Why does it matter? In fact, security people often argue that the binaries should vary, to make it harder to use certain attacks?
Why does it matter? In fact, security people often argue that the binaries should vary, to make it harder to use certain attacks?-rob
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Inside Google the build system assumes all output is identical and each artifact's digest is used as cache keys. The build tools people take this very seriously.
This is well explained in the Google Engineering Tools blog:
http://google-engtools.blogspot.com/
This is well explained in the Google Engineering Tools blog:
http://google-engtools.blogspot.com/
--- SER
--
This is well explained in the Google Engineering Tools blog:
http://google-engtools.blogspot.com/
We have a giant source repo that contains most of everything (search, MapReduce, self-driving-cars, etc.) It has a top-level directory "third_party" for outside code which we didn't write. Some people elsewhere call this "vendor". Each third_party directory contains metadata about where it came from, its license, etc. Our build system even enforces licenses. (You can see some discussion of this at e.g. https://sites.google.com/site/skiadocs/developer-documentation/contributing-code/how-to-upstream-a-google3-third_party-patch-to-the-skia-repo)
I do a similar thing in my side project ... you can see my third_party directory at http://camlistore.org/code/?p=camlistore.git;a=tree at the bottom. That means I can sync to any point in time in the project's history and get the same build as it built on that date.