[ipxe-devel] reproducible builds

Michael Brown mcb30 at ipxe.org
Sun May 3 00:31:34 UTC 2020


On 03/05/2020 00:10, Neil Roza wrote:
>     Hashing the build target name is not sufficient, because that would
>     result in a collision between the same ROM built at different times
>     from different source trees.
> 
> Okay, understood. If I take your meaning correctly, then it would be 
> enough to hash a concatenation of the `$(SOURCE_DATE_EPOCH)` with the 
> target name. The relevant shell expression would become...
> 
>      echo $(SOURCE_DATE_EPOCH) $@ | md5sum | head -c8
> 
> Would that get it done? Or did I interpret your mention of "different 
> times" too literally?

Different build configurations (e.g. config/*.h settings, or even 
DEBUG=... options specified on the make command line) also count as 
needing different build IDs.  Basically: anything that could possibly 
affect the runtime memory layout is relevant.

It should really be a hash of the object that results from the link. 
The only reason it doesn't already use a hash is because the build ID is 
itself used as an input to the link (since that's how the value ends up 
in the binary).  It's possible that binutils now offers a clean and sane 
way to construct a hash value over the object: if so, then we could use 
that instead.  (If the result ends up being more than 32 bits then the 
consuming code would need to be updated accordingly.)

Thanks,

Michael
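
An added example, not part of the original message or the iPXE build system: the quoted expression gives the same ID to two builds that differ only in configuration, while an ID hashed from the contents of the link inputs does not. The function names, file contents and the input-hashing approach itself are assumptions for illustration; a real build would also have to feed in the linker script and anything else that affects layout.

```shell
#!/bin/sh
# Added example: function names and file contents are constructed.

# The expression quoted in the thread: SOURCE_DATE_EPOCH plus target name.
naive_build_id() {   # $1 = epoch, $2 = target name
    echo "$1 $2" | md5sum | head -c8
}

# Assumption: derive the ID from the contents of the link inputs instead.
# This sidesteps the circularity described above (the ID is hashed from
# what goes into the link, not from the linked object) and changes when
# any object changes, whatever caused the change.
content_build_id() { # $1 = target name, remaining args = link input files
    target=$1
    shift
    {
        printf '%s\n' "$target"
        # Hash each file's bytes, then sort the digests so the result does
        # not depend on argument order or on where the tree is checked out.
        for f in "$@"; do
            sha256sum < "$f"
        done | LC_ALL=C sort
    } | sha256sum | head -c8    # 8 hex digits = 32 bits
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/a" "$tmp/b"
    # Constructed stand-ins for objects built from the same source with
    # different config/*.h settings or DEBUG= options.
    printf 'core\n'        > "$tmp/a/core.o"
    printf 'net default\n' > "$tmp/a/net.o"
    printf 'core\n'        > "$tmp/b/core.o"
    printf 'net debug\n'   > "$tmp/b/net.o"
    epoch=1588464000; target=bin/example.rom   # constructed values
    echo "naive   A: $(naive_build_id "$epoch" "$target")"
    echo "naive   B: $(naive_build_id "$epoch" "$target")"
    echo "content A: $(content_build_id "$target" "$tmp/a/core.o" "$tmp/a/net.o")"
    echo "content B: $(content_build_id "$target" "$tmp/b/core.o" "$tmp/b/net.o")"
    rm -rf "$tmp"
}
demo
```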


