Removing build metadata, for reproducible kernel builds

Fabian Keil freebsd-listen at
Fri Dec 4 14:59:02 UTC 2015

Ed Maste <emaste at> wrote:

> The main issue currently preventing kernel builds from being
> reproducible[1] is the build metadata itself that's included (time,
> user, host, build path). In order to make the kernel build
> reproducible I plan to remove these by default, and add a src.conf
> knob to enable them for developers who want them in their own builds.

To make the ElectroBSD build (kernel, world and release)
reproducible the time, user and host can be overwritten.

To make this more convenient the user can do this through a shell
script (/usr/src/ which reads the values from a small
config file (/usr/src/reproduce.conf) which is included in the src.txz.

Example content:

| BUILD=ElectroBSD-r291706-29246dc
| EPOCH=1449163375

Currently the build path can't be changed between builds, mainly
because I expect most users to reproduce the build using a jail
in which case this limitation doesn't seem to matter.

The relevant patches (minus the ones I overlooked) are now available at:

Due to the auto-untainting (also done by this is not
expected to build with vanilla FreeBSD, but if that code is disabled
it might work.

If anyone with a address and an OpenPGP key is interested
in the whole ElectroBSD patchset (which contains security fixes that
were (mostly) sent to freebsd-so@ months ago but have not been addressed
yet) I'll provide it upon request.

> The user-facing effect of this is that the kern.version sysctl no
> longer conveys this information, and uname -a changes from something
> like:

Allowing the values to be overwritten avoids this problem.

More information about the freebsd-arch mailing list
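
The message above describes a small config file whose values replace the build time and label. The following is an added example, not the ElectroBSD script or any FreeBSD code: it reads such a file by parsing it rather than sourcing it, since a config shipped inside a source tarball is input from another party. The function and variable names are hypothetical, and it assumes the "| " prefix in the message is mail quoting and the file holds plain KEY=VALUE lines.

```shell
#!/bin/sh
# Added example: names are hypothetical, not taken from ElectroBSD or FreeBSD.

# load_reproduce_conf FILE
# Sets REPRO_BUILD and REPRO_EPOCH; returns non-zero on malformed input.
load_reproduce_conf() {
    REPRO_BUILD= REPRO_EPOCH=
    # Split each line at the first '='; also accept a last line without newline.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case $key in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        case $key in
            BUILD)
                # Conservative character set for the build label.
                case $value in
                    ''|*[!A-Za-z0-9._-]*) echo "bad BUILD value" >&2; return 1 ;;
                esac
                REPRO_BUILD=$value ;;
            EPOCH)
                # Seconds since 1970-01-01 UTC: digits only.
                case $value in
                    ''|*[!0-9]*) echo "bad EPOCH value" >&2; return 1 ;;
                esac
                REPRO_EPOCH=$value ;;
            *)  echo "unexpected key: $key" >&2; return 1 ;;
        esac
    done < "$1"
    # Both values must be present for the build metadata to be fully pinned.
    [ -n "$REPRO_BUILD" ] && [ -n "$REPRO_EPOCH" ]
}

# fixed_build_date EPOCH
# Prints the timestamp in UTC under the C locale, so the resulting string
# does not depend on the builder's clock, time zone or language settings.
# Tries GNU date syntax first, then BSD date syntax.
fixed_build_date() {
    LC_ALL=C TZ=UTC date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null ||
        LC_ALL=C TZ=UTC date -u -r "$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# Constructed sample input, using the two values shown in the message.
conf=$(mktemp)
printf 'BUILD=ElectroBSD-r291706-29246dc\nEPOCH=1449163375\n' > "$conf"
load_reproduce_conf "$conf" &&
    echo "$REPRO_BUILD built $(fixed_build_date "$REPRO_EPOCH")"
rm -f "$conf"
```

Two builders who load the same file get the same label and the same date string regardless of when or where they build, which is what lets their outputs be compared byte for byte.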