busybox not reproducible for same commit same board build from CI without cache #1225
Comments
|
Something helpful would be to hack CircleCI limitations, and add a step i CircleCI builds to output each board's hashes.txt so that we can easily target what module causes the discrepancy to ease troubleshooting of reproducible builds in the future. |
Lol, sorry for the noise: we already have that. |
|
A quick comparison between hash outputs of the boards builds shows us that busybox is the culprit, consequently affecting tools.cpio, initrd and final rom image hashes. Renaming issue |
tlaurion
changed the title
|
EDIT: cause of difference is most probably linked to debian-11 docker image build stack differences here, since building from a clean github checkout produces the same rom from CircleCI..... Again linked to #1191 #927, and most importantly voiding #936 impacts on reproducible builds: that is, controlling what is poked by configure scripts to have a reproducible outcome (rom here). Creating a reproducible docker image with NixOS/Guix is again the lesser effort with the biggest outcome here. |
|
Sadly, https://try.diffoscope.org/ doesn't have cbfstool and fallsback to binary comparison when provided with 2 coreboot roms. This is sad and I haven't found quickly a way to ask gently to have cbfs installed in their testing suite so users can provide ROMs to be compared online with their tool. Rebuilding with CircleCI's project settings's variable CACHE_VERSION set to f2e45c4 to rebuild from clean checkout. Comparable builds with artifacts will be
Let's remember we can compare hashes.txt between builds, which states hashes for all components, some of which are packed under others. Let's inspect https://output.circle-artifacts.com/output/job/7d0bc3de-9cf5-43b7-a53a-bc06f2ef7005/artifacts/0/build/x86/x230-hotp-maximized/hashes.txt content quickly:
Reusing trick under #590 (comment) permits us to download initrd.cpio.xz from artifacts and compare the binaries directly: |
Hmmmm. Ok. So building clean from CircleCI builds the same ROM today. |
|
For safe measures, I deleted my 5.0.1 branch and created an issue in my personal github, so that when I ask github to sync against master, it triggers a build with same versioning as master. Notes on versioning: heads-x230-hotp-maximized-v0.2.0-1263-gf2e45c4.rom
If the following build creates the same hashes as master, then we have a way to tell users to currently validate "reproducibility" of builds, asking them to fork osresearch heads project and have CircleCI follow their branch for project. Test happening under https://app.circleci.com/pipelines/github/tlaurion/heads/1217/workflows/65c200d2-cfd7-47d3-a357-9fe89c8bf380 |
|
Interestingly enough as well, under bookwork, coreboot-utils exists, so having diffoscope installed permits to compare roms between them easily:
And then diffoscope on the roms downloaded returns nothing (no diff) And we confrm this by comparing the hash files, which shows only differences with dates of produced hashes: |
|
Hmmm. For some reason, my branch produces ROMs appended with a 3 which is not the commit id reported by github (7 chars vs 8):
Example of diffs in rom from diffoscope (where a lot more changes since offsetted by 1 char everywhere) So of course, doing a diffoscope on both binaries shows differences on parts of the rom relaying that part which is considered to be the commit and included at different spaces in the firmware packing.... Will have to investigate |
|
Still confused though.... So why that would be different output from my CircleCI instance is unknown for the moment but is impactful. |
|
Another batch of tests, removing CACHE_VERSION for both osresearch and tlaurion CircleCI configurations (since it might be my fault since both caches were with commit version and might have caused a bug with CircleCI. Next builds to compare: |
|
There is a difference between git reports of what is specified in Makefile to obtain git tag+commit: osresearch: tlaurion: Seems like a way to fix this would be to set the abbrev option to fixate output. Github shows commit ids in an abbrev form of 7 characters. We should force the same inside of the builds for consistency and to avoid reproducibility issues on that: Locally, this fixes the issue: |
Edit: false. Same commit with same build environment produces same rom. Unfortunately, the build system changed within 30 days (packages installed by apt on top of debian-11 docker, where two builds made on top of the same docker-11+same packages applied the same day produces the same rom, with hashes being different then the past) .
Conclusion: again, we need a reproducible toolstack, a docker image that would be pinned in the same commit as Heads and used under CircleCI.
This means we have other problems that would not be resolved by having a reproduced environment; eg: build time of some module being injected in the rom.
Diffoscope between two clean builds on the same environment are needed.
Insights given while rebuilding a same commit over CircleCI since cache expired (latest commit being 30 days ago): #1224
The text was updated successfully, but these errors were encountered: