oven-sh/bun

compiling `bun_shim_impl.exe` is not reproducible / can triggers anti-virus

Open

#12.738 aberto em 23 de jul. de 2024

Ver no GitHub
 (2 comments) (0 reactions) (0 assignees)Rust (4.486 forks)batch import
choregood first issue

Métricas do repositório

Stars
 (90.348 stars)
Métricas de merge de PR
 (Mesclagem média 1d 17h) (357 fundiu PRs em 30d)

Description

dumpbin /all .\zig-out\bun_shim_impl.exe > out2.txt

Dump of file .\zig-out\bun_shim_impl.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               3 number of sections
        6674BAC3 time date stamp Thu Jun 20 16:26:59 2024
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

That is a timestamp embedded in the file. ......... yeah unfortunate.

I know that the Zig compiler has tests that make sure that compiling itself is reproducible, so this has to be possible.

Then, once bun_shim_impl.exe has a static hash, we should add an assertion that the hash continues to stay the same.

After all of that is done, this binary will have a stable hash and can be properly added to anti-virus exclusion lists. It's been brought to my attention that this executable trips a Malwarebytes heuristic. We cannot possibly fix that if each build of Bun from CI changes this file.

For the rest of us, AV seems pretty friendly to this exe, as I have not seen anything flag it yet.

Guia do colaborador