[ipxe-devel] reproducible builds

Neil Roza neil at rtr.ai
Sat May 2 23:10:34 UTC 2020


On Sat, May 2, 2020 at 6:40 PM Michael Brown <mcb30 at ipxe.org> wrote:

> On 01/05/2020 23:36, Neil Roza wrote:
> > Please find the attached diff representing a patch I would like to
> > submit for your consideration. This is a small change to the
> > `src/Makefile.housekeeping` that makes the generation of most artifacts
> > (notably not `*.usb` images) deterministic.
> >
> > The scariest change here is the removal of the `BUILD_ID_CMD` in favor
> > of an inlined shell snippet where the `_build_id` symbol is defined. In
> > keeping with the comments that specify a unique `_build_id` for each
> > `$(BIN)/%.tmp`, I use the first 8 characters of the md5sum of the
> > target, in the expected base-prefixed hexadecimal representation.
> > Calculating the likelihood of collisions I leave as an exercise to the
> > reviewer. :D
>
> The existing comment in the Makefile is not especially clear, sorry.
> The build ID is supposed to be collision-free across all ROMs that might
> ever end up installed in the same system.  It doesn't just disambiguate
> targets within a single build; it also disambiguates different builds.
>
> It gets used by the ROM prefix to determine when another ROM in the
> system contains identical code.  This happens when, for example, a
> multi-port NIC exposes the same iPXE ROM image for several different PCI
> functions, or when two identical NICs are installed in the same system.
> We need to know this in order to save space within the legacy BIOS
> option ROM area, which is extremely limited in size.
>
> Hashing the build target name is not sufficient, because that would
> result in a collision between the same ROM built at different times from
> different source trees.
>

Okay, understood. If I take your meaning correctly, then it would be enough
to hash a concatenation of the `$(SOURCE_DATE_EPOCH)` with the target name.
The relevant shell expression would become...

    echo $(SOURCE_DATE_EPOCH) $@ | md5sum | head -c8

Would that get it done? Or did I interpret your mention of "different
times" too literally?


> > The `BUILD_TIMESTAMP` assignment has been changed to allow environment
> > variable overriding, but it defaults to `SOURCE_DATE_EPOCH`. The source
> > date epoch can also be overridden; it defaults to the Unix timestamp of
> > the current git HEAD commit.
>
> This seems like a reasonable approach, but would need to fail gracefully
> when built from something that isn't a git checkout.  See the way that
> VERSIONS is handled for an example.


Can do. Look for it in my next patch.
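
An added illustration, not part of this message or of the iPXE Makefile: the sketch below compares a build ID hashed from the target name alone with the `SOURCE_DATE_EPOCH` plus target expression proposed above, and resolves the epoch without failing outside a git checkout. The function names, the sample target and epochs, and the current-time fallback are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration: function names and sample values are constructed here,
# they are not taken from src/Makefile.housekeeping.

# Pick the timestamp fed into the hash: an explicit SOURCE_DATE_EPOCH wins,
# then the commit time of git HEAD, then (assumed fallback) the current time,
# so a tarball build still succeeds but is no longer reproducible.
resolve_epoch() {   # $1 = source directory (default: current directory)
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        printf '%s\n' "$SOURCE_DATE_EPOCH"
    elif epoch=$(git -C "${1:-.}" log -1 --format=%ct 2>/dev/null) &&
         [ -n "$epoch" ]; then
        printf '%s\n' "$epoch"
    else
        date +%s
    fi
}

# Hash of the target name alone: identical for every build of that target.
build_id_target_only() {   # $1 = target
    printf '0x%s\n' "$(echo "$1" | md5sum | head -c8)"
}

# The expression from the message, with the 0x prefix added: first 8 hex
# digits of md5 over "<epoch> <target>".
build_id() {   # $1 = epoch, $2 = target
    printf '0x%s\n' "$(echo "$1 $2" | md5sum | head -c8)"
}

# Constructed sample: one target built from two commits with different times.
target='bin/example.rom.tmp'
for epoch in 1588000000 1588086400; do
    printf '%s  target-only=%s  epoch+target=%s\n' "$epoch" \
        "$(build_id_target_only "$target")" "$(build_id "$epoch" "$target")"
done
```

With this scheme, two source trees that share both the epoch and the target name still produce the same ID, since the hash sees identical input.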