
Reproducing Go binaries byte by byte - FiloSottile
https://blog.filippo.io/reproducing-go-binaries-byte-by-byte/
======
stirner
> Note: the default GOROOT, the one that the compiler will use if the
> environment variable is not set, must also match, since it will be copied
> into binaries

This seems worrisome for the privacy of builders. What if someone wishing to
stay anonymous built and distributed a Go binary from a system where GOROOT
included their home directory and revealed their identity? Am I
misinterpreting something?

~~~
niftich
Yes, it's worrisome. An issue like this was brought up on golang-nuts in 2014
[1]; the response from the devs was that this behavior is intentional [2], and
they note that this happens with other compilers as well.

I'm attempting to say this without sounding facetious: it's generally bad for
privacy if you install tools and compilers to a personally-identifiable path,
compile programs from personally-identifiable directories, perhaps using
personally-identifiable accounts. Using generic paths (which is in this case
the Go default), generically-named work directories, and generic-sounding user
accounts is a viable mitigation, that has been used by many programmers who
get burned by this from various environments.

As you suggest, perhaps there's an education gap here, because this is
well-known by security professionals and intelligence services (like the CIA
[3]), and less well-known by developers. Furthermore, most of these
privacy-leaking behaviors are being (re-)discovered or discussed as a part of
the 'reproducible builds' movement (like this one) to attempt to identify
context-specific behavior, rather than a concentrated approach to privacy in
particular.

[1] [https://groups.google.com/forum/#!topic/golang-nuts/oVDD8oPv...](https://groups.google.com/forum/#!topic/golang-nuts/oVDD8oPvDIY)

[2] [https://groups.google.com/d/msg/golang-nuts/oVDD8oPvDIY/fQ_r...](https://groups.google.com/d/msg/golang-nuts/oVDD8oPvDIY/fQ_r_gECFbUJ)

[3] [https://wikileaks.org/ciav7p1/cms/page_27721733.html](https://wikileaks.org/ciav7p1/cms/page_27721733.html)
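
The check a builder would want before shipping, as an added example that is
not part of this thread or of the Go toolchain: a small Go program that scans
a binary (by default its own executable, or the file named on the command
line) for printable strings containing a home-directory prefix, plus the
running user's own home directory, and reports what the build embedded. The
marker list, the function names and the constructed sample bytes are
assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// DefaultMarkers are path prefixes that usually carry a user name.
// The list is an assumption for this example; extend it for your platforms.
var DefaultMarkers = []string{
	"/home/",
	"/Users/",
	"/root/",
	`C:\Users\`,
	`C:\Documents and Settings\`,
}

// printableRuns returns every run of at least minLen printable ASCII bytes,
// the same heuristic strings(1) applies to an arbitrary file.
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				runs = append(runs, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		runs = append(runs, string(data[start:]))
	}
	return runs
}

// FindIdentifyingPaths scans a binary image for printable strings that
// contain any of the markers and returns the distinct matches, sorted.
// Go packs string literals into one blob without terminators, so a reported
// run may carry bytes of a neighbouring string; what matters is that the
// marker appears at all.
func FindIdentifyingPaths(data []byte, markers []string) []string {
	seen := map[string]bool{}
	for _, run := range printableRuns(data, 8) {
		for _, m := range markers {
			if m != "" && strings.Contains(run, m) {
				seen[run] = true
				break
			}
		}
	}
	out := make([]string, 0, len(seen))
	for run := range seen {
		out = append(out, run)
	}
	sort.Strings(out)
	return out
}

func main() {
	target := os.Args[0] // inspect ourselves unless a file is given
	if len(os.Args) > 1 {
		target = os.Args[1]
	}
	data, err := os.ReadFile(target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	markers := append([]string{}, DefaultMarkers...)
	if home, err := os.UserHomeDir(); err == nil {
		markers = append(markers, home) // the builder's own $HOME, whatever it is
	}
	hits := FindIdentifyingPaths(data, markers)
	if len(hits) == 0 {
		fmt.Printf("%s: no home-directory paths found\n", target)
		return
	}
	fmt.Printf("%s: %d string(s) that would identify the builder:\n", target, len(hits))
	for _, h := range hits {
		fmt.Println("  ", h)
	}
}
```

Build it and run it against the binary you intend to publish, or with no
argument to see what your own toolchain and work directory put into this
program. A clean result from a generically named build account and path is
the mitigation described above; newer Go releases also accept `go build
-trimpath`, which strips the build directory and GOROOT from the recorded
file paths (a later toolchain feature, not something this 2017 thread covers).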

~~~
laumars
The devs were right that this does happen with other compilers as well and has
been an issue with a great many compilers across a great many languages for as
long as I can recall (I remember tearing Windows binaries apart in the 90s to
glean information about the developer's environment).

Thankfully this is less of an issue these days due to the proliferation of
containerisation technologies and automated build pipelines, meaning the build
system can be completely separated from the developers' working environment
(e.g. a Jenkins box).

