script/release.sh: make builds reproducible

What it takes is add an empty buildid, which, together with previously added strip invocation, results in reproducible build! NB: earlier versions of this patch also added the following: 1. non-random libseccomp install $prefix; 2. "objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a" to strip ar dates and UIDs/GIDs; 3. "-B=0x00" to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID. Apparently, all this is not needed with strip. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Jul 27, 2021 · 18f434e · 18f434e
1 parent 61e201a
commit 18f434e
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/script/release.sh b/script/release.sh
@@ -33,7 +33,6 @@ function build_project() {
 	local libseccomp_ver='2.5.1'
 	local tarball="libseccomp-${libseccomp_ver}.tar.gz"
 	local prefix
-	local ldflags="-w -s"
 	prefix="$(mktemp -d)"
 	wget "https://github.com/seccomp/libseccomp/releases/download/v${libseccomp_ver}/${tarball}"{,.asc}
 	tar xf "$tarball"
@@ -44,6 +43,11 @@ function build_project() {
 	)
 	mv "$tarball"{,.asc} "$builddir"
 
+	# For reproducible builds, add these to EXTRA_LDFLAGS:
+	#  -w to disable DWARF generation;
+	#  -s to disable symbol table;
+	#  -buildid= to remove variable build id.
+	local ldflags="-w -s -buildid="
 	# Add -a to go build flags to make sure it links against
 	# the provided libseccomp, not the system one (otherwise
 	# it can reuse cached pkg-config results).