[ipxe-devel] reproducible builds

Neil Roza neil at rtr.ai
Sun May 3 01:10:37 UTC 2020


On Sat, May 2, 2020, 20:31 Michael Brown <mcb30 at ipxe.org> wrote:

> On 03/05/2020 00:10, Neil Roza wrote:
> >     Hashing the build target name is not sufficient, because that would
> >     result in a collision between the same ROM built at different times
> >     from different source trees.
> >
> > Okay, understood. If I take your meaning correctly, then it would be
> > enough to hash a concatenation of the `$(SOURCE_DATE_EPOCH)` with the
> > target name. The relevant shell expression would become...
> >
> >      echo $(SOURCE_DATE_EPOCH) $@ | md5sum | head -c8
> >
> > Would that get it done? Or did I interpret your mention of "different
> > times" too literally?
>
> Different build configurations (e.g. config/*.h setting, or even
> DEBUG=... options specified on the make command line) also count as
> needing different build IDs.  Basically: anything that could possibly
> affect the runtime memory layout is relevant.
>
> It should really be a hash of the object that results from the link.
> The only reason it doesn't already use a hash is because the build ID is
> itself used as an input to the link (since that's how the value ends up
> in the binary).  It's possible that binutils now offers a clean and sane
> way to construct a hash value over the object: if so, then we could use
> that instead.  (If the result ends up being more than 32 bits then the
> consuming code would need to be updated accordingly.)


I think one Matt Turner has discovered the trick we need:

https://github.com/mattst88/build-id/
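
Added example (not part of the original message and not iPXE build code): a shell comparison of the build ID schemes discussed in this thread. The function names, the stand-in "linker", the target name, the epoch and the DEBUG values are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration. Function names, file contents, target name and epoch
# below are constructed for this example; none of it is iPXE build code.

# Scheme 1: hash only the build target name.
id_from_target() {
    echo "$1" | md5sum | head -c8
}

# Scheme 2: the expression proposed in the thread (epoch plus target name).
id_from_epoch_target() {
    echo "$1 $2" | md5sum | head -c8
}

# Scheme 3: hash the bytes of the object that results from the link.
id_from_object() {
    md5sum < "$1" | head -c8
}

# Stand-in for the linker: writes a file whose bytes depend on the config.
fake_link() {   # $1 = output file, $2 = configuration string
    printf 'OBJECT\nconfig=%s\n' "$2" > "$1"
}

# Print the three IDs for one build: $1 = epoch, $2 = target, $3 = object file.
show_ids() {
    printf '%s  %s  %s\n' \
        "$(id_from_target "$2")" \
        "$(id_from_epoch_target "$1" "$2")" \
        "$(id_from_object "$3")"
}

demo() {
    tmp=$(mktemp -d) || return 1
    fake_link "$tmp/plain.o" "DEBUG="
    fake_link "$tmp/debug.o" "DEBUG=tcp"
    fake_link "$tmp/again.o" "DEBUG="      # rebuild of the first configuration
    echo "target    epoch+tgt object"
    for obj in plain debug again; do
        show_ids 1588468237 bin/example.rom "$tmp/$obj.o"
    done
    rm -rf "$tmp"
}

demo
```

The first two columns are identical on every row, so the two differently configured builds share an ID; only the object hash separates them while still repeating for the rebuild.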