Attack on SolarWinds could have been countered by reproducible builds

Bernhard M. Wiedemann bernhardout at lsmod.de
Sun Dec 27 12:00:33 UTC 2020



On 21/12/2020 22.28, Richard Purdie wrote:
> OE-Core is about 800 pieces of software generating ~11,000
> packages of which we have about 65 marked as not reproducible at
> present. We're obviously working on improving those 65, and the
> techniques used will "just work" to a large extent throughout our wider
> layers of other software, we're just not testing that until we sort
> the core.

Do you have pointers to the list of unreproducible packages and how to
do test builds?


In http://git.openembedded.org/openembedded-core/
meta/lib/oeqa/selftest/cases/reproducible.py exclude_packages maybe?


> 	'acpica-src',
> 	'babeltrace2-ptest',
> 	'bootchart2-doc',
> 	'cups',
> 	'cwautomacros',
> 	'dtc',
> 	'efivar',
> 	'epiphany',
> 	'gcr',
> 	'git',
> 	'glide',
> 	'go-dep',
> 	'go-helloworld',
> 	'go-runtime',
> 	'go_',
> 	'groff',
https://build.opensuse.org/request/show/645935
> 	'gst-devtools',
> 	'gstreamer1.0-python',
> 	'gtk-doc',
https://bugzilla.gnome.org/show_bug.cgi?id=784177
> 	'igt-gpu-tools',
>         'kernel-devsrc',
> 	'libaprutil',
> 	'libcap-ng',
> 	'libhandy-1-src',
> 	'libid3tag',
> 	'libproxy',
> 	'libsecret-dev',
> 	'libsecret-src',
> 	'lttng-tools-dbg',
> 	'lttng-tools-ptest',
> 	'ltp',
> 	'meson',
> 	'ovmf-shell-efi',
> 	'parted-ptest',
> 	'perf',
https://elixir.bootlin.com/linux/latest/source/tools/perf/pmu-events/jevents.c#L1168
> 	'python3-cython',
> 	'qemu',
> 	'quilt-ptest',
> 	'rsync',
> 	'ruby',
https://github.com/ruby/io-console/commit/679a941d05d869f5e575730f6581c027203b7b26
> 	'spirv-tools-dev',
> 	'swig',
> 	'syslinux-misc',
> 	'systemd-bootchart',
> 	'valgrind-ptest',
> 	'vim',
> 	'watchdog',
> 	'xmlto',
> 	'xorg-minimal-fonts'

I found some relevant patches and pointers in our packages, linked above.
