Bug #15890

closed

psych.so is not deterministic

Added by hajma (hajma hajma) almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Target version:
-
[ruby-core:92899]

Description

psych.so is not binary identical across builds (its hash changes), as the order of its sources is random.

You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230

Updated by jeremyevans0 (Jeremy Evans) almost 5 years ago

  • Assignee set to hsbt (Hiroshi SHIBATA)

Psych is a default gem; it is managed on GitHub. I've added a pull request to implement this: https://github.com/ruby/psych/pull/403. Assigning this to hsbt as he is a psych maintainer and has done most of the recent maintenance.

For what it is worth, while deterministic builds increase assurance by decreasing randomness, they decrease security by giving more knowledge to the attacker. I think it would be worthwhile to support a mode that randomly ordered all object files when linking for all ruby shared objects. However, that is a separate issue, and I will add a different feature request for that if I have time to implement it.

Updated by jeremyevans0 (Jeremy Evans) almost 5 years ago

  • Status changed from Open to Closed

hsbt merged the pull request, so this can be closed.
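
The failure mode in the description, as an added example that is not part of the original report or of the psych/ruby code: a small model showing why an unsorted source listing changes the artifact hash and why sorting the list before linking fixes it. The object names, their contents, the `link` model and the seeded shuffle standing in for directory enumeration order are all constructed assumptions.

```ruby
require "digest"

# Constructed stand-ins for compiled objects (file name => object bytes).
# The names are hypothetical and not taken from the psych source tree.
OBJECTS = {
  "alpha.o"   => "\x01ALPHA".b,
  "bravo.o"   => "\x02BRAVO".b,
  "charlie.o" => "\x03CHARLIE".b,
  "delta.o"   => "\x04DELTA".b,
  "echo.o"    => "\x05ECHO".b,
}.freeze

# Model of a linker: objects are laid out in the order they are passed in,
# so the same set of inputs in a different order yields different bytes.
def link(names)
  names.map { |name| OBJECTS.fetch(name) }.join
end

# One "build": take the listing as the filesystem returned it, optionally
# sort it (the fix proposed in the report), link, and hash the result.
def build_digest(listing, sort:)
  listing = listing.sort if sort
  Digest::SHA256.hexdigest(link(listing))
end

# Repeat the build with a seeded shuffle standing in for directory
# enumeration order, and count how many distinct artifacts come out.
def distinct_artifacts(sort:, builds: 20, seed: 15890)
  rng = Random.new(seed)
  digests = Array.new(builds) do
    build_digest(OBJECTS.keys.shuffle(random: rng), sort: sort)
  end
  digests.uniq.size
end

if $PROGRAM_NAME == __FILE__
  puts "unsorted: #{distinct_artifacts(sort: false)} distinct digests"
  puts "sorted:   #{distinct_artifacts(sort: true)} distinct digest"
end
```

The same comparison, run against two real builds of a shared object, is the practical check that a build is reproducible: any difference in digest means some input, such as link order, is still varying.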
