Re: Identical binaries from same source code




<snamds@xxxxxxxxx> wrote:
Right. In that case, I don't think the question as originally asked
would actually help you. It doesn't help for you to be able to rebuild
the same source to the same binaries multiple times if the homologating
company then uses a different mechanism to compile your code.

This is not a problem. We provide the compiler and method of
compilation to the homologation company. They first validate the
method of compilation.

In that case, would it be possible to have a cache of source code +
binaries, so that it always consults the cache before bothering to
build at all?

The best way of making sure that you get the same result is not to
rebuild unnecessarily :)

I do understand that that may not be feasible, however.

Now, three questions arise:

1) If you send the same source to the homologating company twice, do
*they* end up with the same binaries?
2) Are they happy to share their homologation methods with you?

1 and 2 -> Yes, because of my prior explanation.

3) If you can produce the same binary as the homologation company,
doesn't that defeat the purpose of the legislation? I would expect the
point to be similar to crypto-signing - e.g. to guarantee that the
homologation company has the original source code.

No, because we must explain what we have post changed in the binary
and they validate the method. They don't have to believe in what we
say, they can check the method.

I'm sure this is the way we must do things. The problem is that this
is our first project with C#. Before, with C++ we only had to clear
the timestamp of the binary.

The CLI spec gives details of the PE format, but it's possible that
there are some implementation-specific fields that are being generated
every time.

By the way, I wouldn't set the GUIDs and times to zero - I'd choose
appropriate values and always reuse those.

Note that if you sign your assemblies, all of this editing will
probably (hopefully, even) invalidate the signature - in which case the
suggestion at the top of this post is probably the only practical one.


Would it be possible to make the CRC comparison ignore specific parts
of the binaries, so long as you could explain that they don't affect
the behaviour of the code? That way we wouldn't need to work out what
values to use for the new binaries, just reasons why they're not
important.

--
Jon Skeet - <skeet@xxxxxxxxx>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
World class .NET training in the UK: http://iterativetraining.co.uk
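
An added example, not part of the original post: one way to run the CRC comparison suggested above so that it ignores named byte ranges. It locates only the COFF `TimeDateStamp` field itself; any other field (such as the GUIDs mentioned in the thread) has to be passed in as an explicit range. The function names and the sample images are constructed for illustration.

```python
import struct
import zlib

def timestamp_range(image):
    """Return (offset, length) of the COFF TimeDateStamp field in a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(image):
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the field.
    return pe_off + 8, 4

def masked_crc(image, extra_ranges=()):
    """CRC-32 of the image with every ignored range overwritten by zeros.

    extra_ranges is a caller-supplied list of (offset, length) pairs, each of
    which should come with a written reason why it cannot affect behaviour.
    """
    buf = bytearray(image)
    for off, length in (timestamp_range(image), *extra_ranges):
        if off < 0 or off + length > len(buf):
            raise ValueError(f"ignored range {off}+{length} is outside the file")
        buf[off:off + length] = bytes(length)
    return zlib.crc32(buf) & 0xFFFFFFFF

def make_sample(timestamp, body):
    """Constructed stand-in for compiler output: DOS header, COFF header, body."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff + body

if __name__ == "__main__":
    first = make_sample(0x65000000, b"\x2a" * 32)
    rebuilt = make_sample(0x65999999, b"\x2a" * 32)   # same code, later build
    changed = make_sample(0x65000000, b"\x2b" + b"\x2a" * 31)
    print("rebuild matches:", masked_crc(first) == masked_crc(rebuilt))
    print("code change matches:", masked_crc(first) == masked_crc(changed))
```

Because the mask is an explicit list of offsets, the list itself can be handed to the validating party together with the justification for each entry.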