[Git][reproducible-builds/reproducible-presentations][master] OSFC 2023: Very Rough Draft.
Vagrant Cascadian (@vagrant)
gitlab at salsa.debian.org
Sat Oct 7 06:24:18 UTC 2023
Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations
Commits:
da9548da by Vagrant Cascadian at 2023-10-06T23:22:29-07:00
OSFC 2023: Very Rough Draft.
- - - - -
10 changed files:
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/Makefile
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/Reproducible-Builds-All-The-Way-Down.org
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/changelog
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/control
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/copyright
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/reproducible-builds-all-the-way-down.install
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/rules
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/source/format
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png
- + 2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png
Changes:
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/Makefile
=====================================
@@ -0,0 +1,16 @@
+# thanks to dima for walking me through this!
+#
+# needs: apt install emacs texlive-latex-extra texlive-plain-generic
+
+export FORCE_SOURCE_DATE = 1
+export SOURCE_DATE_EPOCH := $(shell date --utc --date '2023-10-11 12:15 -0700' +%s)
+
+all: $(patsubst %.org,%.pdf,$(wildcard *.org))
+
+%.pdf: %.org
+ emacs -Q --batch --eval '(progn (random "0") (find-file "$<") (org-beamer-export-to-pdf))'
+
+clean:
+ rm -f *.pdf *.tex *.png
+
+.PHONY:clean
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/Reproducible-Builds-All-The-Way-Down.org
=====================================
@@ -0,0 +1,293 @@
+#+TITLE: Reproducible Builds All The Way Down
+#+AUTHOR: Vagrant Cascadian <vagrant at reproducible-builds.org>
+#+EMAIL: vagrant at reproducible-builds.org
+#+DATE: OSFC 2023-10-11
+#+LANGUAGE: en
+#+OPTIONS: H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+OPTIONS: ^:nil
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+latex_header: \mode<beamer>{\usetheme{Madrid}}
+#+LaTeX_CLASS_OPTIONS: [aspectratio=169]
+#+BEGIN_comment
+ https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/
+ Reproducible Builds All The Way Down
+
+ Reproducible Builds enables bit-for-bit identical comparison,
+ providing a strong link that the binaries used are the result of
+ building the source code.
+
+ This talk will explore some of the historic and recurring issues of
+ reproducible builds in various Open Source Firmware projects, as well
+ as tooling used to diagnose and troubleshoot reproducibility issues.
+
+ There has been Reproducible Builds work on several firmware projects
+ including u-boot, trustedfirmware, opensbi and others!
+
+ Because firmware projects tend to be limited in scope, Open Source
+ Firmware projects make a great showcase for the viability of 100%
+ reproducibility!
+#+END_comment
+
+* Who am I
+
+** image
+ :PROPERTIES:
+ :BEAMER_col: 0.4
+ :END:
+
+[[./images/vagrantupsidedown.png]]
+
+
+** text
+ :PROPERTIES:
+ :BEAMER_col: 0.4
+ :END:
+
+ | | Vagrant |
+ |---------------------+---------|
+ | debian user | 2001 |
+ | debian developer | 2010 |
+ | reproducible builds | 2015 |
+
+* Reproducible Builds
+
+** text
+ :PROPERTIES:
+ :BEAMER_col: 0.7
+ :END:
+
+https://reproducible-builds.org/docs/definition/
+
+\vspace{\baselineskip}
+
+A build is reproducible if given the same source code, build
+environment and build instructions, any party can recreate bit-by-bit
+identical copies of all specified artifacts.
+
+** image
+ :PROPERTIES:
+ :BEAMER_col: 0.3
+ :END:
+
+[[./images/reproducible-builds.png]]
+
+* Spelling it out
+
+** text
+ :PROPERTIES:
+ :BEAMER_col: 0.7
+ :END:
+
+Reproducible Builds provides...
+
+#+ATTR_BEAMER: :overlay <+->
+- strong confidence...
+- that a binary was produced from a given source...
+- ...probably!
+
+** image
+ :PROPERTIES:
+ :BEAMER_col: 0.3
+ :END:
+[[./images/reproducible-builds.png]]
+
+* Scope: Debian
+
+Debian
+
+#+ATTR_BEAMER: :overlay <+->
+- The Universal Operating System
+- ~34000 source packages and counting
+- ~95% reproducible
+
+* Scope: Open Source Firmware
+
+Firmware projects
+
+#+ATTR_BEAMER: :overlay <+->
+- hardware specific
+- limited functionality
+- 100% reproducible
+
+* Happy U-Boot Anniversary, Vagrant!
+
+ https://bugs.debian.org/726699
+
+On Thu, Oct 17, 2013 at 09:48:50PM -0700, Vagrant Cascadian wrote:
+> A newer version of u-boot is available (2013.10), with support for a few new
+> platforms such as BeagleBone Black and Wandboard...
+>
+> I've done some work towards updating to the new version and could help with
+> an upload or two if needed... but probably not long-term maintenance.
+
+There's basically no one willing to do long-term maintenance, so
+have a blast!
+
+* u-boot
+
+commit 878e2a50b50199cb06ee28df53151e396a29d838
+Author: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Date: Thu May 2 11:14:12 2019 -0700
+
+ Set time and umask on fit-dtb.blob to ensure reproducibile builds.
+
+commit 8664ab7debabfb6e1049c81030c2a18fd3eecb58
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date: Sun Jun 3 12:26:57 2018 -0700
+
+ Set time and umask on multi-dtb fit images to ensure reproducibile builds.
+
+
+https://patchwork.ozlabs.org/project/uboot/patch/20220818173133.12552-1-vagrant@debian.org/
+Makefile: Use relative paths for debugging symbols.
+
+worked around in Debian u-boot packages.
+
+Fixed in upstream gcc 13 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93371
+
+
+commit 3a0654ecd0d6a39406e6fe91f7a40ce589594ae9
+Author: Heinrich Schuchardt <xypron.glpk at gmx.de>
+Date: Fri Jun 10 18:24:48 2022 +0200
+
+ efi_loader: correctly identify binary name
+
+ Only on the sandbox the default EFI binary name (e.g. BOOTX64.EFI) must
+ match the host architecture.
+
+ In all other cases we must use the target architecture.
+
+ Use #elif where appropriate.
+
+ Reported-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+ Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
+
+commit aaa91a4e4b8a5d74f1317e18aa47d2a7a72e0c43
+Author: Fabio Estevam <festevam at gmail.com>
+Date: Mon Jul 27 21:03:13 2020 -0300
+
+ fit_image: Use calloc() to fix reproducibility issue
+
+ Vagrant Cascadian reported that mx6cuboxi target no longer builds
+ reproducibility on Debian.
+
+ One example of builds mismatches:
+
+ 00096680: 696e 6700 736f 756e 642d 6461 6900 6465 ing.sound-dai.de
+ -00096690: 7465 6374 2d67 7069 6f73 0000 tect-gpios..
+ +00096690: 7465 6374 2d67 7069 6f73 0061 tect-gpios.a
+
+ This problem happens because all the buffers in fit_image.c are
+ allocated via malloc(), which does not zero out the allocated buffer.
+
+ Using calloc() fixes this unpredictable behaviour as it guarantees
+ that the allocated buffer are zero initialized.
+
+ Reported-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+ Suggested-by: Tom Rini <trini at konsulko.com>
+ Signed-off-by: Fabio Estevam <festevam at gmail.com>
+ Tested-by: Vagrant Cascadian <vagrant at reproducible-builds.org>
+
+commit 5847084f6bbd0778afb29f0574085d4210ea8cff
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date: Thu Jun 16 12:28:40 2016 -0700
+
+ Respect SOURCE_DATE_EPOCH when building FIT images.
+
+ Embedding timestamps in FIT images results in unreproducible builds
+ for targets that generate a fit image, such as dra7xx_evm.
+
+ This patch uses the SOURCE_DATE_EPOCH environment variable, when set,
+ to use specified value for the date.
+
+ Thanks to HW42 for debugging the issue and providing the patch:
+
+ https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html
+
+ For more information about reproducible builds and the
+ SOURCE_DATE_EPOCH specification:
+
+ https://reproducible-builds.org/specs/source-date-epoch/
+ https://reproducible-builds.org/
+
+ Signed-off-by: Vagrant Cascadian <vagrant at debian.org>
+ Reviewed-by: Simon Glass <sjg at chromium.org>
+
+commit 42ffa51fd46bc6fd4bf2c244f00a80df31d01596
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date: Sun Jun 12 06:07:07 2016 -0700
+
+ Use C locale when setting CC_VERSION_STRING and LD_VERSION_STRING.
+
+ The output reported may be locale-dependent, which results in
+ unreproducible builds.
+
+ $ LANG=C ld --version | head -n 1
+ GNU ld (GNU Binutils for Debian) 2.26
+
+ $ LANG=it_CH.UTF-8 ld --version | head -n 1
+ ld di GNU (GNU Binutils for Debian) 2.26
+
+ Forcing LC_ALL=C ensures the output is consistant regardless of the
+ build environment.
+
+ Thanks to HW42 for debugging the issue:
+
+ https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html
+
+ For more information about reproducible builds:
+
+ https://reproducible-builds.org/
+
+ Signed-off-by: Vagrant Cascadian <vagrant at debian.org>
+ Reviewed-by: Tom Rini <trini at konsulko.com>
+
+* opensbi
+
+https://github.com/riscv-software-src/opensbi/pull/229
+Ensure reproducible builds regardless of build path
+
+Upstream commit 12753d2 introduced
+uses of FILE which may result in the build path getting embedded
+into the resulting binary.
+
+The -ffile-prefix-map argument is available in gcc 8 and clang 10, which can be used to strip out the absolute part of the path from the artifacts the compiler produces.
+
+https://reproducible-builds.org/docs/build-path/
+
+Signed-off-by: Vagrant Cascadian vagrant at reproducible-builds.org
+
+commit 14faee6916bc973b9fdb816c5f4a45096e3f645a
+Author: Jessica Clarke <jrtc27 at jrtc27.com>
+Date: Sun Nov 21 17:30:22 2021 +0000
+
+ lib: sbi: Improve fatal error handling
+
+* trustedfirmware-a (or did you say arm-trusted-firmware)
+
+commit 3b984c23fc5c2810d2177af50f5ef58345ca64bc
+Author: Vagrant Cascadian <vagrant at debian.org>
+Date: Sat Oct 17 15:06:43 2020 -0700
+
+ debian/rules: Use -ffile-prefix-map in TF_CFLAGS.
+
+* Copyright and attributions
+\addtocounter{framenumber}{-1}
+\tiny
+
+ Copyright 2019-2023 Vagrant Cascadian <vagrant at reproducible-builds.org>
+ Portions by contributors to the reproducible-builds.org website.
+
+ Copyright 2019 Holger Levsen <holger at layer-acht.org>
+
+ This work is licensed under the Creative Commons
+ Attribution-ShareAlike 4.0 International License.
+
+ To view a copy of this license, visit
+ https://creativecommons.org/licenses/by-sa/4.0/
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/changelog
=====================================
@@ -0,0 +1,5 @@
+reproducible-builds-all-the-way-down (2023.10.11+OSFC) UNRELEASED; urgency=medium
+
+ * Presented at OSFC 2023.
+
+ -- Vagrant Cascadian <vagrant at reproducible-builds.org> Fri, 06 Oct 2023 23:17:39 -0700
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/control
=====================================
@@ -0,0 +1,17 @@
+Source: reproducible-builds-all-the-way-down
+Section: doc
+Priority: optional
+Maintainer: Vagrant Cascadian <vagrant at reproducible-builds.org>
+Build-Depends: debhelper-compat (=13),
+ emacs,
+ emacs-nox,
+ texlive-latex-extra,
+ texlive-plain-generic,
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/
+
+Package: reproducible-builds-all-the-way-down
+Architecture: all
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Reproducible Builds All The Way Down
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/copyright
=====================================
@@ -0,0 +1,14 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Reproducible Builds All The Way Down
+Source: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-10-11-Reproducible-Builds-All-The-Way-Down/
+
+Files: *
+Copyright: 2019-2023 Vagrant Cascadian <vagrant at reproducible-builds.org>
+License: cc-by-sa-4.0
+
+License:
+ This work is licensed under the Creative Commons
+ Attribution-ShareAlike 4.0 International License.
+ .
+ To view a copy of this license, visit
+ https://creativecommons.org/licenses/by-sa/4.0/
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/reproducible-builds-all-the-way-down.install
=====================================
@@ -0,0 +1 @@
+Reproducible-Builds-All-The-Way-Down.pdf /usr/share/doc/reproducible-builds-all-the-way-down/
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/rules
=====================================
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/debian/source/format
=====================================
@@ -0,0 +1 @@
+3.0 (native)
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png
=====================================
Binary files /dev/null and b/2023-10-11-Reproducible-Builds-All-The-Way-Down/images/reproducible-builds.png differ
=====================================
2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png
=====================================
Binary files /dev/null and b/2023-10-11-Reproducible-Builds-All-The-Way-Down/images/vagrantupsidedown.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/da9548daf3862458c82d3e487b2f1623efe67995
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/da9548daf3862458c82d3e487b2f1623efe67995
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20231007/ff776fa3/attachment.htm>
More information about the rb-commits
mailing list