[ipxe-devel] reproducible builds
Neil Roza
neil at rtr.ai
Sun May 3 01:10:37 UTC 2020
On Sat, May 2, 2020, 20:31 Michael Brown <mcb30 at ipxe.org> wrote:
> On 03/05/2020 00:10, Neil Roza wrote:
> > Hashing the build target name is not sufficient, because that would
> > result in a collision between the same ROM built at different times from
> > different source trees.
> >
> > Okay, understood. If I take your meaning correctly, then it would be
> > enough to hash a concatenation of the `$(SOURCE_DATE_EPOCH)` with the
> > target name. The relevant shell expression would become...
> >
> > echo $(SOURCE_DATE_EPOCH) $@ | md5sum | head -c8
> >
> > Would that get it done? Or did I interpret your mention of "different
> > times" too literally?
>
> Different build configurations (e.g. config/*.h setting, or even
> DEBUG=... options specified on the make command line) also count as
> needing different build IDs. Basically: anything that could possibly
> affect the runtime memory layout is relevant.
>
> It should really be a hash of the object that results from the link.
> The only reason it doesn't already use a hash is because the build ID is
> itself used as an input to the link (since that's how the value ends up
> in the binary). It's possible that binutils now offers a clean and sane
> way to construct a hash value over the object: if so, then we could use
> that instead. (If the result ends up being more than 32 bits then the
> consuming code would need to be updated accordingly.)
I think one Matt Turner has discovered the trick we need:
https://github.com/mattst88/build-id/
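
Added example, not part of the original message and not iPXE's or any linked project's code: it runs the epoch-plus-target expression from the thread against two constructed builds that differ only in a debug setting, next to an ID hashed from the contents of the link inputs. Hashing the inputs rather than the linked object is an assumption made here to sidestep the circular dependency described above; the function names, `bin/sample.rom` and the file contents are hypothetical.

```shell
#!/bin/sh
# Added example. All names and file contents are constructed sample data.
LC_ALL=C; export LC_ALL        # fixed glob ordering => stable hash input order

# Scheme from the thread: hash SOURCE_DATE_EPOCH plus the target name.
id_from_epoch_and_target() {   # $1 = epoch, $2 = target name
    echo "$1 $2" | md5sum | head -c8
}

# Assumed alternative: hash the contents of every object fed to the link.
# Reading via stdin keeps the build directory path out of the hash, so the
# same inputs give the same ID wherever the tree is checked out.
id_from_link_inputs() {        # $1 = directory holding the *.o files
    for f in "$1"/*.o; do
        md5sum < "$f"
    done | md5sum | head -c8
}

# Constructed stand-in for a build tree: one object whose bytes depend on
# the build configuration, one that does not.
make_tree() {                  # $1 = directory, $2 = configuration string
    mkdir -p "$1"
    printf 'constructed core object\n' > "$1/core.o"
    printf 'constructed net object built with %s\n' "$2" > "$1/net.o"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_tree "$tmp/a" 'DEBUG='
    make_tree "$tmp/b" 'DEBUG=tcp'
    epoch=1588464000           # constructed SOURCE_DATE_EPOCH value
    target=bin/sample.rom      # hypothetical target name
    # Same epoch and target: both configurations get the same ID.
    echo "epoch+target: a=$(id_from_epoch_and_target "$epoch" "$target")" \
         "b=$(id_from_epoch_and_target "$epoch" "$target")"
    # Content hash: the ID follows the bytes that reach the link.
    echo "link inputs:  a=$(id_from_link_inputs "$tmp/a")" \
         "b=$(id_from_link_inputs "$tmp/b")"
    rm -rf "$tmp"
}

demo
```

The 8-hex-digit truncation matches the 32-bit build ID mentioned in the thread; a wider ID would need the consuming code updated, as noted above.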