Add SecureDrop-specific metadata to buildinfo files #434
+50
−37
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
legoktm
force-pushed
the
buildinfo-metadata
branch
from
e25771f
to
f482268
Compare
|
One open question that I kind of discussed in #433 (comment) is at what layer should But then should the build-debianpackage script error out if SD_BUILDER_GITREF is set and we're using the wrong builder? I think that would be a reasonable fail-safe. |
legoktm
force-pushed
the
buildinfo-metadata
branch
from
f482268
to
179241e
Compare
|
This is basically ready for review, but lets land #427 first and then I'll rebase this. |
This will be exported in the `.buildinfo` file so let's prefix it with "SD" to make it abundantly clear this is our environment variable and reduce the risk of collision. There don't appear to be any other users of this besides humans, so I have not added in any backwards-compatibility support for the old name.
dpkg will only export specific known environment variables into the
buildinfo file[1], but we want to track at least two more things:
1) the Git commit of the package being built
2) the Git commit of the securedrop-builder repository being used, as
the bootstrap and wheels used affect the package output.
We can track those by capturing the values before the build process and
then manually adding them to the end of the buildinfo file. This also
means that builds must be done from a Git checkout, and cannot be from a
tarball; so that path now errors out.
It would be too complicated to have this script respect the new
$SD_BUILDER_GITREF by checking out a different version of the
repository, re-initializing the bootstrap, etc., so we leave that as a
responsiblity of the caller. But as a failsafe we still double-check
that the desired version of the builder repository is being used.
While we're at it, look up the package filename by "parsing"
debian/files instead of trying to find it via find.
[1]
https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/scripts/Dpkg/BuildInfo.pm
legoktm
force-pushed
the
buildinfo-metadata
branch
from
179241e
to
5f49360
Compare
|
@legoktm and I discussed this in the DX working group just now. @zenmonkeykstop, I can pick this up, unless you're attached to it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
dpkg will only export specific known environment variables into the
buildinfo file[1], but we want to track at least two more things:
the bootstrap and wheels used affect the package output.
We can track those by capturing the values before the build process and
then manually adding them to the end of the buildinfo file. This also
means that builds must be done from a Git checkout, and cannot be from a
tarball, so that path now errors out.
While we're at it, look up the package filename by "parsing"
debian/files instead of trying to find it via find.
[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/scripts/Dpkg/BuildInfo.pm
I am also renaming
PKG_GITREFtoSD_PKG_GITREF, as this will be exported in the.buildinfofile so let's prefix it with "SD" to make it abundantly clear this is our environment variable and reduce the risk of collision.There don't appear to be any other users of this besides humans, so I have not added in any backwards-compatibility support for the old name.
Test plan
SD_PKG_GITREF=main make securedrop-proxy, verify the buildinfo file contains SD_BUILDER_GITREF and SD_PKG_GITREF with commits that correspond to this builder PR you just checked out and the current main branch of sd-proxy.SD_PKG_GITREF=main make securedrop-proxy, verify SD_BUILDER_GITREF changed to correspond to the new commit you just added.git -C /tmp/securedrop-proxy checkout HEAD~1, note which commit you're now on. RunPKG_PATH=/tmp/securedrop-proxy make securedrop-proxy, verify SD_PKG_GITREF changed to the new commit you switched to.PKG_VERSION=1 make securedrop-keyring, verify the buildinfo file contains SD_BUILDER_GITREF but not SD_PKG_GITREF.