducible. Right now, compiling the same version of PHP's C sources in the same environment (using the same compiler, against the same dependencies, etc.) produces a different binary every time. "Different" meaning that the built artifacts, the "php" executable for the CLI SAPI, for example, are not bit-by-bit identical. One obvious reason why this is the case is the fact that we use __DATE__ and __TIME__ in a couple of places. These preprocessor macros are expanded by the C compiler at compile-time to the current date and time. They are used in sapi/cli/php_cli.c, for instance, so that the output of "php -i" contains the date and time when the executable was compiled. I have not yet checked whether usage of the __DATE__ and __TIME__ macros is the only thing that makes the compilation of PHP irreproducible, but no longer using them would be a good start on the path towards reproducible builds. While we could probably replace __DATE__ and __TIME__ with SOURCE_DATE_EPOCH [3] [4], I cannot help but wonder whether having the date and time when the executable was built in the executable is actually useful. How attached are we to having the date and time of the build in the output of phpinfo(), "php -i", etc.? AFAIK, the topic of reproducible builds was brought up in 2017 for the first, and before this email only, time [5]. There was a PR [6] that was merged into PHP 7.1 which introduced the use of SOURCE_DATE_EPOCH to define PHP_BUILD_DATE in configure.ac. Today, when I grep for SOURCE_DATE_EPOCH on the master branch, I do not find any usage of SOURCE_DATE_EPOCH anymore. Or PHP_BUILD_DATE, for that matter. -- [1] https://media.ccc.de/v/camp2023-57236-reproducible_builds_the_first_ten_years [2] https://reproducible-builds.org/ [3] https://reproducible-builds.org/specs/source-date-epoch/ [4] https://reproducible-builds.org/docs/source-date-epoch/ [5] https://externals.io/message/101327#101327 [6] https://github.com/php/php-src/pull/2965