Removing build metadata, for reproducible kernel builds
freebsd-listen at fabiankeil.de
Fri Dec 4 14:59:02 UTC 2015
Ed Maste <emaste at freebsd.org> wrote:
> The main issue currently preventing kernel builds from being
> reproducible is the build metadata itself that's included (time,
> user, host, build path). In order to make the kernel build
> reproducible I plan to remove these by default, and add a src.conf
> knob to enable them for developers who want them in their own builds.
To make the ElectroBSD build (kernel, world and release)
reproducible the time, user and host can be overwritten.
To make this more convenient the user can do this through a shell
script (/usr/src/reproduce.sh) which reads the values from a small
config file (/usr/src/reproduce.conf) which is included in the src.txz.
Currently the build path can't be changed between builds, mainly
because I expect most users to reproduce the build using a jail
in which case this limitation doesn't seem to matter.
The relevant patches (minus the ones I overlooked) are now available at:
Due to the auto-untainting (also done by reproduce.sh) this is not
expected to build with vanilla FreeBSD, but if that code is disabled
it might work.
If anyone with a freebsd.org address and an OpenPGP key is interested
in the whole ElectroBSD patchset (which contains security fixes that
were (mostly) sent to freebsd-so@ months ago but have not been addressed
yet) I'll provide it upon request.
> The user-facing effect of this is that the kern.version sysctl no
> longer conveys this information, and uname -a changes from something
Allowing to overwrite the values avoids this problem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 181 bytes
Desc: OpenPGP digital signature
More information about the freebsd-arch