Message-ID: <8b2864bd-30b1-254f-ebd6-79967249da9b@linux.alibaba.com>
Date:   Thu, 20 Oct 2022 18:48:20 -0700
From:   Dan Li <ashimida@...ux.alibaba.com>
To:     Bagas Sanjaya <bagasdotme@...il.com>
Cc:     masahiroy@...nel.org, michal.lkml@...kovi.net,
        ndesaulniers@...gle.com, corbet@....net,
        linux-kbuild@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, Nicolas Schier <n.schier@....de>
Subject: Re: [RFC] Documentation: kbuild: Add description of git for
 reproducible builds



On 10/20/22 07:05, Bagas Sanjaya wrote:
> On Thu, Oct 20, 2022 at 03:38:23AM -0700, Dan Li wrote:
>> diff --git a/Documentation/kbuild/reproducible-builds.rst b/Documentation/kbuild/reproducible-builds.rst
>> index 071f0151a7a4..13397f38c358 100644
>> --- a/Documentation/kbuild/reproducible-builds.rst
>> +++ b/Documentation/kbuild/reproducible-builds.rst
>> @@ -119,6 +119,16 @@ To avoid this, you can make the vDSO different for different
>>   kernel versions by including an arbitrary string of "salt" in it.
>>   This is specified by the Kconfig symbol ``CONFIG_BUILD_SALT``.
>>   
>> +Git
>> +-----------------------
>> +
>> +Uncommitted changes or different commit ids in git can also lead
>> +to different compilation results. For example, after executing
>> +``git reset HEAD^``, even if the code is the same, the
>> +``include/config/kernel.release`` generated during compilation
>> +will be different, which will eventually lead to binary differences.
>> +See ``scripts/setlocalversion`` for details.
>> +
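Review bot: the new "Git" section ends at "See ``scripts/setlocalversion`` for details" without telling the reader what to do, whereas the context lines just above it name a concrete knob (``CONFIG_BUILD_SALT``). Suggest closing the paragraph with the requirement itself, for example that the commit id and the presence of uncommitted changes must be the same between builds. As a style point, the heading underline is much longer than the three-character title "Git"; trim it to the title's length.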
> 
> Having briefly read the script, I don't see what the correlation between
> git reset and the LOCALVERSION thing is. Also, is the exact state of the
> git repository required for reproducible builds?
> 

Hi Bagas,

The Makefile has the following code:
filechk_kernel.release = \
         echo "$(KERNELVERSION)$$($(CONFIG_SHELL) $(srctree)/scripts/setlocalversion $(srctree))"

The output of setlocalversion affects kernel.release, while the output
of setlocalversion is related to the state of git when the git repository
exists (see function scm_version).

So changes in git state will result in changes to kernel.release, and
this information will be included in the final output vmlinux/modules
and in turn affect reproducible builds.

For example:
$ git log
commit 4cd155a93eec......
$ make ...
$ cat include/config/kernel.release
6.0.0-rc4-00025-g4cd155a93eec

$ git reset HEAD^
$ git log
commit 7b4d266b0c41......
$ make ...
$ cat include/config/kernel.release
6.0.0-rc4-00024-g7b4d266b0c41-dirty


AFAICT, in the presence of a git repository, we can compile a reproducible
build kernel in any git state, but we need to ensure that the git state is
always the same between compilations (or the same from the perspective of
the scm_version function).

Thanks, Dan.

> Thanks.
> 
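
The effect described in this message can be reproduced in a throwaway repository. The script below is an added example, not part of the original thread or of the kernel tree; scm_state, demo_reset and same_scm_state are hypothetical helper names, and scm_state only approximates what scm_version reports.

```shell
#!/bin/sh
# Added example, not kernel code. scm_state is a simplified stand-in for
# scm_version in scripts/setlocalversion: it reports only the abbreviated
# HEAD commit and a "-dirty" marker (the kernel.release strings quoted in
# the message also carry a commit count, which is left out here).
scm_state() {
    tree=$1
    head=$(git -C "$tree" rev-parse --verify --short=12 HEAD 2>/dev/null) || {
        echo "no-git"; return 0; }
    # -uno: untracked files are ignored, only tracked files count as dirty.
    if [ -n "$(git -C "$tree" status -uno --porcelain 2>/dev/null)" ]; then
        echo "g$head-dirty"
    else
        echo "g$head"
    fi
}

# Constructed demo in a throwaway repository: commit twice, then run
# "git reset HEAD^". Prints "<state before> <state after> <source verdict>".
demo_reset() {
    repo=$(mktemp -d) || return 1
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    echo 'int x = 1;' > "$repo/file.c"; g add file.c; g commit -q -m first
    echo 'int x = 22;' > "$repo/file.c"; g commit -q -a -m second
    sum_before=$(cksum < "$repo/file.c"); before=$(scm_state "$repo")
    g reset -q HEAD^        # moves HEAD and the index, leaves the files alone
    sum_after=$(cksum < "$repo/file.c"); after=$(scm_state "$repo")
    if [ "$sum_before" = "$sum_after" ]; then src=same-source; else src=changed-source; fi
    rm -rf "$repo"
    echo "$before $after $src"
}

# Guard for a build script: succeed only if two trees are in the same git state.
same_scm_state() { [ "$(scm_state "$1")" = "$(scm_state "$2")" ]; }

demo_reset
```

Recording the scm_state value next to each build artifact, and checking same_scm_state before comparing two builds, separates a git-state mismatch from a real source difference.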
