[rb-general] Fwd: Building pkgsrc packages reproducibly

Pierre Pronchery khorben at defora.org
Sun Nov 12 04:42:37 CET 2017 

		Dear reproducible builders,

I have made progress on supporting reproducible builds when building
packages with pkgsrc (for NetBSD and more). What this first patch
actually does is still quite limited, but already helps a bit.

First, I have solved my issue when looking for debugging information:
strings(1) from binutils only looks at the initialized and loaded
sections in binaries by default. So I have used my own implementation
instead
(https://git.defora.org/gitweb/?p=utils.git;a=blob;f=src/strings.c).
Otherwise, use "strings -a", it works too.

Then, to answer Holger's last two questions on this topic, here is what
I can say at the moment:
- I am not setting SOURCE_DATE_EPOCH yet
- when not explicitly specified, I would use the timestamp from
  doc/CHANGES-$(date +%Y) for S_D_E, however:
  * building on "$(date +%Y) + x" will fail with x >= 1
  * CVS preserves timestamps but not Git

If you are interested, I can let you know when I actually get the
permission to commit this, and when I make further progress with the
implementation.

TTFN,
-- khorben

-------- Forwarded Message --------
Subject: Building pkgsrc packages reproducibly
Date: Sun, 12 Nov 2017 04:28:12 +0100
From: Pierre Pronchery <khorben at defora.org>
Newsgroups: gmane.os.netbsd.devel.packages

			Hi tech-pkg@,

the patch attached here adds initial support for building packages
reproducibly for pkgsrc. It currently tackles two problems:

- gcc(1) hard-coding full paths in debugging information (with one
  caveat at the moment)
- ar(1) hard-coding user IDs in archive headers

There are many more issues to tackle, but this is still quite uncharted
territory and they will have to be dealt with one by one.

Here is the description of this option:

> $ make help topic=reproducible
> ===> mk/repro/repro.mk (keywords: reproducible):
> # Infrastructure support for PKGSRC_MKREPRO.
> #
> 
> ===> mk/defaults/mk.conf (keywords: reproducible PKGSRC_MKREPRO):
> PKGSRC_MKREPRO?= no
> # If no, do not alter the build process. Otherwise, try to build reproducibly.
> # This allows packages built from the same tree and options to produce identical
> # results bit by bit.
> # This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable
> # address offsets for attackers attempting to exploit security vulnerabilities.
> # Possible: yes, no
> # Default: no

This feature is enabled by default in Debian GNU/Linux' own packages,
where 93% of them now build reproducibly. FreeBSD's ports also support
this to some extent (I believe > 60% of the ports build so).

If I am not mistaken, this feature is also planned to be enabled by
default for the base system in NetBSD in the coming 8.0 release (on the
amd64 and sparc64 platforms at least). Of course, the corresponding
support for pkgsrc can evolve independently from NetBSD's base system.

Without any objections I will commit this next week.

Cheers,
-- 
khorben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-pkgsrc_mkrepro.diff
Type: text/x-patch
Size: 4771 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20171112/9a1b1bf3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 862 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20171112/9a1b1bf3/attachment.sig>

More information about the rb-general mailing list