Background
We previously built the MPC contract WASM reproducibly via cargo-near's [package.metadata.near.reproducible_build] (NEP-330) using a sourcescan/cargo-near Docker image. In #3356 we removed that metadata and switched to a Nix derivation (nix/mpc-contract.nix) because no sourcescan/cargo-near image existed for the workspace's toolchain (now rust-1.93.0, bumped in #3321).
The Nix build is reproducible, but loses NEP-330 build metadata, so third-party verifiers like sourcescan.io and nearblocks can no longer replay and verify the on-chain contract (noted in docs/reproducible-builds.md).
The required images have now been released: https://hub.docker.com/r/sourcescan/cargo-near/tags — so we can restore the cargo-near-based reproducible build and regain automated third-party verification. nix/mpc-contract.nix stays; cargo-near is added back alongside it to provide the NEP-330 metadata third-party verifiers need.
Acceptance Criteria
- Re-add
[package.metadata.near.reproducible_build] to crates/contract/Cargo.toml, pinning a sourcescan/cargo-near image (with digest) matching rust-toolchain.toml (1.93.0).
- Keep
nix/mpc-contract.nix; the cargo-near build coexists with it.
- Contract WASM carries NEP-330 metadata and is verifiable on sourcescan.io / nearblocks.
docs/reproducible-builds.md updated to document both build paths and remove the third-party-verification caveat.
Background
We previously built the MPC contract WASM reproducibly via cargo-near's
[package.metadata.near.reproducible_build](NEP-330) using asourcescan/cargo-nearDocker image. In #3356 we removed that metadata and switched to a Nix derivation (nix/mpc-contract.nix) because nosourcescan/cargo-nearimage existed for the workspace's toolchain (nowrust-1.93.0, bumped in #3321).The Nix build is reproducible, but loses NEP-330 build metadata, so third-party verifiers like sourcescan.io and nearblocks can no longer replay and verify the on-chain contract (noted in
docs/reproducible-builds.md).The required images have now been released: https://hub.docker.com/r/sourcescan/cargo-near/tags — so we can restore the cargo-near-based reproducible build and regain automated third-party verification.
nix/mpc-contract.nixstays; cargo-near is added back alongside it to provide the NEP-330 metadata third-party verifiers need.Acceptance Criteria
[package.metadata.near.reproducible_build]tocrates/contract/Cargo.toml, pinning asourcescan/cargo-nearimage (with digest) matchingrust-toolchain.toml(1.93.0).nix/mpc-contract.nix; the cargo-near build coexists with it.docs/reproducible-builds.mdupdated to document both build paths and remove the third-party-verification caveat.