NetBSD-Bugs archive


Re: PR/58196 CVS commit: src/distrib/common



Hi Christos, Martin!

On Wed, 2024-05-08 11:01:00 +0200, Jan-Benedict Glaw <jbglaw%lug-owl.de@localhost> wrote:
> On Tue, 2024-05-07 20:35:02 +0000, Christos Zoulas <christos%netbsd.org@localhost> wrote:
> >  Module Name:	src
> >  Committed By:	christos
> >  Date:		Tue May  7 20:33:20 UTC 2024
> >  
> >  Modified Files:
> >  	src/distrib/common: Makefile.bootcd
> >  
> >  Log Message:
> >  PR/58196: Jan-Benedict Glaw: If there was no spec file specified, generate
> >  one on the fly. Should fix reproducible builds where the mode and the
> >  ownership/group is not fixed and picked up from the filesystem.
> 
> I've pulled in this specific patch into my patch queue and started
> builds for VAX.  However, I *think* this won't cut it unfortunately:
> My impression is that we _do_ have manifests, but these only contain a
> (small) subset of what's on the CD. What's _missing_ (IIRC) is all the
> content that makes it a port-specific CD: In the manifests, there are
> no entries for the kernel(s), any sets, filesystem/ramdisk images.
> Only generic stuff is listed there AFAIR.

Both builds succeeded and had no differences except for the install
ISO. Unfortunately, I don't (yet---working on it) keep the generated
.spec files.  However, I loop-mounted the ISO images and did a
`ls -lnR` on them. Results attached.

  You'll notice 998 as a GID or UID number in _both_ listings.

  The NetBSD repo (on the source-holding host) is owned by 998:998.
From there, cloning happens with this route:

  * On the Linux host within a Docker container, I've added the cached
    NetBSD-src GIT repo as a volume, so a "local" `git clone --shared`
    is used. The Docker container also uses `--user 998:998`.

  * On the NetBSD amd64 VM, the whole GIT repo is copied using a tar
    (from the source host:
	(cd /path/to/NetBSD-src && tar cf - .) | \
	   ssh [...] root@netbsd-vm "cd /root/ && mkdir NetBSD-src && tar xf -"
    )
    So copying the files is done as root within the NetBSD VM (thus
    tar preserves owner/group), and afterwards, the build is also done
    as `root`, though `-U` is used when `./build.sh` is invoked.

That means that wherever we see a UID/GID of 998 in that listing,
it's leaked information. That's almost certainly because there's no
explicit line in the manifest for that specific file or directory.

MfG, JBG

-- 

Attachment: ls-lnR-linux.gz
Description: application/gzip

Attachment: ls-lnR-netbsd.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature
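
One way to scan an `ls -lnR` listing, like the ones attached to the message above, for entries that still carry the build host's IDs. This is an added example, not part of the original mail or of NetBSD's build tooling; the function name, the constructed sample listing and the default ID set of 998 are assumptions based on the message, and it assumes the default three-field date column.

```python
import re

# Constructed sample in `ls -lnR` layout; not taken from the attached listings.
SAMPLE = """\
.:
total 12
drwxr-xr-x 2 0 0 2048 May  8 09:00 etc
-rw-r--r-- 1 998 998 4096 May  8 09:00 netbsd
drwxr-xr-x 2 998 0 2048 May  8 09:00 my sets

./etc:
total 2
-r--r--r-- 1 0 0 120 May  8 09:00 rc.conf
lrwxr-xr-x 1 0 998 7 May  8 09:00 link -> rc.conf
"""

# First column of an entry line: file type, nine permission bits, optional flag.
MODE_RE = re.compile(r"^[bcdlps-][rwxsStT-]{9}[+@.]?$")


def leaked_owners(listing, build_ids=frozenset({998})):
    """Return (path, uid, gid) for every entry owned by a build-host ID."""
    hits = []
    directory = "."
    for line in listing.splitlines():
        fields = line.split(None, 4)
        is_entry = len(fields) == 5 and MODE_RE.match(fields[0])
        if not is_entry:
            if line.endswith(":"):
                directory = line[:-1]  # "./etc:" opens a new directory block
            continue  # also skips blank lines and "total N"
        if not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # listing was not produced with -n
        uid, gid = int(fields[2]), int(fields[3])
        # Device nodes print "major, minor" where other entries print a size.
        skip = 5 if fields[0][0] in "bc" else 4
        rest = fields[4].split(None, skip)
        if len(rest) <= skip:
            continue
        name = rest[skip].split(" -> ", 1)[0]  # drop symlink target
        if uid in build_ids or gid in build_ids:
            hits.append((f"{directory}/{name}", uid, gid))
    return hits


if __name__ == "__main__":
    for path, uid, gid in leaked_owners(SAMPLE):
        print(f"{uid}:{gid}\t{path}")
```

Running it over the listings from two build hosts and comparing the results shows which files lack an explicit owner in the spec.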


