From: "Moessbauer, Felix" <felix.moessbauer@siemens.com>
To: "venkata.pyla@toshiba-tsip.com" <venkata.pyla@toshiba-tsip.com>,
"Schild, Henning" <henning.schild@siemens.com>
Cc: "amikan@ilbers.de" <amikan@ilbers.de>,
"isar-users@googlegroups.com" <isar-users@googlegroups.com>,
"Kiszka, Jan" <jan.kiszka@siemens.com>,
"kazuhiro3.hayashi@toshiba.co.jp"
<kazuhiro3.hayashi@toshiba.co.jp>,
"dinesh.kumar@toshiba-tsip.com" <dinesh.kumar@toshiba-tsip.com>
Subject: Re: [PATCH v2 1/1] image.bbclass: fix non-reproducible file time-stamps inside rootfs
Date: Thu, 5 Jan 2023 09:50:36 +0000 [thread overview]
Message-ID: <e5ae3592ee7d3a815e4570609fa92b573932c2d8.camel@siemens.com> (raw)
In-Reply-To: <20230105091904.530199bb@md1za8fc.ad001.siemens.net>
On Thu, 2023-01-05 at 09:19 +0100, Henning Schild wrote:
> Am Thu, 5 Jan 2023 11:48:57 +0530
> schrieb venkata.pyla@toshiba-tsip.com:
>
> > From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> >
> > As part of reproducible-build work, the rootfs images generated on
> > same source should be identical between two builds.
> >
> > In this commit it tries to solve one of the non-reproducible
> > problem
> > i.e. the rootfs file time-stamps generated during build time are
> > not
> > reproducible, it uses one of the solution provided in the debian
> > live-build image project (refer [1]), it fixes by finding all the
> > files/folders that are gernerated newly and set the time-stamp
> > provided by `SOURCE_DATE_EPOCH` environment variable.
> >
> > [1]
> > https://salsa.debian.org/live-team/live-build/-/merge_requests/218
> >
> > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> > ---
> > meta-isar/conf/local.conf.sample | 10 ++++++++++
> > meta/classes/image.bbclass | 9 +++++++++
> > 2 files changed, 19 insertions(+)
> >
> > diff --git a/meta-isar/conf/local.conf.sample
> > b/meta-isar/conf/local.conf.sample index 57d0620..3c4a473 100644
> > --- a/meta-isar/conf/local.conf.sample
> > +++ b/meta-isar/conf/local.conf.sample
> > @@ -255,3 +255,13 @@ USER_isar[flags] += "clear-text-password"
> > #CCACHE_TOP_DIR ?= "${TMPDIR}/ccache"
> > # Enable ccache debug mode
> > #CCACHE_DEBUG = "1"
> > +
> > +# Uncommnet and add value to it to build images reproducibly
> > +#
> > +# The value for `SOURCE_DATE_EPOCH` should be latest source change
> > time in +# seconds since the Epoch.
> > +# Git repository users can use value from 'git log -1 --
> > pretty=%ct'
> > +# Non git repository users can use value from 'stat -c%Y
> > ChangeLog'
> > +# To know more details about this variable and how to set the
> > value
> > refer below +#
> > https://reproducible-builds.org/docs/source-date-epoch/
> > +#SOURCE_DATE_EPOCH =
>
> ${@bb.process.run(git log ...)}
>
> would be nice here. So once uncommented it will keep moving as people
> commit.
Be careful with this pattern as it bypasses the Bitbake signatures,
leading to non-deterministic signatures errors. We had the same problem
with the ISAR release command. Maybe the immediate expansion operator
works in the local conf, but I did not check that.
It would be better to inject that from the outside, e.g. via KAS or an
environment variable. And in addition, we need to make sure that we
only forward this variable to non-sbuild tasks. The sbuild tasks should
get the SOURCE_DATE_EPOCH from the latest entry in the changelog.
However, for auto-generated changelogs, the date should be the value of
SOURCE_DATE_EPOCH.
Felix
>
> > diff --git a/meta/classes/image.bbclass
> > b/meta/classes/image.bbclass
> > index 813e1f3..38a9adf 100644
> > --- a/meta/classes/image.bbclass
> > +++ b/meta/classes/image.bbclass
> > @@ -430,6 +430,15 @@ do_rootfs_finalize() {
> > "${ROOTFSDIR}/etc/apt/sources.list.d/bootstrap.list"
> >
> > rm -f "${ROOTFSDIR}/etc/apt/sources-list"
> > +
> > + # Set same time-stamps to the newly generated file/folders
> > in the
> > + # rootfs image for the purpose of reproducible builds.
> > + test ! -z "${SOURCE_DATE_EPOCH}" && \
> > + find ${ROOTFSDIR} -newermt \
> > + "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d
> > %H:%M:%S')" \
> > + -printf "%y %p\n" \
> > + -exec touch '{}' -h -d@${SOURCE_DATE_EPOCH} ';' >
> > ${DEPLOY_DIR_IMAGE}/files.modified_timestamps +
> > EOSUDO
>
> I would suggest to at least display a bbwarn if "wc -l" of that file
> exceeds some number ... say 50. I guess if SOURCE_DATE_EPOCH was too
> old, say 01.01.1990 the whole filesystem would be touched which might
> indicate a problem.
>
> Not sure what a good number would be. We could also check for certain
> files to _not_ be in there for sure.
>
> I might give that patch a try and see for myself what a too old value
> would do. But right now i will keep going with the expectation that
> it
> would "touch all files without big warning" and the thing might still
> boot but the broken metadata could cause any kind of problems in
> applications that can get confused by that big change.
>
> Henning
>
> > }
> > addtask rootfs_finalize before do_rootfs after
> > do_rootfs_postprocess
>
next prev parent reply other threads:[~2023-01-05 9:50 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-02 14:58 [PATCH] image.bbclass: fix non-reproducible file time-stamps inside rootfs image venkata.pyla
2023-01-02 15:32 ` Jan Kiszka
2023-01-03 5:54 ` Venkata.Pyla
2023-01-02 16:44 ` Henning Schild
2023-01-03 8:05 ` Jan Kiszka
2023-01-03 18:51 ` Henning Schild
2023-01-03 14:10 ` Venkata.Pyla
2023-01-03 19:05 ` Henning Schild
2023-01-04 7:54 ` Venkata.Pyla
2023-01-04 9:29 ` Henning Schild
2023-01-04 13:48 ` Venkata.Pyla
2023-01-04 13:53 ` Henning Schild
2023-01-04 14:35 ` Jan Kiszka
2023-01-04 14:50 ` Venkata.Pyla
2023-01-04 15:07 ` Henning Schild
2023-01-04 15:34 ` Venkata.Pyla
2023-01-05 6:18 ` [PATCH v2 0/1] Fix for reproducible build issue venkata.pyla
2023-01-05 6:18 ` [PATCH v2 1/1] image.bbclass: fix non-reproducible file time-stamps inside rootfs venkata.pyla
2023-01-05 8:19 ` Henning Schild
2023-01-05 9:50 ` Moessbauer, Felix [this message]
2023-01-05 17:05 ` Henning Schild
2023-01-06 2:08 ` Moessbauer, Felix
2023-01-05 13:52 ` Venkata.Pyla
2023-01-05 15:12 ` [PATCH v3 0/1] Fix for reproducible build issue venkata.pyla
2023-01-05 15:12 ` [PATCH v3 1/1] image.bbclass: fix non-reproducible file time-stamps inside rootfs venkata.pyla
2023-01-06 9:45 ` Moessbauer, Felix
2023-01-06 10:17 ` Venkata.Pyla
2023-01-05 16:49 ` [PATCH v2 " Henning Schild
2023-01-04 15:01 ` [PATCH] image.bbclass: fix non-reproducible file time-stamps inside rootfs image Henning Schild
2023-01-04 15:27 ` Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e5ae3592ee7d3a815e4570609fa92b573932c2d8.camel@siemens.com \
--to=felix.moessbauer@siemens.com \
--cc=amikan@ilbers.de \
--cc=dinesh.kumar@toshiba-tsip.com \
--cc=henning.schild@siemens.com \
--cc=isar-users@googlegroups.com \
--cc=jan.kiszka@siemens.com \
--cc=kazuhiro3.hayashi@toshiba.co.jp \
--cc=venkata.pyla@toshiba-tsip.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox