Deterministic builds

Erik Cederstrand erik at
Fri Dec 9 11:32:30 UTC 2011

Hi all,

I've been working on a project to make it possible to produce deterministic builds with FreeBSD. By this I mean building a FreeBSD distribution twice from the same code base and having all files in the two distributions match by md5 sum. Currently, this is not the case.

My main goal for this project is to be able to see exactly which files are affected between two revisions, in terms of actual functionality.

There are different ways of defining deterministic builds. My first attempt works when the SVN revision and SRCDIR are the same, but build timestamp, OBJDIR and DESTDIR are different. Here is a patch for current (r228312): This is my first attempt at a patch for the build infrastructure, so be warned :-)

To try the patch, you must be running 9.0 or later, since the build relies on the '-D' flag being available in ar(1) and ranlib(1) (ar is not a build dependency). I have only tested this with GCC, not Clang.

To build deterministically, you need to put WITH_DETERMINISTIC="YES" both in make.conf and on the command line. I can't work out why both are necessary.

Main features of the patch:
* Change ARFLAGS to add '-D' where ARFLAGS are hard-coded
* Adds a RANLIBFLAGS variable
* Remove '-g' from C/C++ debug flags where it is hard-coded
* Strips binaries for debug info which contains file paths
* Adds -frandom-seed to CXXFLAGS so the random seed in C++ binaries is constant
* Changes sendmail config file headers to be generic
* Changes to create a generic vers.c file

Currently missing and untested is building with different user logins, different hostnames, different revisions (where e.g. only a comment is changed), different SRCDIRs and probably other things I haven't thought of. Also, I have only done rudimentary runtime testing.

Here is the script I have used to build and test:

I'd be very grateful for any comments on the approach and the patch.
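
The following is an added example, not part of the original post or its patch. It shows why static libraries differ between two builds without the '-D' flag of ar(1): each archive member header stores mtime, uid and gid, so the md5 of the archive changes even when every object file is identical. The helper names and the sample archives are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
FIELDS = (("name", 16), ("mtime", 12), ("uid", 6), ("gid", 6), ("mode", 8), ("size", 10))

def make_ar(members, mtime, uid, gid, mode=0o644):
    """Build a minimal ar archive in memory (constructed input, short names only)."""
    out = AR_MAGIC
    for name, body in members:
        hdr = b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (name, mtime, uid, gid, mode, len(body))
        out += hdr + body + (b"\n" if len(body) % 2 else b"")  # bodies are 2-byte aligned
    return out

def parse_ar(data):
    """Return {member name: header fields plus the md5 of the member body}."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(data):
        hdr = data[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        info, off = {}, 0
        for field, width in FIELDS:
            info[field] = hdr[off:off + width].decode("ascii").strip()
            off += width
        size = int(info["size"])
        info["md5"] = hashlib.md5(data[pos + 60:pos + 60 + size]).hexdigest()
        members[info["name"].rstrip("/")] = info
        pos += 60 + size + (size % 2)
    return members

def explain_diff(a, b):
    """List (member, field) pairs that differ between two archives."""
    ma, mb = parse_ar(a), parse_ar(b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "missing"))
            continue
        diffs += [(name, f) for f in ("mtime", "uid", "gid", "mode", "size", "md5")
                  if ma[name][f] != mb[name][f]]
    return diffs

# Constructed sample: same objects, built at different times by different users.
OBJS = [(b"foo.o", b"\x7fELF-constructed-1"), (b"bar.o", b"\x7fELF-constructed-22")]
BUILD1 = make_ar(OBJS, mtime=1323430350, uid=1001, gid=1001)
BUILD2 = make_ar(OBJS, mtime=1323433950, uid=0, gid=0)
DETERMINISTIC = make_ar(OBJS, mtime=0, uid=0, gid=0)  # header values as written with -D
```

For `BUILD1` and `BUILD2`, `explain_diff` reports only header fields and no `md5` entry, which separates a metadata-only difference from a change in the object code itself.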


More information about the freebsd-current mailing list