[Git][reproducible-builds/reproducible-presentations][master] OSFC 2023: Very Rough Draft.

Vagrant Cascadian (@vagrant) gitlab at salsa.debian.org
Sat Oct 7 06:24:18 UTC 2023



Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations


Commits:
da9548da by Vagrant Cascadian at 2023-10-06T23:22:29-07:00
OSFC 2023: Very Rough Draft.

- - - - -


10 changed files:

- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/Makefile
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/Reproducible-Builds-All-The-Way-Down.org
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/changelog
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/control
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/copyright
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/reproducible-builds-all-the-way-down.install
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/rules
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/source/format
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png


Changes:

=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/Makefile
=====================================
@@ -0,0 +1,16 @@
+# thanks to dima for walking me through this!
+#
+# needs: apt install emacs texlive-latex-extra texlive-plain-generic
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2023-10-11 12:15 -0700' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+	emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+	rm -f *.pdf *.tex *.png
+
+.PHONY:clean
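
Review bot: The exports at the top pin `SOURCE_DATE_EPOCH` and `FORCE_SOURCE_DATE`, and the recipe seeds Emacs with `(random "0")`, but nothing pins locale or timezone for the `emacs -Q --batch` run. Adding `export LC_ALL = C.UTF-8` and `export TZ = UTC` would remove that dependence on the builder's environment, the same class of variation the slides in this commit cite for u-boot's version strings. Separately, `.PHONY:clean` should also list `all`, and `clean` removing `*.tex` and `*.png` will delete any hand-written file of those types later placed beside the `.org` source.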


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/Reproducible-Builds-All-The-Way-Down.org
=====================================
@@ -0,0 +1,293 @@
+#+TITLE: Reproducible Builds All The Way Down
+#+AUTHOR: Vagrant Cascadian <vagrant at reproducible-builds.org>
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: OSFC 2023-10-11
+#+LANGUAGE:  en
+#+OPTIONS:   H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS:   TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+  https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/
+  Reproducible Builds All The Way Down
+
+  Reproducible Builds enables bit-for-bit identical comparison,
+  providing a strong link that the binaries used are the result of
+  building the source code.
+
+  This talk will explore some of the historic and recurring issues of
+  reproducible builds in various Open Source Firmware projects, as well
+  as tooling used to diagnose and troubleshoot reproducibility issues.
+
+  There has been Reproducible Builds work on several firmware projects
+  including u-boot, trustedfirmware, opensbi and others!
+
+  Because firmware projects tend to be limited in scope, Open Source
+  Firmware projects make a great showcase for the viability of 100%
+  reproducibility!
+#+END_comment
+
+* Who am I
+
+** image
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+[[./images/vagrantupsidedown.png]]
+
+
+** text
+	:PROPERTIES:
+	:BEAMER_col: 0.4
+	:END:
+
+  |                     | Vagrant |
+  |---------------------+---------|
+  | debian user         |    2001 |
+  | debian developer    |    2010 |
+  | reproducible builds |    2015 |
+
+* Reproducible Builds
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+
+[[./images/reproducible-builds.png]]
+
+* Spelling it out
+
+** text
+    :PROPERTIES:
+    :BEAMER_col: 0.7
+    :END:
+
+Reproducible Builds provides...
+
+#+ATTR_BEAMER: :overlay <+->
+- strong confidence...
+- that a binary was produced from a given source...
+- ...probably!
+
+** image
+    :PROPERTIES:
+    :BEAMER_col: 0.3
+    :END:
+[[./images/reproducible-builds.png]]
+
+* Scope: Debian
+
+Debian
+
+#+ATTR_BEAMER: :overlay <+->
+- The Universal Operating System
+- ~34000 source packages and counting
+- ~95% reproducible
+
+* Scope: Open Source Firmware
+
+Firmware projects
+
+#+ATTR_BEAMER: :overlay <+->
+- hardware specific
+- limited functionality
+- 100% reproducible
+
+* Happy U-Boot Anniversary, Vagrant!
+
+  https://bugs.debian.org/726699
+
+On Thu, Oct 17, 2013 at 09:48:50PM -0700, Vagrant Cascadian wrote:
+> A newer version of u-boot is available (2013.10), with support for a few new
+> platforms such as BeagleBone Black and Wandboard...
+>
+> I've done some work towards updating to the new version and could help with
+> an upload or two if needed... but probably not long-term maintenance.
+
+There's basically no one willing to do long-term maintenance, so
+have a blast!
+
+* u-boot
+
+commit 878e2a50b50199cb06ee28df53151e396a29d838
+Author: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Date:   Thu May 2 11:14:12 2019 -0700
+
+    Set time and umask on fit-dtb.blob to ensure reproducibile builds.
+
+commit 8664ab7debabfb6e1049c81030c2a18fd3eecb58
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date:   Sun Jun 3 12:26:57 2018 -0700
+
+    Set time and umask on multi-dtb fit images to ensure reproducibile builds.
+
+	
+https://patchwork.ozlabs.org/project/uboot/patch/20220818173133.12552-1-vagrant@debian.org/
+Makefile: Use relative paths for debugging symbols.
+
+worked around in Debian u-boot packages.
+
+Fixed in upstream gcc 13 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93371
+
+
+commit 3a0654ecd0d6a39406e6fe91f7a40ce589594ae9
+Author: Heinrich Schuchardt <xypron.glpk at gmx.de>
+Date:   Fri Jun 10 18:24:48 2022 +0200
+
+    efi_loader: correctly identify binary name
+
+    Only on the sandbox the default EFI binary name (e.g. BOOTX64.EFI) must
+    match the host architecture.
+
+    In all other cases we must use the target architecture.
+
+    Use #elif where appropriate.
+
+    Reported-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+    Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
+
+commit aaa91a4e4b8a5d74f1317e18aa47d2a7a72e0c43
+Author: Fabio Estevam <festevam at gmail.com>
+Date:   Mon Jul 27 21:03:13 2020 -0300
+
+    fit_image: Use calloc() to fix reproducibility issue
+
+    Vagrant Cascadian reported that mx6cuboxi target no longer builds
+    reproducibility on Debian.
+
+    One example of builds mismatches:
+
+    00096680: 696e 6700 736f 756e 642d 6461 6900 6465  ing.sound-dai.de
+    -00096690: 7465 6374 2d67 7069 6f73 0000            tect-gpios..
+    +00096690: 7465 6374 2d67 7069 6f73 0061            tect-gpios.a
+
+    This problem happens because all the buffers in fit_image.c are
+    allocated via malloc(), which does not zero out the allocated buffer.
+
+    Using calloc() fixes this unpredictable behaviour as it guarantees
+    that the allocated buffer are zero initialized.
+
+    Reported-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+    Suggested-by: Tom Rini <trini at konsulko.com>
+    Signed-off-by: Fabio Estevam <festevam at gmail.com>
+    Tested-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+
+commit 5847084f6bbd0778afb29f0574085d4210ea8cff
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date:   Thu Jun 16 12:28:40 2016 -0700
+
+    Respect SOURCE_DATE_EPOCH when building FIT images.
+
+    Embedding timestamps in FIT images results in unreproducible builds
+    for targets that generate a fit image, such as dra7xx_evm.
+
+    This patch uses the SOURCE_DATE_EPOCH environment variable, when set,
+    to use specified value for the date.
+
+    Thanks to HW42 for debugging the issue and providing the patch:
+
+      https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html
+
+    For more information about reproducible builds and the
+    SOURCE_DATE_EPOCH specification:
+
+      https://reproducible-builds.org/specs/source-date-epoch/
+      https://reproducible-builds.org/
+
+    Signed-off-by: Vagrant Cascadian <vagrant at debian.org>
+    Reviewed-by: Simon Glass <sjg at chromium.org>
+
+commit 42ffa51fd46bc6fd4bf2c244f00a80df31d01596
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date:   Sun Jun 12 06:07:07 2016 -0700
+
+    Use C locale when setting CC_VERSION_STRING and LD_VERSION_STRING.
+
+    The output reported may be locale-dependent, which results in
+    unreproducible builds.
+
+      $ LANG=C ld --version | head -n 1
+        GNU ld (GNU Binutils for Debian) 2.26
+
+      $ LANG=it_CH.UTF-8 ld --version | head -n 1
+        ld di GNU (GNU Binutils for Debian) 2.26
+
+    Forcing LC_ALL=C ensures the output is consistant regardless of the
+    build environment.
+
+    Thanks to HW42 for debugging the issue:
+
+      https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html
+
+    For more information about reproducible builds:
+
+      https://reproducible-builds.org/
+
+    Signed-off-by: Vagrant Cascadian <vagrant at debian.org>
+    Reviewed-by: Tom Rini <trini at konsulko.com>
+	
+* opensbi 
+
+https://github.com/riscv-software-src/opensbi/pull/229
+Ensure reproducible builds regardless of build path
+
+Upstream commit 12753d2 introduced
+uses of FILE which may result in the build path getting embedded
+into the resulting binary.
+
+The -ffile-prefix-map argument is available in gcc 8 and clang 10, which can be used to strip out the absolute part of the path from the artifacts the compiler produces.
+
+https://reproducible-builds.org/docs/build-path/
+
+Signed-off-by: Vagrant Cascadian vagrant at reproducible-builds.org
+
+commit 14faee6916bc973b9fdb816c5f4a45096e3f645a
+Author: Jessica Clarke <jrtc27 at jrtc27.com>
+Date:   Sun Nov 21 17:30:22 2021 +0000
+
+    lib: sbi: Improve fatal error handling
+
+* trustedfirmware-a (or did you say arm-trusted-firmware)
+
+commit 3b984c23fc5c2810d2177af50f5ef58345ca64bc
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date:   Sat Oct 17 15:06:43 2020 -0700
+
+    debian/rules: Use -ffile-prefix-map in TF_CFLAGS.
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+  Copyright 2019-2023 Vagrant Cascadian <vagrant at reproducible-builds.org>
+  Portions by contributors to the reproducible-builds.org website.
+
+  Copyright 2019 Holger Levsen <holger at layer-acht.org>
+
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
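
Review bot: Under `* u-boot`, `* opensbi` and `* trustedfirmware-a` the commit logs are pasted as plain body text, and with `H:1` each of those headings is a single frame, so the u-boot material (six commit logs, a hexdump and a shell transcript) lands on one slide and is subject to Org's paragraph filling and markup parsing. Wrapping each log in `#+BEGIN_EXAMPLE` / `#+END_EXAMPLE` and giving each commit its own top-level heading would keep the hexdump columns and the `$ LANG=C ld --version` lines intact. In the opensbi frame, "uses of FILE" reads as if the underscores of `__FILE__` were lost in a paste. In the header, `#+LaTeX_CLASS_OPTIONS` is set twice (`[bigger]`, then `[aspectratio=169]`) and `^:t` is followed by `#+OPTIONS: ^:nil`; merging each pair into one line avoids depending on how the exporter resolves repeated keywords.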


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/changelog
=====================================
@@ -0,0 +1,5 @@
+reproducible-builds-all-the-way-down (2023.10.11+OSFC) UNRELEASED; urgency=medium
+
+  * Presented at OSFC 2023.
+
+ -- Vagrant Cascadian <vagrant at reproducible-builds.org>  Fri, 06 Oct 2023 23:17:39 -0700


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/control
=====================================
@@ -0,0 +1,17 @@
+Source: reproducible-builds-all-the-way-down
+Section: doc
+Priority: optional
+Maintainer: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Build-Depends: debhelper-compat (=13),
+ emacs,
+ emacs-nox,
+ texlive-latex-extra,
+ texlive-plain-generic,
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/
+
+Package: reproducible-builds-all-the-way-down
+Architecture: all
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Reproducible Builds All The Way Down
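
Review bot: `Build-Depends` lists both `emacs` and `emacs-nox`, while the Makefile in this commit only runs `emacs -Q --batch`, so `emacs-nox` alone should be enough and keeps the set of build inputs smaller. In the binary stanza, `${shlibs:Depends}` has nothing to expand to for an `Architecture: all` package whose `.install` file ships only a PDF and can be dropped, and `Description:` carries a synopsis but no extended description.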


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/copyright
=====================================
@@ -0,0 +1,14 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Reproducible Builds All The Way Down
+Source: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-10-11-Reproducible-Builds-All-The-Way-Down/
+
+Files: *
+Copyright: 2019-2023 Vagrant Cascadian <vagrant at reproducible-builds.org>
+License: cc-by-sa-4.0
+
+License:
+  This work is licensed under the Creative Commons
+  Attribution-ShareAlike 4.0 International License.
+  .
+  To view a copy of this license, visit
+  https://creativecommons.org/licenses/by-sa/4.0/
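
Review bot: The standalone `License:` stanza at the end has an empty short name, so it does not match `License: cc-by-sa-4.0` in the `Files: *` stanza; it should read `License: cc-by-sa-4.0` so the two stanzas pair up. The `Files: *` stanza also names only Vagrant Cascadian, while the attribution frame in the `.org` file in this commit additionally credits Holger Levsen (2019) and contributors to the reproducible-builds.org website.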


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/reproducible-builds-all-the-way-down.install
=====================================
@@ -0,0 +1 @@
+Reproducible-Builds-All-The-Way-Down.pdf /usr/share/doc/reproducible-builds-all-the-way-down/


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/rules
=====================================
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/source/format
=====================================
@@ -0,0 +1 @@
+3.0 (native)


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png
=====================================
Binary files /dev/null and b/2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png differ


=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png
=====================================
Binary files /dev/null and b/2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/da9548daf3862458c82d3e487b2f1623efe67995
