We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.
Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely a high-value target, it's still useful to reduce the likelihood of such problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.
Note that we distribute signed apps, which is signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to provide a script that could strip the app signature before comparing.
Related:
We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.
Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely a high-value target, it's still useful to reduce the likelihood of such problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.
Note that we distribute signed apps, which is signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to provide a script that could strip the app signature before comparing.
SOURCE_DATE_EPOCHto make builds not dependent on date/time.Related: