Removing build metadata, for reproducible kernel builds
Fabian Keil
freebsd-listen at fabiankeil.de
Fri Dec 4 14:59:02 UTC 2015
Ed Maste <emaste at freebsd.org> wrote:
> The main issue currently preventing kernel builds from being
> reproducible[1] is the build metadata itself that's included (time,
> user, host, build path). In order to make the kernel build
> reproducible I plan to remove these by default, and add a src.conf
> knob to enable them for developers who want them in their own builds.
To make the ElectroBSD build (kernel, world and release)
reproducible the time, user and host can be overwritten.
To make this more convenient the user can do this through a shell
script (/usr/src/reproduce.sh) which reads the values from a small
config file (/usr/src/reproduce.conf) which is included in the src.txz.
Example content:
| BUILD=ElectroBSD-r291706-29246dc
| EPOCH=1449163375
Currently the build path can't be changed between builds, mainly
because I expect most users to reproduce the build using a jail
in which case this limitation doesn't seem to matter.
The relevant patches (minus the ones I overlooked) are now available at:
https://www.fabiankeil.de/sourcecode/electrobsd/reproducible-build-goo-r291706-29246dc.diff
Due to the auto-untainting (also done by reproduce.sh) this is not
expected to build with vanilla FreeBSD, but if that code is disabled
it might work.
If anyone with a freebsd.org address and an OpenPGP key is interested
in the whole ElectroBSD patchset (which contains security fixes that
were (mostly) sent to freebsd-so@ months ago but have not been addressed
yet) I'll provide it upon request.
> The user-facing effect of this is that the kern.version sysctl no
> longer conveys this information, and uname -a changes from something
> like:
Allowing to overwrite the values avoids this problem.
Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20151204/7172129b/attachment.bin>
More information about the freebsd-arch
mailing list