Allow to clamp mtime to SOURCE_DATE_EPOCH #1699

Merged
merged 1 commit into from Mar 5, 2021

bmwiedemann
Contributor

Allow to clamp mtime to SOURCE_DATE_EPOCH
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.

Without this patch, openSUSE's scap-security-guide package had variations in /usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml for every build:

```
  <ds:component id="scap_org.open-scap_comp_ssg-opensuse-oval.xml" timestamp="2021-02-23T09:58:15">
```

as it was created by oscap ds sds-compose ...

@openscap-ci

Can one of the admins verify this patch?

@bmwiedemann
Contributor Author

related: ComplianceAsCode/content#6642

and then there is one more issue to solve about nondeterminism from filesystem readdir order.

@evgenyz
Contributor

evgenyz commented Feb 25, 2021

Okay, it seems to be important and not really a user-facing trick. Maybe you would also fancy creating a test for it?

@evgenyz
Contributor

evgenyz commented Feb 25, 2021

@openscap-ci ok to test

@evgenyz
Contributor

evgenyz commented Feb 25, 2021

@jan-cerny I recall that I once tried to locate the list of environment variables, honored by the scanner, and failed. Do we have it somewhere? If not – I'll create an issue to make one.

@evgenyz evgenyz added this to the 1.3.5 milestone Feb 25, 2021
@bmwiedemann
Contributor Author

> would also fancy creating a test for it

Since I don't know the codebase, I'm usually not good at that. For the test design, there would be 4 cases:

  • SOURCE_DATE_EPOCH not set - same as previous behaviour
  • SOURCE_DATE_EPOCH=2123456789 - same as previous behaviour (until 2037)
  • SOURCE_DATE_EPOCH=invalid - same as previous behaviour
  • SOURCE_DATE_EPOCH=1 - all files' mtimes are clamped to 1970-01-01T00:00:01
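
The four cases listed above, worked through with a small clamp routine. This is an added example, not code from the pull request or from OpenSCAP; `clamp_mtime`, `format_ts` and the sample build time are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper (not OpenSCAP's function): clamp mtime to the value of
 * SOURCE_DATE_EPOCH passed in sde; sde is NULL when the variable is unset. */
time_t clamp_mtime(time_t mtime, const char *sde)
{
    if (sde == NULL || *sde == '\0')
        return mtime;                      /* not set: previous behaviour */

    char *end = NULL;
    errno = 0;
    long long epoch = strtoll(sde, &end, 10);
    /* Assumption: non-numeric, trailing junk, overflow or negative = invalid. */
    if (errno != 0 || end == sde || *end != '\0' || epoch < 0)
        return mtime;                      /* invalid: previous behaviour */

    /* Clamping only lowers timestamps newer than the epoch; a value in the
     * future therefore leaves the mtime untouched. */
    return ((long long)mtime > epoch) ? (time_t)epoch : mtime;
}

/* Format in the style of the timestamp="..." attribute, in UTC. */
const char *format_ts(time_t t, char *buf, size_t len)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL || strftime(buf, len, "%Y-%m-%dT%H:%M:%S", tm) == 0)
        return NULL;
    return buf;
}

int main(void)
{
    time_t build = 1614074295;  /* constructed sample: 2021-02-23T09:58:15 UTC */
    const char *cases[] = { NULL, "2123456789", "invalid", "1" };
    char buf[32];

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("SOURCE_DATE_EPOCH=%s -> %s\n",
               cases[i] ? cases[i] : "(unset)",
               format_ts(clamp_mtime(build, cases[i]), buf, sizeof buf));
    return 0;
}
```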

@evgenyz
Contributor

evgenyz commented Feb 26, 2021

>   • SOURCE_DATE_EPOCH=2123456789 - same as previous behaviour (until 2037)
>   • SOURCE_DATE_EPOCH=invalid - same as previous behaviour

Shouldn't these 2 cases raise a warning (the first one until 2037)?

@bmwiedemann
Contributor Author

bmwiedemann commented Feb 26, 2021

> Shouldn't these 2 cases raise a warning

I try to keep the code as simple as possible. The assumption is that invalid values never happen and values in the future are valid and do not break anything. The future will be past, soon.

@jan-cerny
Member

@evgenyz

> recall that I once tried to locate the list of environment variables, honored by the scanner, and failed. Do we have it somewhere? If not – I'll create an issue to make one.

I think we don't have it.

@jan-cerny jan-cerny merged commit 7e3120f into OpenSCAP:maint-1.3 Mar 5, 2021
1 of 2 checks passed
jan-cerny added a commit to jan-cerny/openscap that referenced this pull request Mar 5, 2021
This test checks if the SOURCE_DATE_EPOCH is used in the
oscap ds sds-compose command as a datastream component timestamp.

Related to OpenSCAP#1699
@bmwiedemann bmwiedemann deleted the mtime branch March 27, 2021 03:43