Type Safe Languages & Predictable Builds

G5 Cyber Security

2 months ago

TL;DR

Yes, several type safe languages offer deterministic compilers. This means given the same input code and compiler version, you’ll *always* get the same output binary (or compiled result). Rust, Haskell, and PureScript are excellent choices. Determinism is crucial for reproducible builds, supply chain security, and reliable deployments.

Understanding the Problem

A deterministic compiler produces identical outputs from identical inputs. Non-deterministic compilers can vary output due to factors like timestamps, build order dependencies, or internal state. This makes it hard to verify software integrity and creates problems for automated builds.

Solution: Languages with Deterministic Compilers

Rust

Type Safety: Strong static typing prevents many errors at compile time.
Determinism: Rust’s compiler is designed to be deterministic. The build process relies on clearly defined inputs and avoids external factors that could cause variations. The cargo package manager helps manage dependencies in a predictable way.
Example (Cargo Build):
```
cargo build --release
```
This command, with the same Rust version and project files, will always produce the same release binary.

Haskell

Type Safety: Haskell is renowned for its strong static typing and purity.
Determinism: The Glasgow Haskell Compiler (GHC) can be configured for deterministic builds. This often involves setting specific flags to control build order and avoid time-dependent behaviour.
Example (Stack Build):
```
stack build --flag +deterministic
```
Using the Stack build tool with the +deterministic flag helps ensure consistent results. You may also need to pin dependency versions in your stack.yaml file.

PureScript

Type Safety: PureScript is a strongly typed language that compiles to JavaScript.
Determinism: PureScript’s compiler, psc, aims for deterministic builds. Dependency management with spago contributes to reproducibility.
Example (Spago Build):
```
spago build
```
Similar to Rust and Haskell, using the same version of spago and project files will yield consistent JavaScript output.

Other Considerations:

Dependency Management: Regardless of the language, pinning dependency versions is *critical*. Use package managers (like Cargo, Stack, or Spago) to specify exact versions instead of ranges. This prevents unexpected updates from changing build outputs.
Build Environment: Use containerisation (e.g., Docker) to create a consistent build environment. This eliminates variations caused by different operating systems or installed software.
Compiler Version: Always specify the exact compiler version used for builds. Avoid using ‘latest’ tags as they can introduce non-determinism.

Verifying Determinism

Binary Comparison: After each build, compare the generated binary (or compiled output) with a known good version using tools like diff or checksums (e.g., SHA256).
Reproducible Builds Project: Explore resources from the Reproducible Builds project for more advanced techniques and tooling.