[ruby-core:92899] [Ruby trunk Bug#15890] psych.so is not deterministic

[ruby-core:92899] [Ruby trunk Bug#15890] psych.so is not deterministic

[tropikhajma]

Issue #15890 has been reported by hajma (hajma hajma).

----------------------------------------
Bug #15890: psych.so is not deterministic
https://bugs.ruby-lang.org/issues/15890

* Author: hajma (hajma hajma)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
psych.so is not binary identical across builds (it's hash changes), as the order of its sources is random.

You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230



-- 
https://bugs.ruby-lang.org/

[ruby-core:92927] [Ruby trunk Bug#15890] psych.so is not deterministic

[merch-redmine]

Issue #15890 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to hsbt (Hiroshi SHIBATA)

Psych is a default gem, it is managed on GitHub.  I've added a pull request to implement this: https://github.com/ruby/psych/pull/403. Assigning this to hsbt as he is a psych maintainer and has done most of the recent maintenance.

For what it is worth, while deterministic builds increase assurance by decreasing randomness, they decrease security by giving more knowledge to the attacker.  I think it would be worthwhile to support a mode that randomly ordered all object files when linking for all ruby shared objects.  However, that is a separate issue, and I will add a different feature request for that if I have time to implement it.

----------------------------------------
Bug #15890: psych.so is not deterministic
https://bugs.ruby-lang.org/issues/15890#change-78302

* Author: hajma (hajma hajma)
* Status: Open
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version: 
* ruby -v: 
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
psych.so is not binary identical across builds (it's hash changes), as the order of its sources is random.

You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230



-- 
https://bugs.ruby-lang.org/

[ruby-core:92928] [Ruby trunk Bug#15890] psych.so is not deterministic

[merch-redmine]

Issue #15890 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

hsbt merged the pull request, so this can be closed.

----------------------------------------
Bug #15890: psych.so is not deterministic
https://bugs.ruby-lang.org/issues/15890#change-78303

* Author: hajma (hajma hajma)
* Status: Closed
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version: 
* ruby -v: 
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
psych.so is not binary identical across builds (it's hash changes), as the order of its sources is random.

You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230



-- 
https://bugs.ruby-lang.org/