mirror of
https://github.com/dashpay/dash.git
synced 2024-12-26 04:22:55 +01:00
aec7441ac2
751549b52a9a4cd27389d807ae67f02bbb39cd7f contrib: guix: Additional clarifications re: substitutes (Carl Dong) cd3e947f50db7cfe05c05b368c25742193729a62 contrib: guix: Various improvements. (Carl Dong) 8dff3e48a9e03299468ed3b342642f01f70da9db contrib: guix: Clarify SOURCE_DATE_EPOCH. (Carl Dong) 3e80ec3ea9691c7c89173de922a113e643fe976b contrib: Add deterministic Guix builds. (Carl Dong) Pull request description: ~~**This post is kept updated as this project progresses. Use this [latest update link](https://github.com/bitcoin/bitcoin/pull/15277#issuecomment-497303718) to see what's new.**~~ Please read the `README.md`. ----- ### Guix Introduction This PR enables building bitcoin in Guix containers. [Guix](https://www.gnu.org/software/guix/manual/en/html_node/Features.html) is a transactional package manager much like Nix, but unlike Nix, it has more of a focus on [bootstrappability](https://www.gnu.org/software/guix/manual/en/html_node/Bootstrapping.html) and [reproducibility](https://www.gnu.org/software/guix/blog/tags/reproducible-builds/) which are attractive for security-sensitive projects like bitcoin. ### Guix Build Walkthrough Please read the `README.md`. [Old instructions no. 4](https://github.com/bitcoin/bitcoin/pull/15277#issuecomment-497303718) [Old instructions no. 3](https://github.com/bitcoin/bitcoin/pull/15277#issuecomment-493827011) [Old instructions no. 2](https://github.com/bitcoin/bitcoin/pull/15277#issuecomment-471658439) <details> <summary>Old instructions no. 1</summary> In this PR, we define a Guix [manifest](https://www.gnu.org/software/guix/manual/en/html_node/Invoking-guix-package.html#profile_002dmanifest) in `contrib/guix/manifest.scm`, which declares what packages we want in our environment. We can then invoke ``` guix environment --manifest=contrib/guix/manifest.scm --container --pure --no-grafts --no-substitutes ``` To have Guix: 1. Build an environment containing the packages we defined in our `contrib/guix/manifest.scm` manifest from the Guix bootstrap binaries (see [bootstrappability](https://www.gnu.org/software/guix/manual/en/html_node/Bootstrapping.html) for more details). 2. Start a container with that environment that has no network access, and no access to the host's filesystem except to the `pwd` that it was started in. 3. Drop you into a shell in that container. > Note: if you don't want to wait hours for Guix to build the entire world from scratch, you can eliminate the `--no-substitutes` option to have Guix download from available binary sources. Note that this convenience doesn't necessarily compromise your security, as you can check that a package was built correctly after the fact using `guix build --check <packagename>` Therefore, we can perform a build of bitcoin much like in Gitian by invoking the following: ``` make -C depends -j"$(nproc)" download && \ cat contrib/guix/build.sh | guix environment --manifest=contrib/guix/manifest.scm --container --pure --no-grafts --no-substitutes ``` We don't include `make -C depends -j"$(nproc)" download` inside `contrib/guix/build.sh` because `contrib/guix/build.sh` is run inside the container, which has no network access (which is a good thing). </details> ### Rationale I believe that this represents a substantial improvement for the "supply chain security" of bitcoin because: 1. We no longer have to rely on Ubuntu for our build environment for our releases ([oh the horror]( |
||
|---|---|---|
| .. | ||
| builders | ||
| hosts | ||
| packages | ||
| patches | ||
| .gitignore | ||
| config.guess | ||
| config.site.in | ||
| config.sub | ||
| description.md | ||
| funcs.mk | ||
| Makefile | ||
| packages.md | ||
| README.md | ||
Usage
To build dependencies for the current arch+OS:
make
To build for another arch/OS:
make HOST=host-platform-triplet
For example:
make HOST=x86_64-w64-mingw32 -j4
A prefix will be generated that's suitable for plugging into Dash's configure. In the above example, a dir named x86_64-w64-mingw32 will be created. To use it for Dash:
./configure --prefix=`pwd`/depends/x86_64-w64-mingw32
Common host-platform-triplets for cross compilation are:
x86_64-w64-mingw32for Win64x86_64-apple-darwin19for macOSarm-linux-gnueabihffor Linux ARM 32 bitaarch64-linux-gnufor Linux ARM 64 bitriscv32-linux-gnufor Linux RISC-V 32 bitriscv64-linux-gnufor Linux RISC-V 64 bitarmv7a-linux-androidfor Android ARM 32 bitaarch64-linux-androidfor Android ARM 64 biti686-linux-androidfor Android x86 32 bitx86_64-linux-androidfor Android x86 64 bit
The paths are automatically configured and no other options are needed unless targeting Android.
Install the required dependencies: Ubuntu & Debian
For macOS cross compilation
sudo apt-get install curl librsvg2-bin libtiff-tools bsdmainutils cmake imagemagick libcap-dev libz-dev libbz2-dev python3-setuptools libtinfo5
Note: You must obtain the macOS SDK before proceeding with a cross-compile.
Under the depends directory, create a subdirectory named SDKs.
Then, place the extracted SDK under this new directory.
For more information, see SDK Extraction.
For Win64 cross compilation
- see build-windows.md
For linux (including i386, ARM) cross compilation
Common linux dependencies:
sudo apt-get install make automake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison
For linux ARM cross compilation:
sudo apt-get install g++-arm-linux-gnueabihf binutils-arm-linux-gnueabihf
For linux AARCH64 cross compilation:
sudo apt-get install g++-aarch64-linux-gnu binutils-aarch64-linux-gnu
For linux RISC-V 64-bit cross compilation (there are no packages for 32-bit):
sudo apt-get install g++-riscv64-linux-gnu binutils-riscv64-linux-gnu
RISC-V known issue: gcc-7.3.0 and gcc-7.3.1 result in a broken test_dash executable (see https://github.com/bitcoin/bitcoin/pull/13543),
this is apparently fixed in gcc-8.1.0.
Dependency Options
The following can be set when running make: make FOO=bar
- SOURCES_PATH
- downloaded sources will be placed here
- BASE_CACHE
- built packages will be placed here
- SDK_PATH
- Path where sdk's can be found (used by macOS)
- FALLBACK_DOWNLOAD_PATH
- If a source file can't be fetched, try here before giving up
- NO_QT
- Don't download/build/cache qt and its dependencies
- NO_QR
- Don't download/build/cache packages needed for enabling qrencode
- NO_ZMQ
- Don't download/build/cache packages needed for enabling zeromq
- NO_WALLET
- Don't download/build/cache libs needed to enable the wallet
- NO_BDB
- Don't download/build/cache BerkeleyDB
- NO_SQLITE
- Don't download/build/cache SQLite
- NO_UPNP
- Don't download/build/cache packages needed for enabling upnp
- NO_NATPMP
- Don't download/build/cache packages needed for enabling NAT-PMP
- DEBUG
- disable some optimizations and enable more runtime checking
- HOST_ID_SALT
- Optional salt to use when generating host package ids
- BUILD_ID_SALT
- Optional salt to use when generating build package ids
- FORCE_USE_SYSTEM_CLANG
- (EXPERTS ONLY) When cross-compiling for macOS, use Clang found in the
system's
$PATHrather than the default prebuilt release of Clang from llvm.org. Clang 8 or later is required.
Additional targets
download: run 'make download' to fetch all sources without building them
download-osx: run 'make download-osx' to fetch all sources needed for macOS builds
download-win: run 'make download-win' to fetch all sources needed for win builds
download-linux: run 'make download-linux' to fetch all sources needed for linux builds
Android
Before proceeding with an Android build one needs to get the Android SDK and use the "SDK Manager" tool to download the NDK and one or more "Platform packages" (these are Android versions and have a corresponding API level).
In order to build ANDROID_API_LEVEL (API level corresponding to the Android version targeted, e.g. Android 9.0 Pie is 28 and its "Platform package" needs to be available) and ANDROID_TOOLCHAIN_BIN (path to toolchain binaries depending on the platform the build is being performed on) need to be set.
API levels from 24 to 29 have been tested to work.
If the build includes Qt, environment variables ANDROID_SDK and ANDROID_NDK need to be set as well but can otherwise be omitted.
This is an example command for a default build with no disabled dependencies:
ANDROID_SDK=/home/user/Android/Sdk ANDROID_NDK=/home/user/Android/Sdk/ndk-bundle make HOST=aarch64-linux-android ANDROID_API_LEVEL=28 ANDROID_TOOLCHAIN_BIN=/home/user/Android/Sdk/ndk-bundle/toolchains/llvm/prebuilt/linux-x86_64/bin
Other documentation
- description.md: General description of the depends system
- packages.md: Steps for adding packages