oven-sh/bun

compiling `bun_shim_impl.exe` is not reproducible / can triggers anti-virus

Open

#12,738 opened on Jul 23, 2024

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Rust (90,348 stars) (4,486 forks)batch import
choregood first issue

Description

dumpbin /all .\zig-out\bun_shim_impl.exe > out2.txt

Dump of file .\zig-out\bun_shim_impl.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               3 number of sections
        6674BAC3 time date stamp Thu Jun 20 16:26:59 2024
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

That is a timestamp embedded in the file. ......... yeah unfortunate.

I know that the Zig compiler has tests that make sure that compiling itself is reproducible, so this has to be possible.

Then, once bun_shim_impl.exe has a static hash, we should add an assertion that the hash continues to stay the same.

After all of that is done, this binary will have a stable hash and can be properly added to anti-virus exclusion lists. It's been brought to my attention that this executable trips a Malwarebytes heuristic. We cannot possibly fix that if each build of Bun from CI changes this file.

For the rest of us, AV seems pretty friendly to this exe, as I have not seen anything flag it yet.

Contributor guide

Tech stack
rust
Domain
build systemci cd
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
basic understanding of binary compilationfamiliarity with CI/CD
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
The issue is about removing timestamps from the compiled bun shim impl.exe to achieve reproducible builds. Investigation should focus on the Zig build configuration and the compiler flags used. Look into how the Zig compiler's ' strip' or reproducibility flags work, and examine the CI pipeline (likely GitHub Actions) to see where this executable is built. The goal is to ensure that the binary hash remains consistent across builds. Additionally, consider adding an assertion in the CI to verify the hash. Reference the Zig compiler's own tests for reproducibility as a model.
compiling `bun_shim_impl.exe` is not reproducible / can triggers anti-virus · oven-sh/bun#12738 | Good First Issue