Latest Results
Merge 'Fix lack of reproducibility in builds' from Mike Marcacci
With this change, when `SOURCE_DATE_EPOCH` is set:
- `GIT_COMMIT_HASH` is set to `None`. This is critical in projects that
commit artifact manifests alongside their source.
- `BUILT_TIME_SQLITE` uses the `SOURCE_DATE_EPOCH`
Additionally:
- A new `pure-rust-crypto` feature allows a user to opt into the `pure-
rust` feature on aegis for targets that would otherwise use its C-based
toolchain with `-mtune=native`.
- Uses `BTreeMap` instead of `HashMap` in the `match_ignore_ascii_case`
macro to ensure deterministic binary ordering.
This also drops two dependencies that were underutilized:
- `built`
- `chrono`
Turso was not fully respecting SOURCE_DATE_EPOCH, producing
nondeterministic binaries.
I used Claude Code (Opus 4.6, 1M context) to find the source of
nondeterminism in my project. Here was the initial prompt:
> We went to great lengths to ensure our builds were reproducible across
host platforms when creating the server/etc, and tried to expand upon
those for our client apps.
>
> The most recent commit accepts the auto-generated artifact-
manifest.json from CI. Unfortunately, the resulting re-run of CI
resulted in different hashes:
>
> << a bunch of hashes >>
>
> Run locally, we get even different hashes (see staged changes). Note
that the local run produced the same hashes when run twice, although it
was able to use cache.
>
> It appears that the CLI likely has some form of nondeterminism – or
perhaps incorporates other context (the git hash or the manifest file
itself) that it shouldn't.
>
> Debug this.
Once it narrowed the issue to Turso, I had it find the source of
nondeterminism within this codebase, which it found extremely fast by
honing in on the `built` crate. Its initial stab at a fix produced
correct behavior but a hard-to-follow diff, which I had it rework.
Through follow-up tests using my fork on diverse hardware, I found
another source of nondeterminism, and source of cross-compilation
inconsistency:
- the use of HashMap in proxies resulting in nondeterministic ordering
in the resulting binary
- the aegis crate compiled without its `pure-rust` feature can produce
different binaries based on the machine used for compilation
The final PR is a combination of Claude's contributions and manual
changes.
Reviewed-by: Mikaël Francoeur (@LeMikaelF)
Closes #6137 Latest Branches
0%
0%
0%
eidola-ai:reproducible-builds © 2026 CodSpeed Technology