From: Juro Bystricky <juro.bystricky@intel.com>
To: openembedded-core@lists.openembedded.org
Cc: jurobystricky@hotmail.com
Subject: [PATCH v2 0/6] Reproducible binaries
Date: Mon,  1 May 2017 13:58:58 -0700
Message-ID: <1493672344-21965-1-git-send-email-juro.bystricky@intel.com>

This patch set (V2) contains several patches aimed to achieve reproducible binaries.
Building reproducible binaries may remove certain intentional
randomness intended for increased security. Hence, it is reasonable
to expect there will be cases where this is not desirable.
The user can select his/her preferences via the variable
BUILD_REPRODUCIBLE_BINARIES. The variable defaults to "0" (do not
build reproducible binaries) in order to minimize any potential
regressions.

For debian packages we get a lot of binary identical packages simply by
exporting SOURCE_DATE_EPOCH. This is done automatically when
BUILD_REPRODUCIBLE_BINARIES="1".

For rootfs we get much fewer differences by modified prelinking and by
ensuring various timestamps are reproducible.

For example, building core-image-minimal with this patchset,
using the following settings in the local.conf:

    BUILD_REPRODUCIBLE_BINARIES="1"
    LDCONFIGDEPEND=""
    IMAGE_CMD_TAR="tar -v --sort=name"

    #Optional user specified timestamps:
    REPRODUCIBLE_TIMESTAMP_IMAGE_PRELINK="1483228800"
    REPRODUCIBLE_TIMESTAMP_ROOTFS="1483228800"

we can build binary identical core-image-minimal-rootfs.tar.bz2 images.
(Tested on the same machine, two different build folders, images built at different
times)
Eventually, it will be possible to build identical core-image-minimal-rootfs.ext4
as well. (Note in this test case the rootfs is built without pre-built ldconfig aux-cache).
This patchset does not address the reproducibility of the linux kernel nor
the reproducibility of linux kernel modules.



Juro Bystricky (6):
  bitbake.conf: new variable BUILD_REPRODUCIBLE_BINARIES
  base.bbclass: initial support for binary reproducibility
  image-prelink.bbclass: support binary reproducibility
  rootfs-postcommands.bbclass: support binary reproducibility
  busybox.inc: improve reproducibility
  image.bbclass: support binary reproducibility

 meta/classes/base.bbclass                | 82 ++++++++++++++++++++++++++++++++
 meta/classes/image-prelink.bbclass       | 12 ++++-
 meta/classes/image.bbclass               | 12 +++++
 meta/classes/rootfs-postcommands.bbclass | 24 ++++++++--
 meta/conf/bitbake.conf                   | 11 +++++
 meta/recipes-core/busybox/busybox.inc    |  3 ++
 6 files changed, 140 insertions(+), 4 deletions(-)

-- 
2.7.4
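
As an added illustration (not part of the original message or the patch set), the Python sketch below shows why sorted member order plus a fixed timestamp yields byte-identical tar archives from two build folders populated at different times. The helper names and sample files are constructed, and the ownership normalization is an assumption beyond the settings quoted in the message.

```python
import hashlib, io, os, tarfile, tempfile

TIMESTAMP = 1483228800  # REPRODUCIBLE_TIMESTAMP_ROOTFS value from the local.conf above

def make_tree(root, files, mtime):
    """Write the constructed sample files in the given order, stamped with mtime."""
    for rel, data in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))

def tar_digest(root, reproducible):
    """SHA-256 of an uncompressed tar of root; normalized when reproducible=True."""
    def normalize(info):
        info.mtime = TIMESTAMP            # fixed timestamp instead of build time
        info.uid = info.gid = 0           # assumption: ownership is normalized too
        info.uname = info.gname = "root"
        return info

    rels = []
    for cur, dirs, names in os.walk(root):
        rels += [os.path.relpath(os.path.join(cur, n), root) for n in dirs + names]
    if reproducible:
        rels.sort()                       # same intent as tar --sort=name
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in rels:
            tar.add(os.path.join(root, rel), arcname=rel, recursive=False,
                    filter=normalize if reproducible else None)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def demo():
    """Pack two build folders with identical content but different history."""
    files = [("etc/hostname", b"qemux86\n"), ("bin/busybox", b"\x7fELF constructed"),
             ("etc/passwd", b"root::0:0:root:/root:/bin/sh\n")]
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, files, 1493672344)         # first build
        make_tree(b, files[::-1], 1493758744)   # later build, other creation order
        return {"naive": (tar_digest(a, False), tar_digest(b, False)),
                "reproducible": (tar_digest(a, True), tar_digest(b, True))}

if __name__ == "__main__":
    for mode, (h1, h2) in demo().items():
        print(mode, "identical" if h1 == h2 else "DIFFERENT", h1[:16], h2[:16])
```

Comparing digests of independently produced images in this way is what lets a third party check that a published image corresponds to the stated sources and configuration.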




Thread overview: 13+ messages
2017-05-01 20:58 Juro Bystricky [this message]
2017-05-01 20:58 ` [PATCH v2 1/6] bitbake.conf: new variable BUILD_REPRODUCIBLE_BINARIES Juro Bystricky
2017-05-01 23:13   ` Richard Purdie
2017-05-02  0:35     ` Bystricky, Juro
2017-05-02  5:55       ` Martin Jansa
2017-05-01 20:59 ` [PATCH v2 2/6] base.bbclass: initial support for binary reproducibility Juro Bystricky
2017-06-14 20:30   ` Martin Jansa
2017-06-14 20:50     ` Bystricky, Juro
2017-05-01 20:59 ` [PATCH v2 3/6] image-prelink.bbclass: support " Juro Bystricky
2017-05-01 20:59 ` [PATCH v2 4/6] rootfs-postcommands.bbclass: " Juro Bystricky
2017-05-01 20:59 ` [PATCH v2 5/6] busybox.inc: improve reproducibility Juro Bystricky
2017-05-02  0:31   ` Andre McCurdy
2017-05-01 20:59 ` [PATCH v2 6/6] image.bbclass: support binary reproducibility Juro Bystricky
