Drop LSOF_CCDATE in order to ensure reproducible builds #150
Conversation
|
By the way - there are additional variables that seem completely unnecessary that I could also remove if you'd like. On my system after I build, I see the following output from 'lsof -v': lsof version information: Distributions often override those variables (Debian overrides LSOF_CCDATE, LSOF_HOST, LSOF_LOGNAME, LSOF_SYSINFO, and LSOF_USER). I'm not sure who actually cares what compiler was used (LSOF_CC), or when it was built (LSOF_CCDATE) and by who (LSOF_USER/LSOF_LOGNAME) and where (LSOF_HOST). I'm happy to add additional commits to this branch to remove more of those variables if you agree with removing any of them. LSOF_SYSINFO in particular seems very unneccessary. |
|
We have already an applied patch for the same purpose. |
|
Dropping the coverage is not important in this pull request, of course. |
That will also work. The Debian patch (which you can see here: Personally I'd still rather see a bunch of the noise removed, but it's your choice. |
|
Could you consider writing an entry for your change at the end of 00DIST file? |
|
Sure, but how should I be updating this branch? Removing CCDATE or adding the freebsd override using SOURCE_DATE_EPOCH? |
|
Let's remove CCDATE. |
LSOF_CCDATE is used to embed the build time/date string into the lsof binary. This string is displayed as part of 'lsof -v' output. However, having that embedded string breaks reproducible builds - we want to ensure that subsequent builds (using the same exact build environemnt) produce the same exact binary, bit-for-bit. The Linux dialect replaced the LSOF_CCDATE variable with the SOURCE_DATE_EPOCH variable for this reason. However, it doesn't make sense to even include the build date. We have 'ls -l' and version strings to give us information about an installed binary. So let's just drop the build time/date string. SOURCE_DATE_EPOCH was overriding the LSOF_HOST, LSOF_LOGNAME, LSOF_SYSINFO, and LSOF_USER variables on Linux. These variables are already capable of being overridden, and having "SOURCE_DATE_EPOCH" as a shortcut for overriding random other variables (even if it is being standardized by the reproducible-builds.org folks) doesn't make much sense. So this also gets rid of SOURCE_DATE_EPOCH.
dilinger
force-pushed
the
reproducible
branch
from
94aab92
to
1b2722b
Compare
|
Thank you. I will review (and merge). |
LSOF_CCDATE is used to embed the build time/date string into the lsof binary.
This string is displayed as part of 'lsof -v' output. However, having that
embedded string breaks reproducible builds - we want to ensure that subsequent
builds (using the same exact build environemnt) produce the same exact binary,
bit-for-bit.
Debian has a patch that allows overriding the variable, similar to what lsof allows
for LSOF_HOST (and others). Let me know if you'd prefer that patch. However,
I'm of the opinion that LSOF_CCDATE should just be dropped completely. We
can see the version to tell us what the corresponding source code is, and we have
file timestamps to tell us when a binary was installed. LSOF_CCDATE provides
no security, as an attacker could hardcode the older date/time string in their
malicious binary. So, this pull request just drops the variable completely.