[rb-general] Fwd: Building pkgsrc packages reproducibly
Pierre Pronchery
khorben at defora.org
Wed Nov 15 20:18:54 CET 2017
Dear reproducible builders,
this first part is now committed:
https://twitter.com/pkgsrc/status/929704717277593600
Can it be part of the next weekly report?
Cheers,
-- khorben
On 12/11/2017 04:42, Pierre Pronchery wrote:
> I have made progress on supporting reproducible builds when building
> packages with pkgsrc (for NetBSD and more). What this first patch
> actually does is still quite limited, but already helps a bit.
>
> First, I have solved my issue when looking for debugging information:
> strings(1) from binutils only looks at the initialized and loaded
> sections in binaries by default. So I have used my own implementation
> instead (https://git.defora.org/gitweb/?p=utils.git;a=blob;f=src/strings.c).
> Otherwise, use "strings -a", it works too.
>
> Then, to answer Holger's last two questions on this topic, here is what
> I can say at the moment:
> - I am not setting SOURCE_DATE_EPOCH yet
> - when not explicitly specified, I would use the timestamp from
>   doc/CHANGES-$(date +%Y) for S_D_E, however:
>   * building on "$(date +%Y) + x" will fail with x >= 1
>   * CVS preserves timestamps but not Git
>
> If you are interested, I can let you know when I actually get the
> permission to commit this, and when I make further progress with the
> implementation.
>
> TTFN,
> -- khorben
>
> -------- Forwarded Message --------
> Subject: Building pkgsrc packages reproducibly
> Date: Sun, 12 Nov 2017 04:28:12 +0100
> From: Pierre Pronchery <khorben at defora.org>
> Newsgroups: gmane.os.netbsd.devel.packages
>
> Hi tech-pkg@,
>
> the patch attached here adds initial support for building packages
> reproducibly for pkgsrc. It currently tackles two problems:
>
> - gcc(1) hard-coding full paths in debugging information (with one
>   caveat at the moment)
> - ar(1) hard-coding user IDs in archive headers
>
> There are many more issues to tackle, but this is still quite uncharted
> territory and they will have to be dealt with one by one.
>
> Here is the description of this option:
>
>> $ make help topic=reproducible
>> ===> mk/repro/repro.mk (keywords: reproducible):
>> # Infrastructure support for PKGSRC_MKREPRO.
>> #
>>
>> ===> mk/defaults/mk.conf (keywords: reproducible PKGSRC_MKREPRO):
>> PKGSRC_MKREPRO?= no
>> # If no, do not alter the build process. Otherwise, try to build reproducibly.
>> # This allows packages built from the same tree and options to produce identical
>> # results bit by bit.
>> # This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable
>> # address offsets for attackers attempting to exploit security vulnerabilities.
>> # Possible: yes, no
>> # Default: no
>
> This feature is enabled by default in Debian GNU/Linux' own packages,
> where 93% of them now build reproducibly. FreeBSD's ports also support
> this to some extent (I believe > 60% of the ports build so).
>
> If I am not mistaken, this feature is also planned to be enabled by
> default for the base system in NetBSD in the coming 8.0 release (on the
> amd64 and sparc64 platforms at least). Of course, the corresponding
> support for pkgsrc can evolve independently from NetBSD's base system.
>
> Without any objections I will commit this next week.
>
> Cheers,
>
--
khorben
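
Added example, not part of the original message or of the pkgsrc patch: a small auditor for the ar(1) issue mentioned above, which parses archive member headers and reports the fields that vary with the build host. It goes slightly beyond the user ID named in the message by also checking the group ID and timestamp stored in the same header; the sample archives, member name and field values are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60
# (field, start, end, base) in the common 60-byte ar member header
FIELDS = (("mtime", 16, 28, 10), ("uid", 28, 34, 10), ("gid", 34, 40, 10),
          ("mode", 40, 48, 8), ("size", 48, 58, 10))

def build_archive(members, mtime=0, uid=0, gid=0, mode=0o644):
    """Constructed sample input: minimal archive, GNU-style 'name/' members."""
    out = AR_MAGIC
    for name, data in members:
        hdr = (f"{name + '/':<16}{mtime:<12}{uid:<6}{gid:<6}"
               f"{mode:<8o}{len(data):<10}`\n")
        out += hdr.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")
    return out

def parse_headers(blob):
    """Return one dict per member; raise ValueError on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("missing ar magic")
    members, off = [], len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) != HEADER_LEN or hdr[58:] != b"`\n":
            raise ValueError(f"bad member header at offset {off}")
        text = hdr.decode("latin-1")
        member = {"name": text[:16].rstrip()}
        for field, start, end, base in FIELDS:
            member[field] = int(text[start:end].strip() or "0", base)
        members.append(member)
        # Member data is padded to an even offset.
        off += HEADER_LEN + member["size"] + member["size"] % 2
    return members

def build_dependent_fields(blob):
    """List (member, field, value) for header fields that depend on the builder."""
    return [(m["name"], f, m[f]) for m in parse_headers(blob)
            for f in ("mtime", "uid", "gid") if m[f] != 0]

# Constructed sample: the same object bytes archived by two different users.
OBJ = [("hello.o", b"\x7fELF-constructed-object")]
ALICE = build_archive(OBJ, mtime=1510456092, uid=1000, gid=100)
BOB = build_archive(OBJ, mtime=1510456092, uid=1001, gid=100)
CLEAN = build_archive(OBJ)  # zeroed fields, as a deterministic archiver writes

if __name__ == "__main__":
    for label, blob in (("alice", ALICE), ("bob", BOB), ("clean", CLEAN)):
        digest = hashlib.sha256(blob).hexdigest()[:16]
        print(label, digest, build_dependent_fields(blob))
```

Running it on a real static library (read the file as bytes and pass it to `build_dependent_fields`) lists the members whose headers would make two otherwise identical builds differ.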