feat: improve Composer's output reproducibility (#11663)

* AutoloadGenerator: add `Locker` parameter to the `dump` method * AutoloadGenerator: do not create a random hash, re-use the one from the lock file if it exists * FileSystem: make sure `safeCopy` copy also the file time metadata
composer · Sep 28, 2023 · b608b8e · b608b8e
1 parent 77fadf0
commit b608b8e
Show file tree

Hide file tree

Showing 10 changed files with 187 additions and 56 deletions.
diff --git a/doc/01-basic-usage.md b/doc/01-basic-usage.md
@@ -152,6 +152,13 @@ a Composer `install` to make sure the vendor directory is up in sync with your
 php composer.phar install
 ```
 
+Composer enables reproducible builds by default. This means that running the
+same command multiple times will produce a `vendor/` directory containing files
+that are identical (*except their timestamps*), including the autoloader files.
+It is especially beneficial for environments that require strict
+verification processes, as well as for Linux distributions aiming to package PHP
+applications in a secure and predictable manner.
+
 ## Updating dependencies to their latest versions
 
 As mentioned above, the `composer.lock` file prevents you from automatically getting

diff --git a/doc/06-config.md b/doc/06-config.md
@@ -365,8 +365,10 @@ with other autoloaders.
 
 ## autoloader-suffix
 
-Defaults to `null`. Non-empty string to be used as a suffix for the generated
-Composer autoloader. When null a random one will be generated.
+Defaults to `null`. When set to a non-empty string, this value will be used as a
+suffix for the generated Composer autoloader. If set to `null`, the
+`content-hash` value from the `composer.lock` file will be used if available;
+otherwise, a random suffix will be generated.
 
 ## optimize-autoloader
 

diff --git a/src/Composer/Autoload/AutoloadGenerator.php b/src/Composer/Autoload/AutoloadGenerator.php
@@ -33,6 +33,7 @@
 use Composer\Script\ScriptEvents;
 use Composer\Util\PackageSorter;
 use Composer\Json\JsonFile;
+use Composer\Package\Locker;
 
 /**
  * @author Igor Wiedler <igor@wiedler.ch>
@@ -172,7 +173,7 @@ public function setPlatformRequirementFilter(PlatformRequirementFilterInterface
      * @throws \Seld\JsonLint\ParsingException
      * @throws \RuntimeException
      */
-    public function dump(Config $config, InstalledRepositoryInterface $localRepo, RootPackageInterface $rootPackage, InstallationManager $installationManager, string $targetDir, bool $scanPsrPackages = false, ?string $suffix = null)
+    public function dump(Config $config, InstalledRepositoryInterface $localRepo, RootPackageInterface $rootPackage, InstallationManager $installationManager, Locker $locker, string $targetDir, bool $scanPsrPackages = false, ?string $suffix = null)
     {
         if ($this->classMapAuthoritative) {
             // Force scanPsrPackages when classmap is authoritative
@@ -405,9 +406,8 @@ public static function autoload(\$class)
                 }
             }
 
-            // generate one if we still haven't got a suffix
             if (null === $suffix) {
-                $suffix = md5(uniqid('', true));
+                $suffix = $locker->isLocked() ? $locker->getLockData()['content-hash'] : md5(uniqid('', true));
             }
         }
 

diff --git a/src/Composer/Command/DumpAutoloadCommand.php b/src/Composer/Command/DumpAutoloadCommand.php
@@ -100,7 +100,15 @@ protected function execute(InputInterface $input, OutputInterface $output)
         $generator->setRunScripts(true);
         $generator->setApcu($apcu, $apcuPrefix);
         $generator->setPlatformRequirementFilter($this->getPlatformRequirementFilter($input));
-        $classMap = $generator->dump($config, $localRepo, $package, $installationManager, 'composer', $optimize);
+        $classMap = $generator->dump(
+            $config,
+            $localRepo,
+            $package,
+            $installationManager,
+            $composer->getLocker(),
+            'composer',
+            $optimize
+        );
         $numberOfClasses = count($classMap);
 
         if ($authoritative) {

diff --git a/src/Composer/Command/ReinstallCommand.php b/src/Composer/Command/ReinstallCommand.php
@@ -163,7 +163,15 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             $generator->setClassMapAuthoritative($authoritative);
             $generator->setApcu($apcu, $apcuPrefix);
             $generator->setPlatformRequirementFilter($this->getPlatformRequirementFilter($input));
-            $generator->dump($config, $localRepo, $package, $installationManager, 'composer', $optimize);
+            $generator->dump(
+                $config,
+                $localRepo,
+                $package,
+                $installationManager,
+                $composer->getLocker(),
+                'composer',
+                $optimize
+            );
         }
 
         $eventDispatcher->dispatchScript(ScriptEvents::POST_INSTALL_CMD, $devMode);

diff --git a/src/Composer/Installer.php b/src/Composer/Installer.php
@@ -349,7 +349,17 @@ public function run(): int
             $this->autoloadGenerator->setApcu($this->apcuAutoloader, $this->apcuAutoloaderPrefix);
             $this->autoloadGenerator->setRunScripts($this->runScripts);
             $this->autoloadGenerator->setPlatformRequirementFilter($this->platformRequirementFilter);
-            $this->autoloadGenerator->dump($this->config, $localRepo, $this->package, $this->installationManager, 'composer', $this->optimizeAutoloader);
+            $this
+                ->autoloadGenerator
+                ->dump(
+                    $this->config,
+                    $localRepo,
+                    $this->package,
+                    $this->installationManager,
+                    $this->locker,
+                    'composer',
+                    $this->optimizeAutoloader
+                );
         }
 
         if ($this->install && $this->executeOperations) {

diff --git a/src/Composer/Util/Filesystem.php b/src/Composer/Util/Filesystem.php
@@ -874,10 +874,8 @@ public function filePutContentsIfModified(string $path, string $content)
 
     /**
      * Copy file using stream_copy_to_stream to work around https://bugs.php.net/bug.php?id=6463
-     *
-     * @return void
      */
-    public function safeCopy(string $source, string $target)
+    public function safeCopy(string $source, string $target): void
     {
         if (!file_exists($target) || !file_exists($source) || !$this->filesAreEqual($source, $target)) {
             $sourceHandle = fopen($source, 'r');
@@ -888,6 +886,8 @@ public function safeCopy(string $source, string $target)
             stream_copy_to_stream($sourceHandle, $targetHandle);
             fclose($sourceHandle);
             fclose($targetHandle);
+
+            touch($target, (int) filemtime($source), (int) fileatime($source));
         }
     }