Drop LSOF_CCDATE in order to ensure reproducible builds #150
By the way - there are additional variables that seem completely unnecessary that I could also remove if you'd like. On my system after I build, I see the following output from 'lsof -v': lsof version information:

Distributions often override those variables (Debian overrides LSOF_CCDATE, LSOF_HOST, LSOF_LOGNAME, LSOF_SYSINFO, and LSOF_USER). I'm not sure who actually cares what compiler was used (LSOF_CC), or when it was built (LSOF_CCDATE) and by who (LSOF_USER/LSOF_LOGNAME) and where (LSOF_HOST).

I'm happy to add additional commits to this branch to remove more of those variables if you agree with removing any of them. LSOF_SYSINFO in particular seems very unnecessary.
We already have an applied patch for the same purpose.
Dropping the coverage is not important in this pull request, of course.
That will also work. The Debian patch (which you can see here: Personally I'd still rather see a bunch of the noise removed, but it's your choice.
Could you consider writing an entry for your change at the end of the 00DIST file?
Sure, but how should I be updating this branch? Removing CCDATE or adding the freebsd override using SOURCE_DATE_EPOCH?
Let's remove CCDATE.
LSOF_CCDATE is used to embed the build time/date string into the lsof binary. This string is displayed as part of 'lsof -v' output. However, having that embedded string breaks reproducible builds - we want to ensure that subsequent builds (using the same exact build environment) produce the same exact binary, bit-for-bit.

The Linux dialect replaced the LSOF_CCDATE variable with the SOURCE_DATE_EPOCH variable for this reason. However, it doesn't make sense to even include the build date. We have 'ls -l' and version strings to give us information about an installed binary. So let's just drop the build time/date string.

SOURCE_DATE_EPOCH was overriding the LSOF_HOST, LSOF_LOGNAME, LSOF_SYSINFO, and LSOF_USER variables on Linux. These variables are already capable of being overridden, and having "SOURCE_DATE_EPOCH" as a shortcut for overriding random other variables (even if it is being standardized by the reproducible-builds.org folks) doesn't make much sense. So this also gets rid of SOURCE_DATE_EPOCH.
94aab92 to 1b2722b
Thank you. I will review (and merge).
LSOF_CCDATE is used to embed the build time/date string into the lsof binary.
This string is displayed as part of 'lsof -v' output. However, having that
embedded string breaks reproducible builds - we want to ensure that subsequent
builds (using the same exact build environment) produce the same exact binary,
bit-for-bit.
Debian has a patch that allows overriding the variable, similar to what lsof allows
for LSOF_HOST (and others). Let me know if you'd prefer that patch. However,
I'm of the opinion that LSOF_CCDATE should just be dropped completely. We
can see the version to tell us what the corresponding source code is, and we have
file timestamps to tell us when a binary was installed. LSOF_CCDATE provides
no security, as an attacker could hardcode the older date/time string in their
malicious binary. So, this pull request just drops the variable completely.
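
As an added illustration of the reproducibility point in this pull request (not code from lsof or from any participant): a Python check that compares two builds of the same source and, when they differ, reports the printable strings that contain the differing bytes. The byte strings are constructed stand-ins for binaries, and all function names are hypothetical.

```python
import hashlib
import string

# Printable ASCII without control whitespace, used to delimit embedded strings.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def diff_ranges(a: bytes, b: bytes, gap: int = 4):
    """Return [start, end) ranges where two equal-length builds differ,
    merging differences that lie closer than `gap` bytes apart."""
    ranges = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if ranges and i - ranges[-1][1] < gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def enclosing_string(blob: bytes, start: int, end: int) -> str:
    """Widen a differing range to the printable string that contains it."""
    while start > 0 and blob[start - 1] in PRINTABLE:
        start -= 1
    while end < len(blob) and blob[end] in PRINTABLE:
        end += 1
    return blob[start:end].decode("ascii", "replace")

def explain_mismatch(a: bytes, b: bytes):
    """Return (reproducible, [(string_in_a, string_in_b), ...])."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return True, []
    if len(a) != len(b):
        return False, [("<length %d>" % len(a), "<length %d>" % len(b))]
    pairs = []
    for s, e in diff_ranges(a, b):
        pair = (enclosing_string(a, s, e), enclosing_string(b, s, e))
        if pair not in pairs:
            pairs.append(pair)
    return False, pairs

def fake_build(date: str) -> bytes:
    """Constructed stand-in for a binary that embeds a build-date string."""
    return b"\x7fELF\x00\x01code\x00tool 1.0\x00" + date.encode() + b"\x00\x90\x90"

BUILD_1 = fake_build("Mon Jan  6 10:15:02 UTC 2020")   # constructed sample date
BUILD_2 = fake_build("Mon Jan  6 10:17:44 UTC 2020")   # same source, built later

if __name__ == "__main__":
    print(explain_mismatch(BUILD_1, BUILD_2))                # date string is the culprit
    print(explain_mismatch(fake_build(""), fake_build("")))  # date dropped: identical
```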