[OE-core] [PATCH] classes/reproducible_build: Avoid dereferencing symlinks

Mon Aug 6 15:25:09 UTC 2018

Using os.path.getmtime() will dereference symbolic links in an attempt
to get the last modified time. This can cause errors if the target
doesn't exist, or worse map to some absolute build host path which would
make a build not reproducible.

Signed-off-by: Joshua Watt <JPEWhacker at gmail.com>
---
 meta/classes/reproducible_build.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/reproducible_build.bbclass b/meta/classes/reproducible_build.bbclass
index 2df805330aa..268b5fb8f19 100644
--- a/meta/classes/reproducible_build.bbclass
+++ b/meta/classes/reproducible_build.bbclass
@@ -56,7 +56,7 @@ def get_source_date_epoch_known_files(d, path):
     for file in known_files:
         filepath = os.path.join(path,file)
         if os.path.isfile(filepath):
-            mtime = int(os.path.getmtime(filepath))
+            mtime = int(os.lstat(filepath).st_mtime)
             # There may be more than one "known_file" present, if so, use the youngest one
             if mtime > source_date_epoch:
                 source_date_epoch = mtime
@@ -114,7 +114,7 @@ python do_create_source_date_epoch_stamp() {
             for fname in files:
                 filename = os.path.join(root, fname)
                 try:
-                    mtime = int(os.path.getmtime(filename))
+                    mtime = int(os.lstat(filename).st_mtime)
                 except ValueError:
                     mtime = 0
                 if mtime > source_date_epoch:
-- 
2.17.1


