From: merch-redmine@...
Date: 2019-06-02T04:09:49+00:00
Subject: [ruby-core:92927] [Ruby trunk Bug#15890] psych.so is not deterministic

Issue #15890 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to hsbt (Hiroshi SHIBATA)

Psych is a default gem, it is managed on GitHub. I've added a pull request to implement this: https://github.com/ruby/psych/pull/403. Assigning this to hsbt as he is a psych maintainer and has done most of the recent maintenance.

For what it is worth, while deterministic builds increase assurance by decreasing randomness, they decrease security by giving more knowledge to the attacker. I think it would be worthwhile to support a mode that randomly ordered all object files when linking for all ruby shared objects. However, that is a separate issue, and I will add a different feature request for that if I have time to implement it.

----------------------------------------
Bug #15890: psych.so is not deterministic
https://bugs.ruby-lang.org/issues/15890#change-78302

* Author: hajma (hajma hajma)
* Status: Open
* Priority: Normal
* Assignee: hsbt (Hiroshi SHIBATA)
* Target version:
* ruby -v:
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
psych.so is not binary identical across builds (its hash changes), as the order of its sources is random.

You probably want to add a sort to
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/ext/psych/extconf.rb#L16
just like it's at
https://github.com/ruby/ruby/blob/6a5e89e23c433199f926d757481bc3c29fce7854/lib/mkmf.rb#L2230

--
https://bugs.ruby-lang.org/
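The effect reported in the issue, as an added example that is not part of the original message or of psych's build scripts: the same inputs linked in two enumeration orders hash differently, and sorting the list first makes the digest stable. The object names and bytes, the two listings and the toy `link` function are constructed for illustration, on the assumption that the source list comes from an unsorted directory glob.

```ruby
require "digest"

# Constructed stand-ins for compiled objects (names and bytes are made up).
OBJECTS = {
  "alpha.o" => "\x01alpha-code",
  "beta.o"  => "\x02beta-code",
  "gamma.o" => "\x03gamma-code",
  "delta.o" => "\x04delta-code",
}.freeze

# The same directory as two hosts might enumerate it: readdir order is
# filesystem-dependent, so an unsorted glob can return either listing.
LISTING_HOST_1 = %w[gamma.o alpha.o delta.o beta.o].freeze
LISTING_HOST_2 = %w[beta.o delta.o alpha.o gamma.o].freeze

# Toy linker: lays inputs out in the order they are passed, which is the
# property that makes input order show up in the output bytes.
def link(inputs)
  inputs.map { |name| OBJECTS.fetch(name) }.join
end

# Build once from a listing; sorted: true models adding .sort to the glob.
def build_digest(listing, sorted:)
  inputs = sorted ? listing.sort : listing
  Digest::SHA256.hexdigest(link(inputs))
end

# Reproducibility check: every build of the same sources must hash the same.
def reproducible?(listings, sorted:)
  listings.map { |l| build_digest(l, sorted: sorted) }.uniq.size == 1
end

if __FILE__ == $PROGRAM_NAME
  listings = [LISTING_HOST_1, LISTING_HOST_2]
  [false, true].each do |sorted|
    puts "sorted=#{sorted} reproducible=#{reproducible?(listings, sorted: sorted)}"
    listings.each do |l|
      order = sorted ? l.sort : l
      puts "  #{build_digest(l, sorted: sorted)[0, 16]}  #{order.join(' ')}"
    end
  end
end
```

The same comparison applies to real artifacts: build twice from a clean tree and compare the SHA-256 of each shared object.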