[OE-core] [PATCH v2 1/6] bitbake.conf: new variable BUILD_REPRODUCIBLE_BINARIES

Richard Purdie richard.purdie at linuxfoundation.org
Mon May 1 23:13:17 UTC 2017


On Mon, 2017-05-01 at 13:58 -0700, Juro Bystricky wrote:
> Building reproducible binaries may remove certain intentional
> randomness intended for increased security. Hence, it is reasonable
> to expect there will be cases where this is not desirable.
> The user can select his/her preferences via the variable
> BUILD_REPRODUCIBLE_BINARIES. The variable defaults to "0" (do not
> build reproducible binaries) in order to minimize any potential
> regressions. (Once the reproducible binaries code is mature enough,
> it can be set to "1".)
> If the variable BUILD_REPRODUCIBLE_BINARIES is set to "1",
> timestamp values taken from additional variables will be optionally
> used when building binary reproducible images:
> 
>     REPRODUCIBLE_TIMESTAMP_ROOTFS
>         If the value is specified, all files mtime will be set to this value.
>         In addition, /etc/timestamp and /etc/version will both contain the value.
>         If no value is specified, timestamp will be derived from the top git commit.
> 
>     REPRODUCIBLE_TIMESTAMP_IMAGE_PRELINK
>         Value passed via environment variable PRELINK_TIMESTAMP to the prelink program.
>         If the value is specified, the value will be used.
>         If no value is specified, timestamp will be derived from the top git commit.
> 
> Signed-off-by: Juro Bystricky <juro.bystricky at intel.com>
> ---
>  meta/conf/bitbake.conf | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> index 227babd..6ce1a1a 100644
> --- a/meta/conf/bitbake.conf
> +++ b/meta/conf/bitbake.conf
> @@ -859,3 +859,14 @@ BB_SIGNATURE_EXCLUDE_FLAGS ?= "doc deps depends
> \
>  
>  MLPREFIX ??= ""
>  MULTILIB_VARIANTS ??= ""
> +
> +BUILD_REPRODUCIBLE_BINARIES ??= "0"
> +BUILD_REPRODUCIBLE_BINARIES[export] = "1"
> +
> +# Unix timestamp
> +REPRODUCIBLE_TIMESTAMP_ROOTFS ??= ""
> +REPRODUCIBLE_TIMESTAMP_ROOTFS[export] = "1"
> +
> +# Unix timestamp
> +REPRODUCIBLE_TIMESTAMP_IMAGE_PRELINK ??= ""
> +REPRODUCIBLE_TIMESTAMP_IMAGE_PRELINK[export] = "1"
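
Review bot: the three `[export] = "1"` flags in this hunk are set in bitbake.conf, which applies to every recipe, while the commit message ties both timestamp variables to image generation (rootfs file mtimes, /etc/timestamp, /etc/version, prelink). Consider dropping the flags here and exporting the values only in the image and prelink code that consumes them. The commit message also says the prelink value reaches the prelink program as PRELINK_TIMESTAMP, but this hunk exports it under the name REPRODUCIBLE_TIMESTAMP_IMAGE_PRELINK and nothing here sets PRELINK_TIMESTAMP; if a later patch in the series does the mapping, say so in the comment. On documentation, the `# Unix timestamp` comments should state that an empty value means the timestamp is derived from the top git commit, and BUILD_REPRODUCIBLE_BINARIES has no comment at all describing its "0"/"1" values.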

Please don't add new global exports in bitbake.conf. Changing the value
of this will cause everything to rebuild (e.g. recompile) since the
exported environment goes to all tasks. We really don't want to do that
if it only affects the image generation.

I'll give this a bit more thought/review but wanted to comment on this
whilst I see it/remember.

Cheers,

Richard



