[OE-core] [PATCH] openssl_1.0.2n: improve reproducibility
Andre McCurdy
armccurdy at gmail.com
Mon Jul 23 17:33:08 UTC 2018
On Sun, Jul 22, 2018 at 9:46 AM, Bystricky, Juro
<juro.bystricky at intel.com> wrote:
> No, not on purpose, the word "prepend" should be taken out.
> Although running "make" the second time does no harm (should do nothing, in fact) it needs to be fixed,
> I'll send in a fix.
I have a fix too, as part of a series of other minor openssl recipe
fixes. So maybe you could review my fix when it's sent rather than
working on your own version? Up to you.
> Thanks
> Juro
> ________________________________________
> From: Andre McCurdy [armccurdy at gmail.com]
> Sent: Friday, July 20, 2018 2:08 PM
> To: Bystricky, Juro
> Cc: OE Core mailing list; Juro Bystricky
> Subject: Re: [OE-core] [PATCH] openssl_1.0.2n: improve reproducibility
>
> On Sat, Mar 10, 2018 at 11:27 AM, Juro Bystricky
> <juro.bystricky at intel.com> wrote:
>> Improve reproducible build of:
>>
>> openssl-staticdev
>> openssl-dbg
>> libcrypto
>>
>> There are two main causes that prevent reproducible build, both related to
>> the generated file "buildinf.h":
>>
>> 1. "buildinf.h" contains build host CFLAGS, containing various build
>> host references. We need to pass sanitized CFLAGS to the script
>> generating this file ("mkbuildinf.pl". )
>>
>> 2. We also need to modify the script "mkbuildinf.pl" itsel in order to
>> generate a build timestamp based on SOURCE_DATE_EPOCH, if present in
>> the environment.
>>
>> Signed-off-by: Juro Bystricky <juro.bystricky at intel.com>
>> ---
>> .../openssl-1.0.2n/reproducible-cflags.patch | 20 ++++++++++++++++++++
>> .../openssl-1.0.2n/reproducible-mkbuildinf.patch | 21 +++++++++++++++++++++
>> meta/recipes-connectivity/openssl/openssl10.inc | 3 +++
>> meta/recipes-connectivity/openssl/openssl_1.0.2n.bb | 5 +++++
>> 4 files changed, 49 insertions(+)
>> create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.2n/reproducible-cflags.patch
>> create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.2n/reproducible-mkbuildinf.patch
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl10.inc b/meta/recipes-connectivity/openssl/openssl10.inc
>> index 02a0e16..0598195 100644
>> --- a/meta/recipes-connectivity/openssl/openssl10.inc
>> +++ b/meta/recipes-connectivity/openssl/openssl10.inc
>> @@ -162,6 +162,9 @@ do_configure () {
>>
>> do_compile_prepend_class-target () {
>> sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
>> + oe_runmake depend
>> + cc_sanitized=`echo "${CC} ${CFLAG}" | sed -e 's,--sysroot=${STAGING_DIR_TARGET},,g' -e 's|${DEBUG_PREFIX_MAP}||g'`
>> + oe_runmake CC_INFO="${cc_sanitized}"
>
> Here calls to "oe_runmake depend" and "oe_runmake" are made from the
> target specific do_compile_prepend(), but the original calls (without
> sanitised CC_INFO) are then run again from do_compile(), ie:
>
> do_compile() {
> sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
> oe_runmake depend
> cc_sanitized=`echo ...`
> oe_runmake CC_INFO="${cc_sanitized}"
> oe_runmake depend
> oe_runmake
> }
>
> Is the intention really to run "oe_runmake depend" and "oe_runmake" twice?
>
>> }
>>
>> do_compile () {
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2n.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2n.bb
>> index 32444c6..f07289d 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2n.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2n.bb
>> @@ -43,6 +43,11 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
>> file://0001-Fix-build-with-clang-using-external-assembler.patch \
>> file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
>> "
>> +
>> +SRC_URI_append_class-target = "\
>> + file://reproducible-cflags.patch \
>> + file://reproducible-mkbuildinf.patch \
>> + "
>> SRC_URI[md5sum] = "13bdc1b1d1ff39b6fd42a255e74676a4"
>> SRC_URI[sha256sum] = "370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
>>
More information about the Openembedded-core
mailing list