[ipxe-devel] reproducible builds
mcb30 at ipxe.org
Sun May 3 00:31:34 UTC 2020
On 03/05/2020 00:10, Neil Roza wrote:
> > Hashing the build target name is not sufficient, because that would
> > result in a collision between the same ROM built at different times
> > different source trees.
>
> Okay, understood. If I take your meaning correctly, then it would be
> enough to hash a concatenation of the `$(SOURCE_DATE_EPOCH)` with the
> target name. The relevant shell expression would become...
>
>     echo $(SOURCE_DATE_EPOCH) $@ | md5sum | head -c8
>
> Would that get it done? Or did I interpret your mention of "different
> times" too literally?

Different build configurations (e.g. config/*.h setting, or even
DEBUG=... options specified on the make command line) also count as
needing different build IDs. Basically: anything that could possibly
affect the runtime memory layout is relevant.

It should really be a hash of the object that results from the link.
The only reason it doesn't already use a hash is because the build ID is
itself used as an input to the link (since that's how the value ends up
in the binary). It's possible that binutils now offers a clean and sane
way to construct a hash value over the object: if so, then we could use
that instead. (If the result ends up being more than 32 bits then the
consuming code would need to be updated accordingly.)
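
Added example, not part of the original message and not iPXE's build code: the quoted `SOURCE_DATE_EPOCH`-plus-target expression next to one assumed alternative that hashes the link inputs, which exist before the link and so avoid the circular dependency described above. The function names, the stand-in object files, the epoch value and the target name `bin/example.rom` are all constructed for illustration.

```shell
#!/bin/sh
# Added example; file names, contents and the epoch value are constructed.

# Expression quoted above: depends only on the timestamp and the target name.
naive_build_id() {      # $1 = SOURCE_DATE_EPOCH, $2 = target name
    echo "$1 $2" | md5sum | head -c8
}

# Assumed alternative: derive the ID from the link inputs, which exist before
# the link runs. Each file is hashed separately (so file boundaries count),
# in link order (order affects layout), without paths (tree location does not).
content_build_id() {    # $@ = object files in link order
    for f in "$@"; do
        md5sum < "$f"
    done | md5sum | head -c8    # 8 hex digits = 32 bits
}

# Build a stand-in "object tree": $1 = directory, $2 = configuration text.
make_tree() {
    mkdir -p "$1"
    printf 'core code\n'       > "$1/core.o"
    printf 'config: %s\n' "$2" > "$1/config.o"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_tree "$tmp/a" "DEBUG unset"
    make_tree "$tmp/b" "DEBUG=example"     # same target, different config
    epoch=1588464000; target=bin/example.rom
    echo "naive   a: $(naive_build_id "$epoch" "$target")"
    echo "naive   b: $(naive_build_id "$epoch" "$target")   (collides)"
    echo "content a: $(content_build_id "$tmp/a/core.o" "$tmp/a/config.o")"
    echo "content b: $(content_build_id "$tmp/b/core.o" "$tmp/b/config.o")"
    rm -rf "$tmp"
}
demo
```

Hashing the object files does not capture the linker script or linker flags, which also affect layout; those would have to be added to the hashed input for the ID to cover them.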