[asterisk-bugs] [JIRA] (ASTERISK-27499) Make build of Asterisk reproducible, if so required
Tzafrir Cohen (JIRA)
noreply at issues.asterisk.org
Wed Dec 20 03:32:10 CST 2017
Tzafrir Cohen created ASTERISK-27499:
----------------------------------------
Summary: Make build of Asterisk reproducible, if so required
Key: ASTERISK-27499
URL: https://issues.asterisk.org/jira/browse/ASTERISK-27499
Project: Asterisk
Issue Type: Improvement
Security Level: None
Affects Versions: 15.1.4, 13.18.4
Reporter: Tzafrir Cohen
Severity: Minor
The following is a description of a simple patch I already have in the Debian package. I expect this would be a low hanging fruit for someone else to implement.
Reproducible builds are intended to guarantee that a binary was built from a given source tree by the fact that building it again would give exactly the same result. This has nice implications in trust. Normally you don't need it, but it may be handy in many cases.
This breaks when the result of the build changes due to differences in the build environment: build time, host name, and such.
The patch does the following:
1. In Makefile: call 'sort' with locale explicitly set to 'C' to make sure sort order does not differ by locales. I'm not 100% sure this is needed with the module naming convention, but it wouldn't hurt.
2. build_tools/make_build_h: This one heavily depends on the build environment. It would be nice to avoid that. A reproducible build build environment must set the variable SOURCE_DATE_EPOCH (See https://reproducible-builds.org/specs/source-date-epoch/ ). Thus if this variable is set, some values could be overridden (be it to arbitrary values) and not set from the build environment:
* HOSTNAME
* KERNEL
* MACHINE
* USER
* DATE
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list