[PHP-DEV] Reproducible Builds

Tue, 28 Nov 2023 09:28:33 -0800

I recently watched a video [1] that once again brought the topic of reproducible builds [2] to my attention.
I believe that reproducible builds are becoming more and more important and that the build of the PHP interpreter/runtime should become reproducible. 


Right now, compiling the same version of PHP's C sources in the same 
environment (using the same compiler, against the same dependencies, etc.) 
produces a different binary every time. "Different" meaning that the built 
artifacts, the "php" executable for the CLI SAPI, for example, are not 
bit-by-bit identical.



One obvious reason why this is the case is the fact that we use __DATE__ 
and __TIME__ in a couple of places. These preprocessor macros are expanded 
by the C compiler at compile-time to the current date and time. They are 
used in sapi/cli/php_cli.c, for instance, so that the output of "php -i" 
contains the date and time when the executable was compiled.



I have not yet checked whether usage of the __DATE__ and __TIME__ macros 
is the only thing that makes the compilation of PHP irreproducible, but no 
longer using them would be a good start on the path towards reproducible 
builds.



While we could probably replace __DATE__ and __TIME__ with 
SOURCE_DATE_EPOCH [3] [4], I cannot help but wonder whether having the 
date and time when the executable was built in the executable is actually 
useful. How attached are we to having the date and time of the build in 
the output of phpinfo(), "php -i", etc.?



AFAIK, the topic of reproducible builds was brought up in 2017 for the 
first, and before this email only, time [5]. There was a PR [6] that was 
merged into PHP 7.1 which introduced the use of SOURCE_DATE_EPOCH to 
define PHP_BUILD_DATE in configure.ac. Today, when I grep for 
SOURCE_DATE_EPOCH on the master branch, I do not find any usage of 
SOURCE_DATE_EPOCH anymore. Or PHP_BUILD_DATE, for that matter.


--

[1] 
https://media.ccc.de/v/camp2023-57236-reproducible_builds_the_first_ten_years

[2] https://reproducible-builds.org/
[3] https://reproducible-builds.org/specs/source-date-epoch/
[4] https://reproducible-builds.org/docs/source-date-epoch/
[5] https://externals.io/message/101327#101327
[6] https://github.com/php/php-src/pull/2965

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php























					Reply via email to