Making reproducible builds & GitBOM work together without gitBOM-ID embedding

Yongkui Han (yonhan) yonhan at cisco.com
Thu Jan 12 00:56:36 UTC 2023


Hi folks,

A few months have passed since the last discussion on "Making reproducible builds & GitBOM work together in spite of low-level component variation".
https://lists.reproducible-builds.org/pipermail/rb-general/2022-June/002637.html

Here are some advances in gitBOM: gitBOM now supports not embedding the gitBOM identifier into output artifacts. This will solve the build-reproducibility issue caused by embedding the gitBOM ID in artifacts. By default, the various gitBOM tools will still embed the gitBOM identifier, but the user can configure the tool to not embed it, and the tool will still create the gitBOM ADG (Artifact Dependency Graph) documents correctly.

In order to support not embedding the gitBOM ID, the build tool must persist the artifact-ID to ADG-doc mappings at some external location. For example, the artifact-ID to ADG-doc mappings can be persisted in the file system via a symlink farm. When a new artifact is created, its associated ADG document is computed and generated, and a symlink file is also created which points to its associated ADG document. This way, without embedding a bom-id in the output artifact, we still know the associated bom-id for an artifact.

Here are some gitBOM tools that support not embedding the bom-id into artifacts:

https://github.com/git-bom/bomsh
https://github.com/git-bom/gcc-gitbom
https://github.com/git-bom/binutils-gitbom

The gitBOM behavior of the GCC and binutils tools is configured via the environment variable GITBOM_BUILD_MODE (or similar variable names).

The bomsh tool is special because it can create the gitBOM documents for already-released official Debian packages which are build-reproducible. When your Debian package hello.deb is created, a symlink hello.deb.gitbom_adg is created for you automatically, which points to its associated ADG doc. When using the bomsh tool, please remember to modify the bomtrace.conf file to add the "-n" option, which tells bomsh to not embed the bom-id into output files.
https://github.com/omnibor/bomsh#Generating-gitBOM-ADGs-for-Debian-or-RPM-Packages-with-Bomtrace2

If reproducible builds become the main user of the bomsh tool, we can probably change the default bomsh option to not embed the bom-id.

If multiple Debian builds generate the exact same gitBOM ID, it is actually a stronger reproducibility than the existing build-reproducibility, because it means all the intermediate object files are also the same.

Let me know if there are any questions/comments.

BTW, gitBOM has been renamed to OmniBOR to avoid confusion with git and BOM.
https://omnibor.io/

Thanks,
Yongkui
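The symlink-farm mechanism described in the mail, as an added, constructed example that is not part of the original message and not code from bomsh, gcc-gitbom or binutils-gitbom. It assumes: a gitoid is the git blob hash (sha1 over "blob <len>\0" + content); an ADG document is a sorted list of "blob <gitoid>" lines, each optionally followed by " bom <gitoid>" when that input has its own ADG doc (a simplification of the spec, which also carries a header line); the store layout objects/<adg-gitoid> and the <artifact>.gitbom_adg symlink name are illustrative; the "compiler" and "linker" are stand-ins that just copy bytes. It runs the same build twice and checks that, because no bom-id is written into the artifact, both the artifact gitoid and the ADG gitoid come out identical.

```python
"""Constructed example: persist ADG documents outside the artifact via a
symlink farm (not bomsh's or gcc-gitbom's code; formats are simplified)."""
import hashlib
import os
import tempfile


def gitoid_sha1(data: bytes) -> str:
    """gitoid of a blob: sha1 over the git object header "blob <len>\\0" + data."""
    h = hashlib.sha1()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()


def build_adg_doc(inputs) -> bytes:
    """ADG doc from (gitoid, bom_gitoid_or_None) pairs (assumed simplified format).

    One "blob <gitoid>" line per direct input, " bom <gitoid>" appended when the
    input carries its own ADG doc; lines sorted so the doc is deterministic.
    """
    lines = [f"blob {gid}" + (f" bom {bom}" if bom else "") for gid, bom in inputs]
    return "".join(line + "\n" for line in sorted(lines)).encode()


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


class AdgStore:
    """Symlink farm: <root>/objects/<adg-gitoid> holds the ADG doc and
    <artifact>.gitbom_adg is a symlink to it; the artifact itself is untouched."""

    def __init__(self, root: str):
        self.objects = os.path.join(root, "objects")
        os.makedirs(self.objects, exist_ok=True)

    def bom_of(self, path: str):
        """ADG gitoid recorded for an artifact, or None if it has no ADG doc."""
        link = path + ".gitbom_adg"
        return os.path.basename(os.readlink(link)) if os.path.islink(link) else None

    def record(self, artifact_path: str, input_paths) -> str:
        """Compute the artifact's ADG doc from its direct inputs, store it, link it."""
        inputs = [(gitoid_sha1(_read(p)), self.bom_of(p)) for p in input_paths]
        doc = build_adg_doc(inputs)
        adg_id = gitoid_sha1(doc)
        target = os.path.join(self.objects, adg_id)
        if not os.path.exists(target):      # content-addressed: write once
            _write(target, doc)
        link = artifact_path + ".gitbom_adg"
        if os.path.lexists(link):
            os.unlink(link)
        os.symlink(target, link)
        return adg_id


def fake_compile(src: str, obj: str) -> None:
    """Stand-in compiler: derives the object file from the source, no bom-id."""
    _write(obj, b"OBJ:" + _read(src))


def fake_link(exe: str, objs) -> None:
    """Stand-in linker: concatenates objects, no bom-id embedded in the output."""
    _write(exe, b"".join(_read(o) for o in objs))


def demo_two_builds(root=None):
    """Build twice from identical sources; return (artifact ids equal, adg ids equal, ids)."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo_two_builds(tmp)
    store = AdgStore(root)
    results = []
    for n in (1, 2):
        d = os.path.join(root, f"build{n}")
        os.makedirs(d)
        src, obj, exe = (os.path.join(d, x) for x in ("hello.c", "hello.o", "hello"))
        _write(src, b"int main(void) { return 0; }\n")   # constructed source
        fake_compile(src, obj)
        store.record(obj, [src])                           # hello.o.gitbom_adg
        fake_link(exe, [obj])
        adg_id = store.record(exe, [obj])                  # hello.gitbom_adg
        results.append((gitoid_sha1(_read(exe)), adg_id))
    (a1, b1), (a2, b2) = results
    return a1 == a2, b1 == b2, results


if __name__ == "__main__":
    same_artifact, same_adg, ids = demo_two_builds()
    print("artifact gitoids equal:", same_artifact, "| ADG gitoids equal:", same_adg)
    for artifact_id, adg_id in ids:
        print(f"artifact {artifact_id} -> ADG {adg_id}")
```

Because the ADG document for hello is built from the gitoid of hello.o plus the gitoid of hello.o's own ADG doc, a change anywhere in the intermediate inputs changes the final ADG gitoid; that is the sense in which two builds agreeing on the gitBOM ID is a stronger statement than two builds agreeing on the artifact bytes alone.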