build: introduce buildinfo files for reproducibility #2121
Makefile
Outdated
| @@ -92,6 +92,8 @@ checksum: FORCE | |||
| diffconfig: FORCE | |||
| mkdir -p $(BIN_DIR) | |||
| $(SCRIPT_DIR)/diffconfig.sh > $(BIN_DIR)/config.seed | |||
| echo "# buildroot $$(git --git-dir $(TOPDIR)/.git rev-parse HEAD)" > $(BIN_DIR)/feeds.seed | |||
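Review bot: The `git rev-parse` on the added `echo` line is unchecked: when `$(TOPDIR)/.git` is missing, the command substitution yields an empty string, `echo` still exits 0, and `feeds.seed` starts with a bare `# buildroot ` header while the build carries on as if a revision had been recorded. Since the file exists to pin the source for a later rebuild, make the target fail (or write an explicit marker) when no revision can be determined. The line also creates `feeds.seed` from inside the `diffconfig` target, which is easy to miss; a separately named target would make that side effect visible.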
Note that this may fail if buildroot does not reside in Git (which is something we do support at least for releases). This can for example happen if you download a release tarball from the GitHub release page; such a tarball will come without any metadata.
Maybe it would be better to use the output of ./scripts/getver.sh instead which is able to cope with such a situation.
From my POV it's not diffconfig target anymore, you're as well adding feeds config and build config which are probably separate things.
So this probably should be something like:

```makefile
# Record the buildroot commit in a sourceable key=value file
buildconfig: FORCE
	echo "commit=$$(git --git-dir $(TOPDIR)/.git rev-parse HEAD)" > $(BIN_DIR)/build.seed

# Record the feed revisions
feedsconfig: FORCE
	$(SCRIPT_DIR)/feeds list -fs >> $(BIN_DIR)/feeds.seed

prepare: .config $(tools/stamp-compile) $(toolchain/stamp-compile)
	$(_SINGLE)$(SUBMAKE) -r diffconfig feedsconfig buildconfig
```

so you can then just source build.seed in some script/make target and simply use it, without any additional parsing. And I think that it's likely that we (or downstream projects) might also need to add other variables to the build.seed in order to provide enough information for reproducible builds.
Switched to using getver.sh and introduced buildconfig and feedsconfig.
|
looks good for a start, however jow is right, you also need to support
non-git checkouts...
(and i'm a bit bothered/sad that you don't reuse the .buildinfo term.)
--
tschau,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
|
cb0be9f
to
74ee4f6
|
On Thu, Jun 13, 2019 at 07:49:49AM -0700, Paul Spooren wrote:
> Talking with @h01ger I decided to rename all files required for reproducibility to +.buildinfo as described [here](https://reproducible-builds.org/docs/recording/).

yay & thank you!
--
tschau,
Holger
|
|
I’d very much like to see this merged. Once merged I can create a rebuild tool to verify not only release builds but also user builds offered in the OpenWrt forum.
|
@lynxis ping |
|
@h01ger could you please check the script I attached? Would be very happy this gets merged |
|
On Tue, Jul 02, 2019 at 04:40:23AM -0700, Paul Spooren wrote:
> @h01ger could you please check the script I attached?

looks good to me, though obviously i'm not an openwrt expert :)

> Would be very happy this gets merged

same here.
--
tschau,
Holger
|
scripts/rebuild.sh
Outdated
| [ -z "$COMMIT" ] && exit 1 | ||
|
|
||
| [ -d "$REBUILD_DIR/openwrt" ] || \ | ||
| git clone https://github.com/openwrt/openwrt.git "$REBUILD_DIR/openwrt/" --depth 1 |
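Review bot: `--depth 1` on the `git clone` line fetches only the tip of the default branch, so a `$COMMIT` taken from an older build will not be present in `$REBUILD_DIR/openwrt` if the script checks it out afterwards. Either drop `--depth 1` or fetch the wanted commit explicitly. The `[ -d "$REBUILD_DIR/openwrt" ] ||` guard also reuses whatever tree is already in that directory without fetching or checking that it is clean, which weakens a rebuild meant for verification, and `[ -z "$COMMIT" ] && exit 1` exits without telling the user why.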
Couldn't the URL come from buildinfo as well instead of hard-coding it here? Then at least you'd know that a certain binary is based on a different tree (there are a lot of forks of OpenWrt, vendor SDKs, ...)
And wouldn't https://git.openwrt.org/openwrt/openwrt.git be better anyway?
@dangowrt the rebuild.sh is just a "proof of concept", to be later used in a CI or something. However, it seems like a good idea to store the origin source in buildfiles. What would you suggest?
|
The rebuild.sh is more of a proof of concept but a tool to be really added. As this PR is cherry-picked anyway, only the first commit should be picked. I'd be happy to see some progress here, once done I'd work together with @h01ger to integrate it in their CI.
|
On Wed, Jul 31, 2019 at 06:19:16AM -0700, Paul Spooren wrote:
> The rebuild.sh is more of a *proof of concept* but a tool to be really added. As this PR is cherry-picked anyway, only the first commit should be picked.

then split this commit in two?

> I'd be happy to see some progress here, once done I'd work together with @h01ger to integrate it in their CI.

sure!
--
tschau,
Holger
|
Done |
generate feeds.buildinfo and version.buildinfo in build dir after
containing the feed revisions (via ./scripts/feeds list -sf) as well as
the current revision of buildroot (via ./scripts/getver.sh).
With this information it should be possible to reproduce any build,
especially the release builds.
Usage would be to move feeds.buildinfo to feeds.conf and git checkout the
revision hash of version.buildinfo.
Content of feeds.buildinfo would look similar to this:
src-git routing https://git.openwrt.org/feed/routing.git^bf475d6
src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e
...
Content of version.buildinfo would look similar to this:
r10203+1-c12bd3a21b
Without the exact feed revision it is not possible to determine
installed package versions.
Also rename config.seed to config.buildinfo to follow the recommended
style of https://reproducible-builds.org/docs/recording/
Signed-off-by: Paul Spooren <mail@aparcar.org>
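
The usage described in the commit message above depends on both files being machine-readable and every feed being pinned. The following is an added example, not code from this PR or from OpenWrt: the function names are hypothetical, the field layout is inferred only from the two samples in the commit message, and the `example.org` feed is constructed to show the unpinned case.

```shell
#!/bin/sh
# Added example: read the two buildinfo formats shown in the commit message.
# Function names are hypothetical; field layout is inferred from the samples.

# version_commit FILE: print the abbreviated commit hash, or fail.
# Assumes the hash is the hex run after the last '-' (r10203+1-c12bd3a21b).
version_commit() {
	ver=$(head -n 1 "$1") || return 1
	hash=${ver##*-}
	case "$ver" in r[0-9]*-*) ;; *) return 1 ;; esac
	case "$hash" in ""|*[!0-9a-f]*) return 1 ;; esac
	printf '%s\n' "$hash"
}

# feeds_pins FILE: print "name url rev" for each src-git feed. Returns 1 if
# any feed has no ^revision, because an unpinned feed cannot be reproduced.
feeds_pins() {
	rc=0
	while read -r kind name url _; do
		case "$kind" in ""|\#*) continue ;; esac
		[ "$kind" = "src-git" ] || { echo "skipped: $kind $name" >&2; continue; }
		case "$url" in
			*"^"*) rev=${url##*"^"}; url=${url%"^"*} ;;
			*) echo "unpinned: $name $url" >&2; rc=1; continue ;;
		esac
		case "$rev" in ""|*[!0-9a-f]*) echo "bad rev: $name" >&2; rc=1; continue ;; esac
		printf '%s %s %s\n' "$name" "$url" "$rev"
	done < "$1"
	return "$rc"
}

# Constructed sample input: the first two feeds are the lines from the commit
# message, the third (example.org) is made up to show the unpinned case.
demo() {
	d=$(mktemp -d) || return 1
	printf 'r10203+1-c12bd3a21b\n' > "$d/version.buildinfo"
	printf '%s\n' \
		'src-git routing https://git.openwrt.org/feed/routing.git^bf475d6' \
		'src-git telephony https://git.openwrt.org/feed/telephony.git^470eb8e' \
		'src-git custom https://example.org/feed/custom.git' > "$d/feeds.buildinfo"
	echo "commit: $(version_commit "$d/version.buildinfo")"
	feeds_pins "$d/feeds.buildinfo" || echo "feeds.buildinfo is not fully pinned"
	rm -rf "$d"
}
demo
```

A version string that does not end in a hex hash, which is what a non-git checkout would be expected to produce, makes `version_commit` fail instead of handing a bogus revision to `git checkout`.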
|
Cherry-picked onto master (a while ago). |
generate feeds.buildinfo and commit.buildinfo in build dir after
containing the feed revisions (via ./scripts/feeds list -sf) as well as
the current revision of buildroot (via ./scripts/getver.sh).
With this information it should be possible to reproduce any build,
especially the release builds.
Usage would be to move feeds.buildinfo to feeds.conf and git checkout the
revision hash of commit.buildinfo.
Content of feeds.buildinfo would look similar to this:
Content of commit.buildinfo would look similar to this:
Without the exact feed revision it is not possible to determine
installed package versions.
Also rename config.seed to config.buildinfo to follow the recommended
style of https://reproducible-builds.org/docs/recording/
Signed-off-by: Paul Spooren <mail@aparcar.org>