introduce explicit --reproducible mode

Author: Mrmaxmeier

crates/bridge_core/src/lib.rs

@@ -247,11 +247,18 @@ impl<'a> CoreBridgeLauncher<'a> {
         }
     }
 
-    /// Configure filesystem emulation settings. These default to an "accurate"
-    /// view of the provided IO subsystem, but can be restricted to provide
-    /// reproducible file modified timestamps or hide absolute paths.
-    pub fn with_fs_emulation_settings(&mut self, settings: FsEmulationSettings) -> &mut Self {
-        self.filesystem_emulation_settings = settings;
+    /// While absolute paths are useful (for SyncTeX and external tools that
+    /// resolve paths to TeX sources), we can disable them for reproducibility.
+    pub fn with_expose_absolute_paths(&mut self, expose_absolute_paths: bool) -> &mut Self {
+        self.filesystem_emulation_settings.expose_absolute_paths = expose_absolute_paths;
+        self
+    }
+
+    /// Ditto for file modification timestamps. In reproducible mode, we return
+    /// the configured build time (i.e. `SOURCE_DATE_EPOCH`) instead of the
+    /// modification timestamp reported by the IO subsystem.
+    pub fn with_mtime_override(&mut self, mtime_override: Option<i64>) -> &mut Self {
+        self.filesystem_emulation_settings.mtime_override = mtime_override;
         self
     }
 
@@ -803,15 +810,15 @@ impl Default for SecuritySettings {
 /// underlying IO subsystem and have options that stub the respective IO
 /// functions with fake / stable values.
 #[derive(Clone, Debug)]
-pub struct FsEmulationSettings {
+struct FsEmulationSettings {
     /// While absolute paths are useful (for SyncTeX and external tools that
     /// resolve paths to TeX sources), we can disable them for reproducibility.
-    pub expose_absolute_paths: bool,
+    expose_absolute_paths: bool,
 
     /// Ditto for file modification timestamps. In reproducible mode, we return
     /// the configured build time (i.e. `SOURCE_DATE_EPOCH`) instead of the
     /// modification timestamp reported by the IO subsystem.
-    pub mtime_override: Option<i64>,
+    mtime_override: Option<i64>,
 }
 
 impl Default for FsEmulationSettings {

docs/src/ref/v1cli.md

@@ -49,16 +49,18 @@ The following are the available flags.
 | `-c`  | `--chatter <LEVEL>`       | How much chatter to print when running [default: default]  [possible values: default, minimal] |
 |       | `--format <PATH>`         | The name of the "format" file used to initialize the TeX engine [default: latex]               |
 | `-h`  | `--help`                  | Prints help information                                                                        |
-|       | `--hide <PATH>...`        | Tell the engine that no file at `<PATH>` exists, if it tries to read it                          |
+|       | `--hide <PATH>...`        | Tell the engine that no file at `<PATH>` exists, if it tries to read it                        |
 | `-k`  | `--keep-intermediates`    | Keep the intermediate files generated during processing                                        |
-|       | `--keep-logs`             | Keep the log files generated during processing                                                |
-|       | `--makefile-rules <PATH>` | Write Makefile-format rules expressing the dependencies of this run to <PATH>                  |
+|       | `--keep-logs`             | Keep the log files generated during processing                                                 |
+|       | `--makefile-rules <PATH>` | Write Makefile-format rules expressing the dependencies of this run to `<PATH>`                |
 | `-C`  | `--only-cached`           | Use only resource files cached locally                                                         |
 | `-o`  | `--outdir <OUTDIR>`       | The directory in which to place output files [default: the directory containing INPUT]         |
 |       | `--outfmt <FORMAT>`       | The kind of output to generate [default: pdf]  [possible values: pdf, html, xdv, aux, format]  |
 |       | `--pass <PASS>`           | Which engines to run [default: default]  [possible values: default, tex, bibtex_first]         |
 | `-p`  | `--print`                 | Print the engine's chatter during processing                                                   |
+|       | `--reproducible`          | Ensure deterministic builds                                                                    |
 | `-r`  | `--reruns <COUNT>`        | Rerun the TeX engine exactly this many times after the first                                   |
 |       | `--synctex`               | Generate SyncTeX data                                                                          |
+|       | `--untrusted`             | Input is untrusted: disable all known-insecure features                                        |
 | `-V`  | `--version`               | Prints version information                                                                     |
 | `-w`  | `--web-bundle <URL>`      | Use this URL find resource files instead of the default                                        |

docs/src/v2cli/build.md

@@ -50,7 +50,7 @@ cause it to look for that file in the online support bundle.
 The `--print` option (or `-p` for short) will cause the engine to print the
 regular terminal output of the TeX engine. This output is similar to, but not
 identical to, the contents of the log file. By default, this output is only
-printed if the engine encounteres a fatal error.
+printed if the engine encounters a fatal error.
 
 The `--open` option will open the built document using the system handler.
 
@@ -64,4 +64,10 @@ be easy to forget to use this option; in cases where untrusted inputs are a
 genuine concern, we recommend setting the environment variable
 `TECTONIC_UNTRUSTED_MODE` to a non-empty value. This has the same effect as the
 `--untrusted` option. Note, however, that a hostile shell user can trivially
-clear this variable.
+clear this variable.
+
+The `--reproducible` option ensures a fully deterministic build environment.
+The most notable difference is a static document build time (`\today`), which can
+be configured explicitly by setting the `SOURCE_DATE_EPOCH` environment variable.
+There's a few ways to break determinism (shell escape, reading from `/dev/urandom`),
+but anything else (especially behaviour in TeXLive packages) is considered a bug.

docs/src/v2cli/compile.md

@@ -111,6 +111,7 @@ The following are the available flags.
 |       | `--outfmt <FORMAT>`       | The kind of output to generate. Possible values: `pdf` (the default), `html`, `xdv`, `aux`, `format` |
 |       | `--pass <PASS>`           | Which engines to run. Possible values: `default`, `tex`, `bibtex_first` |
 | `-p`  | `--print`                 | Print the engine's chatter during processing |
+|       | `--reproducible`          | Ensure deterministic builds |
 | `-r`  | `--reruns <COUNT>`        | Rerun the TeX engine exactly this many times after the first |
 |       | `--synctex`               | Generate SyncTeX data |
 |       | `--untrusted`             | Input is untrusted: disable all known-insecure features |

docs/src/v2cli/dump.md

@@ -44,9 +44,9 @@ one of its parents.
 [tectonic-toml]: ../ref/tectonic-toml.md
 
 The “partial build” consists of one pass of the TeX engine. Future versions of
-this tool might gain options allowing you specify different passes. This command
-can be used to dump any file created by TeX during the build (so long as it's
-created on the first pass).
+this tool might gain options allowing you to specify different passes. This
+command can be used to dump any file created by TeX during the build (so long
+as it's created on the first pass).
 
 #### Command-Line Options
 

src/bin/tectonic/compile.rs

@@ -6,10 +6,8 @@
 //! `compile` subcommand of the "V2" / "cargo-like" interface.
 
 use std::{
-    env,
     path::{Path, PathBuf},
     str::FromStr,
-    time,
 };
 use structopt::StructOpt;
 use tectonic_bridge_core::{SecuritySettings, SecurityStance};
@@ -91,6 +89,10 @@ pub struct CompileOptions {
     #[structopt(long)]
     untrusted: bool,
 
+    /// Ensure deterministic build environment
+    #[structopt(long = "reproducible")]
+    reproducible_mode: bool,
+
     /// Unstable options. Pass -Zhelp to show a list
     #[structopt(name = "option", short = "Z", number_of_values = 1)]
     unstable: Vec<UnstableArg>,
@@ -119,7 +121,8 @@ impl CompileOptions {
             .keep_logs(self.keep_logs)
             .keep_intermediates(self.keep_intermediates)
             .format_cache_path(config.format_cache_path()?)
-            .synctex(self.synctex);
+            .synctex(self.synctex)
+            .reproducible_mode(self.reproducible_mode);
 
         sess_builder.output_format(OutputFormat::from_str(&self.outfmt).unwrap());
 
@@ -199,18 +202,7 @@ impl CompileOptions {
         } else {
             sess_builder.bundle(config.default_bundle(only_cached, status)?);
         }
-
-        let build_date_str = env::var("SOURCE_DATE_EPOCH").ok();
-        let build_date = match build_date_str {
-            Some(s) => {
-                let epoch = s.parse::<u64>().expect("invalid build date (not a number)");
-                time::SystemTime::UNIX_EPOCH
-                    .checked_add(time::Duration::from_secs(epoch))
-                    .expect("time overflow")
-            }
-            None => time::SystemTime::now(),
-        };
-        sess_builder.build_date(build_date);
+        sess_builder.build_date_from_env(self.reproducible_mode);
         run_and_report(sess_builder, status).map(|_| 0)
     }
 }

src/bin/tectonic/v2cli.rs

@@ -238,6 +238,10 @@ pub struct BuildCommand {
     /// Open built document using system handler
     #[structopt(long)]
     open: bool,
+
+    /// Ensure deterministic build environment
+    #[structopt(long = "reproducible")]
+    reproducible_mode: bool,
 }
 
 impl BuildCommand {
@@ -260,6 +264,7 @@ impl BuildCommand {
         let mut setup_options =
             DocumentSetupOptions::new_with_security(SecuritySettings::new(stance));
         setup_options.only_cached(self.only_cached);
+        setup_options.reproducible_mode(self.reproducible_mode);
 
         for output_name in doc.output_names() {
             let mut builder = doc.setup_session(output_name, &setup_options, status)?;

src/docmodel.rs

@@ -40,6 +40,9 @@ pub struct DocumentSetupOptions {
 
     /// Security settings for engine features.
     security: SecuritySettings,
+
+    /// Ensure a deterministic build environment.
+    reproducible_mode: bool,
 }
 
 impl DocumentSetupOptions {
@@ -48,6 +51,7 @@ impl DocumentSetupOptions {
     pub fn new_with_security(security: SecuritySettings) -> Self {
         DocumentSetupOptions {
             only_cached: false,
+            reproducible_mode: false,
             security,
         }
     }
@@ -61,6 +65,12 @@ impl DocumentSetupOptions {
         self.only_cached = s;
         self
     }
+
+    /// Specify whether we want to ensure a deterministic build environment.
+    pub fn reproducible_mode(&mut self, s: bool) -> &mut Self {
+        self.reproducible_mode = s;
+        self
+    }
 }
 
 pub trait DocumentExt {
@@ -157,7 +167,8 @@ impl DocumentExt for Document {
         sess_builder
             .output_format(output_format)
             .format_name(&profile.tex_format)
-            .build_date(std::time::SystemTime::now())
+            .build_date_from_env(setup_options.reproducible_mode)
+            .reproducible_mode(setup_options.reproducible_mode)
             .pass(PassSetting::Default)
             .primary_input_buffer(input_buffer.as_bytes())
             .tex_input_name(output_profile);

src/driver.rs

@@ -26,11 +26,9 @@ use std::{
     rc::Rc,
     result::Result as StdResult,
     str::FromStr,
-    time::SystemTime,
-};
-use tectonic_bridge_core::{
-    CoreBridgeLauncher, DriverHooks, FsEmulationSettings, SecuritySettings, SystemRequestError,
+    time::{Duration, SystemTime},
 };
+use tectonic_bridge_core::{CoreBridgeLauncher, DriverHooks, SecuritySettings, SystemRequestError};
 use tectonic_bundles::Bundle;
 use tectonic_engine_spx2html::AssetSpecification;
 use tectonic_io_base::{
@@ -819,6 +817,7 @@ pub struct ProcessingSessionBuilder {
     build_date: Option<SystemTime>,
     unstables: UnstableOptions,
     shell_escape_mode: ShellEscapeMode,
+    reproducible_mode: bool,
     html_assets_spec_path: Option<String>,
     html_precomputed_assets: Option<AssetSpecification>,
     html_do_not_emit_files: bool,
@@ -987,6 +986,28 @@ impl ProcessingSessionBuilder {
         self
     }
 
+    /// Configures the date and time of the processing session from the environment:
+    /// If `SOURCE_DATE_EPOCH` is set, it's used as the build date.
+    /// If `force_reproducible` is set, we fall back to UNIX_EPOCH.
+    /// Otherwise, we use the current system time.
+    pub fn build_date_from_env(&mut self, force_reproducible: bool) -> &mut Self {
+        let build_date_str = std::env::var("SOURCE_DATE_EPOCH").ok();
+        let build_date = match (force_reproducible, build_date_str) {
+            (_, Some(s)) => {
+                let epoch = s
+                    .parse::<u64>()
+                    .expect("invalid SOURCE_DATE_EPOCH (not a number)");
+
+                SystemTime::UNIX_EPOCH
+                    .checked_add(Duration::from_secs(epoch))
+                    .expect("time overflow")
+            }
+            (true, None) => SystemTime::UNIX_EPOCH,
+            (false, None) => SystemTime::now(),
+        };
+        self.build_date(build_date)
+    }
+
     /// Loads unstable options into the processing session
     pub fn unstables(&mut self, opts: UnstableOptions) -> &mut Self {
         self.unstables = opts;
@@ -1026,6 +1047,21 @@ impl ProcessingSessionBuilder {
         self
     }
 
+    /// Ensure a deterministic build environment.
+    ///
+    /// The most significant user-facing difference is a static document build
+    /// date, but this is already covered by [`build_date_from_env`], which
+    /// accepts a `reproducible` flag. Additionally, reproducible mode spoofs
+    /// file modification times and hides absolute paths from the engine.
+    ///
+    /// There's a few ways to break determinism (shell escape, reading from
+    /// `/dev/urandom`), but anything else (especially behaviour in TeXLive
+    /// packages) is considered a bug.
+    pub fn reproducible_mode(&mut self, reproducible: bool) -> &mut Self {
+        self.reproducible_mode = reproducible;
+        self
+    }
+
     /// When using HTML mode, emit an asset specification file instead of actual
     /// asset files.
     ///
@@ -1241,6 +1277,7 @@ impl ProcessingSessionBuilder {
             build_date: self.build_date.unwrap_or(SystemTime::UNIX_EPOCH),
             unstables: self.unstables,
             shell_escape_mode,
+            reproducible_mode: self.reproducible_mode,
             html_assets_spec_path: self.html_assets_spec_path,
             html_precomputed_assets: self.html_precomputed_assets,
             html_emit_files: !self.html_do_not_emit_files,
@@ -1308,6 +1345,8 @@ pub struct ProcessingSession {
 
     unstables: UnstableOptions,
 
+    reproducible_mode: bool,
+
     /// How to handle shell-escape. The `Defaulted` option will never
     /// be used here.
     shell_escape_mode: ShellEscapeMode,
@@ -1831,18 +1870,18 @@ impl ProcessingSession {
 
             let mut launcher =
                 CoreBridgeLauncher::new_with_security(&mut self.bs, status, self.security.clone());
-            launcher.with_fs_emulation_settings(FsEmulationSettings {
-                // We enable absolute paths if synctex was requested or other
-                // external tools are involved.
-                expose_absolute_paths: self.synctex_enabled || self.security.allow_shell_escape(),
-                // Note: We always return "dummy" modification times. Should
-                // there be a configuration knob to return the real mtime?
-                mtime_override: self
-                    .build_date
-                    .duration_since(SystemTime::UNIX_EPOCH)
-                    .map(|x| x.as_secs() as i64)
-                    .ok(),
-            });
+
+            // In reproducible mode, we stub a few aspects of the environment.
+            // They default to a "realistic" view, but we override them with static values:
+            if self.reproducible_mode {
+                launcher.with_expose_absolute_paths(false);
+                launcher.with_mtime_override(Some(
+                    self.build_date
+                        .duration_since(SystemTime::UNIX_EPOCH)
+                        .map(|x| x.as_secs() as i64)
+                        .expect("invalid build date in reproducible mode"),
+                ));
+            }
 
             TexEngine::default()
                 .halt_on_error_mode(!self.unstables.continue_on_errors)