Reproducible release tarballs #1550
Conversation
patmaddox
force-pushed
the
reproducible-tarballs
branch
2 times, most recently
from
4c0cbd1 to
51dc538
Compare
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
51dc538 to
05420f0
Compare
|
I can't add myself as a reviewer but would like to review this properly in the coming days |
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
05420f0 to
f7e2f46
Compare
patmaddox
force-pushed
the
reproducible-tarballs
branch
2 times, most recently
from
5542e70 to
3654c13
Compare
This isn't the right fix. The correct thing to do is to fix certctl, not paper over it and any other potential buggy build steps. |
I feel like that's more of a sign the library is being installed to the wrong place and should be in /usr/tests/lib/sys/... or similar. |
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
3654c13 to
c4b5544
Compare
|
@jrtc27 you're right about the owner, fix in 526efd6 I'll see if there's a better spot for the test - but maybe someone more familiar with it knows off-hand? @emaste @bsdimp I've submitted this single PR with a series of patches, but they're mostly independent. I didn't know if I should do one PR and let you cherry pick acceptable commits, or open separate PRs for each one. Let me know if I should split it up - or any general guidance you have, as this is my first time contributing to src. |
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
c4b5544 to
ac493db
Compare
|
on amd64
should produce kernel |
|
Added certctl fix (thanks @jrtc27). Building and packaging as a non-privileged user reproduces the root build. 526efd6 with |
This will break building on Linux though as there's no wheel group there. This is what DB_FROM_SRC is for, certctl needs to pass -N /path/to/etc for wheel to have meaning. |
On FreeBSD, #!/bin/sh
set -eu
rm -rf METALOG foo bar installed
echo "this is foo" > foo
echo "this is bar" > bar
mkdir installed
install -U -M METALOG -o missing-user -g missing-group foo bar installed/
cat METALOGThis produces: Are you saying that on Linux, |
I just tested on debian, and it doesn't even have So... check if |
Hm, it seems you're right that our install(1) (which will still be the one used on non-FreeBSD during the build) doesn't validate user/group names for -U. It's not documented though, and seems to be a bad idea to me, we should be validating them at install time, not at makefs time nor, in the case of distribution tarballs, untar, i.e. bsdinstall, time (since our tarballs use symbolic user/group names, and bsdtar doesn't get a -N equivalent yet packageworld works on Linux, so it can't possibly be validating it). |
That's good to know - so build behavior is equivalent on both OSes.
Maybe... but I think there would need to be a flag to let you validate or not. It's plausible for a builder to configure a METALOG for users it doesn't have. In fact that's exactly something I'm going to do now that I know about That may be a useful enhancement to |
My point is, throughout the build system, we, at least intend to, pass -N /path/to/etc to install(1), mtree(8) and makefs(8) whenever DB_FROM_SRC is set (in some cases even unconditionally), which is implied to NO_ROOT. So, just as we have |
|
CC @brooksdavis and @kevans91 for certctl - this originated in 48e9fb8. I think the patch in 526efd6 is a good step in the right direction, even if we should also have support for |
|
Although that said I wonder if the |
Makefile.inc1
Outdated
| @sed -e 's|^./kernel|.|' ${DESTDIR}/${DISTDIR}/kernel.premeta > \ | ||
| ${DESTDIR}/${DISTDIR}/kernel.meta | ||
| echo "#${MTREE_MAGIC}" > ${DESTDIR}/${DISTDIR}/kernel.meta | ||
| sed -e 's|^./kernel|.|' ${DESTDIR}/${DISTDIR}/kernel.premeta | \ |
There was a problem hiding this comment.
does the unsortedness happen only with -j? I'd be a bit surprised by nondeterminism without -j.
There was a problem hiding this comment.
I'm not sure - I've never had the patience to run without -j.
One potential source of non-determinism is when file lists are generated rather than declared. For example, some of the items returned by grep -R '=.*find' --include 'Makefile*' sys could potentially be non-determinstic. But I can't say for sure.
There was a problem hiding this comment.
It looks like those are all in sys/contrib (and so not actually used in our build), but indeed anything that returns files in filesystem order could be an issue.
I expect -j will result in nondeterminism and so the sorting is necessary, mainly just wondering if this is the only source of nondeterminism here.
release/Makefile
Outdated
| >> ${.OBJDIR}/${DISTDIR}/base.meta | ||
| sed -n 's,^\.,./var/db/etcupdate/current,p' \ | ||
| ${.OBJDIR}/${DISTDIR}/base/var/db/etcupdate/current/METALOG | \ | ||
| ${METALOG_SORT_CMD} >> ${.OBJDIR}/${DISTDIR}/base.meta |
There was a problem hiding this comment.
Wait, where is METALOG_SORT_CMD defined for relelase/* Makefiles?
There was a problem hiding this comment.
oof... it is not.
And the reason this "worked" for removing the non-determinism is because echo "foo" | > file is valid shell, and results in empty file. So the etc entries aren't being sorted... they're just not being added at all.
There was a problem hiding this comment.
fixed in fb482e3 and confirmed it packages the same on three systems
There was a problem hiding this comment.
You still have to do what METALOG_SORT_CMD does or this won't be sound on systems with LC_COLLATE!=C.
There was a problem hiding this comment.
Updated in 0d3b734
patmaddox
force-pushed
the
reproducible-tarballs
branch
2 times, most recently
from
9da5a0f to
b35bfb5
Compare
|
0d3b734 looks good except for the chicken and metalog files, will commit without those :) |
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
b35bfb5 to
3a06988
Compare
|
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
3a06988 to
e482667
Compare
|
CC @allanjude @kevans91 if you'd like to look at the certctl change in e482667 |
This sets the correct ownership values when building base.txz PR: 283340 Reviewed by: allanjude Pull request: #1550 Signed-off-by: Pat Maddox <[email protected]>
|
@allanjude did you review all of the changes or just certctl? (AFAIK there's no way to indicate review of a partial set of commits in a pull request.) |
The metalog is produced by install -M, which is not sorted. This results in non-deterministic file ordering in kernel.txz. Order the files in kernel.txz to support reproducible builds. PR: 283214 Signed-off-by: Pat Maddox <[email protected]>
When using -DWITHOUT_REPRODUCIBLE_BUILD, files in *.txz will be added with their built timestamps. This results in non-deterministic tarballs. -DWITH_REPRODUCIBLE_BUILD sets the time in the METALOG, so that all files have the time defined by PKG_TIMESTAMP. kernel is added to its metalog via install -M, which does not support configuring the mtree keys. Rewrite the time for its metalog entry. PR: 283214 Signed-off-by: Pat Maddox <[email protected]>
distributeworld builds man pages using distribute, rather than install. Check for distribute, and wait to build etc. This ensures that makedb is called after the man pages have been distributed. PR: 283214 Signed-off-by: Pat Maddox <[email protected]>
PR: 283214 Signed-off-by: Pat Maddox <[email protected]>
patmaddox
force-pushed
the
reproducible-tarballs
branch
from
e482667 to
6bc903d
Compare
| ${_+_}cd ${KRNLOBJDIR}/${INSTALLKERNEL}; \ | ||
| ${IMAKEENV} ${IMAKE_INSTALL:S/METALOG/kernel.premeta/} \ | ||
| ${IMAKE_MTREE} PATH=${TMPPATH:Q} ${MAKE} KERNEL=${INSTKERNNAME} \ | ||
| DISTBASE=/kernel DESTDIR=${INSTALL_DDIR}/kernel \ | ||
| METALOG=${METALOG:S/METALOG/kernel.premeta/} \ | ||
| ${.TARGET:S/distributekernel/install/} | ||
| .if defined(NO_ROOT) | ||
| @sed -e 's|^./kernel|.|' ${DESTDIR}/${DISTDIR}/kernel.premeta > \ | ||
| ${DESTDIR}/${DISTDIR}/kernel.meta | ||
| echo "#${MTREE_MAGIC}" > ${DESTDIR}/${DISTDIR}/kernel.meta |
There was a problem hiding this comment.
We want to keep the @s presumably
There was a problem hiding this comment.
IMO the @s are bugs. These aren't steps with should be hiding from the caller.
| @@ -462,7 +462,7 @@ SUBDIR+= ${_DIR} | |||
| # by calling 'makedb' in share/man. This is only relevant for | |||
| # install/distribute so they build the whatis file after every manpage is | |||
| # installed. | |||
| .if make(installworld) || make(install) | |||
| .if make(installworld) || make(install) || make(distribute) | |||
There was a problem hiding this comment.
Should this be make(distributeworld)? I'm not sure, but I don't fully understand the distribute pseduo-target.
|
Sorting pushed in 58610d1. I think
I've got some comments for the doc update in |
| Different builders can produce bit-identical release tarballs using | ||
| .Va PKG_TIMESTAMP | ||
| and | ||
| .Va REVISION : |
There was a problem hiding this comment.
We probably want to differentiate PKG_TIMESTAMP from REVISION -- the former is an actual (literal) env variable used by Makefile*, but the latter is a placeholder in the example command below. I'm not sure off hand what the markup for that should be.
I wonder if we should have newvers.sh collect the commit time (e.g. from git show -s --format=%ct) and have the default SOURCE_DATE_EPOCH derived from that.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283214
picking up the work from https://reviews.freebsd.org/D48010
TODO:
usr/share/man/mandoc.dbnon-determinism