tech-pkg archive


Building pkgsrc packages reproducibly



			Hi tech-pkg@,

the patch attached here adds initial support for building packages
reproducibly for pkgsrc. It currently tackles two problems:

- gcc(1) hard-coding full paths in debugging information (with one
  caveat at the moment)
- ar(1) hard-coding user IDs in archive headers

There are many more issues to tackle, but this is still quite uncharted
territory and they will have to be dealt with one by one.

Here is the description of this option:

> $ make help topic=reproducible
> ===> mk/repro/repro.mk (keywords: reproducible):
> # Infrastructure support for PKGSRC_MKREPRO.
> #
> 
> ===> mk/defaults/mk.conf (keywords: reproducible PKGSRC_MKREPRO):
> PKGSRC_MKREPRO?= no
> # If no, do not alter the build process. Otherwise, try to build reproducibly.
> # This allows packages built from the same tree and options to produce identical
> # results bit by bit.
> # This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable
> # address offsets for attackers attempting to exploit security vulnerabilities.
> # Possible: yes, no
> # Default: no

This feature is enabled by default for Debian GNU/Linux's own packages,
where 93% of them now build reproducibly. FreeBSD's ports also support
this to some extent (I believe more than 60% of the ports build reproducibly).

If I am not mistaken, this feature is also planned to be enabled by
default for the base system in NetBSD in the coming 8.0 release (on the
amd64 and sparc64 platforms at least). Of course, the corresponding
support for pkgsrc can evolve independently from NetBSD's base system.

Without any objections I will commit this next week.

Cheers,
-- 
khorben
Index: mk/defaults/mk.conf
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.285
diff -p -u -r1.285 mk.conf
--- mk/defaults/mk.conf	28 Oct 2017 15:56:48 -0000	1.285
+++ mk/defaults/mk.conf	12 Nov 2017 03:18:39 -0000
@@ -231,6 +231,17 @@ PKGSRC_MKPIE?= no
 # Possible: yes, no
 # Default: no
 
+PKGSRC_MKREPRO?= no
+# If no, do not alter the build process. Otherwise, try to build reproducibly.
+# This allows packages built from the same tree and options to produce identical
+# results bit by bit.
+# This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable
+# address offsets for attackers attempting to exploit security vulnerabilities.
+# Possible: yes, no
+# Default: no
+#
+# Keywords: reproducible
+
 PKGSRC_USE_FORTIFY?= strong
 # Turns on substitute wrappers for commonly used functions that do not bounds
 # checking regularly, but could in some cases. This is effectively in use only
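Review bot: The help text for PKGSRC_MKREPRO does not say that the setting is silently ignored on platforms that do not set `_OPSYS_SUPPORTS_MKREPRO` (the bsd.prefs.mk hunk falls back to `no` without any message), nor which sources of non-determinism are handled so far. Someone comparing package hashes to verify a build would overestimate what `yes` guarantees. I would add `# Only effective on platforms that register support; currently covers` and `# debug-info paths (GCC) and ar(1) archive headers only.` before the `Possible:` line.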
Index: mk/bsd.pkg.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
retrieving revision 1.2027
diff -p -u -r1.2027 bsd.pkg.mk
--- mk/bsd.pkg.mk	16 Sep 2017 09:34:25 -0000	1.2027
+++ mk/bsd.pkg.mk	12 Nov 2017 03:18:39 -0000
@@ -315,6 +315,10 @@ OVERRIDE_DIRDEPTH?=	2
 .endif
 .endif
 
+# Handle Reproducible Builds
+#
+.include "repro/repro.mk"
+
 # Define SMART_MESSAGES in /etc/mk.conf for messages giving the tree
 # of dependencies for building, and the current target.
 _PKGSRC_IN?=		===${SMART_MESSAGES:D> ${.TARGET} [${PKGNAME}${_PKGSRC_DEPS}] ===}
Index: mk/bsd.prefs.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.prefs.mk,v
retrieving revision 1.394
diff -p -u -r1.394 bsd.prefs.mk
--- mk/bsd.prefs.mk	3 Nov 2017 18:07:40 -0000	1.394
+++ mk/bsd.prefs.mk	12 Nov 2017 03:18:39 -0000
@@ -705,6 +705,12 @@ _PKGSRC_MKPIE=	no
 _PKGSRC_MKPIE=	yes
 .endif
 
+_PKGSRC_MKREPRO=	no
+.if (${PKGSRC_MKREPRO:tl} == "yes") && \
+    (${_OPSYS_SUPPORTS_MKREPRO:Uno} == "yes")
+_PKGSRC_MKREPRO=	yes
+.endif
+
 _PKGSRC_USE_FORTIFY=	no
 .if (${PKGSRC_USE_FORTIFY:tl} != "no") && \
     (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
Index: mk/compiler/gcc.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/compiler/gcc.mk,v
retrieving revision 1.186
diff -p -u -r1.186 gcc.mk
--- mk/compiler/gcc.mk	7 Nov 2017 16:57:58 -0000	1.186
+++ mk/compiler/gcc.mk	12 Nov 2017 03:18:39 -0000
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.186 2017/11/07 16:57:58 khorben Exp $
+# $NetBSD: gcc.mk,v 1.185 2017/10/03 09:38:16 jperkin Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -347,6 +347,17 @@ CWRAPPERS_APPEND.cc+=	${_MKPIE_CFLAGS.gc
 # CWRAPPERS_APPEND.ld+=	${_MKPIE_LDFLAGS.gcc}
 .endif
 
+.if ${_PKGSRC_MKREPRO} == "yes"
+.export WRKDIR
+# XXX the dollar sign should not be expanded by the shell
+_GCC_CFLAGS+=		-fdebug-prefix-map=$$$$WRKDIR/=
+.endif
+
+.if ${_PKGSRC_MKREPRO} == "yes"
+_GCC_CFLAGS+=		${_MKREPRO_CFLAGS.gcc}
+CWRAPPERS_APPEND.cc+=	${_MKREPRO_CFLAGS.gcc}
+.endif
+
 # The user can choose the level of FORTIFY.
 .if ${PKGSRC_USE_FORTIFY} == "weak"
 _FORTIFY_CFLAGS=	-D_FORTIFY_SOURCE=1
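Review bot: `_MKREPRO_CFLAGS.gcc` is not assigned anywhere in the visible patch, so the second `.if` block appends an empty value and `CWRAPPERS_APPEND.cc` never receives the `-fdebug-prefix-map` flag that the first block adds to `_GCC_CFLAGS`. Unless the variable is defined elsewhere in the tree, builds that go through cwrappers would presumably keep the full work-directory paths in their debug information. Assign the flag once, `_MKREPRO_CFLAGS.gcc=	-fdebug-prefix-map=$$$$WRKDIR/=`, and drop the direct `_GCC_CFLAGS+=` line so the two identical `.if` blocks can be merged. The XXX comment should also state which layer is expected to expand `$WRKDIR`, since the quoting may need to differ on the cwrappers path.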
Index: mk/platform/NetBSD.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/platform/NetBSD.mk,v
retrieving revision 1.56
diff -p -u -r1.56 NetBSD.mk
--- mk/platform/NetBSD.mk	3 Oct 2017 13:18:00 -0000	1.56
+++ mk/platform/NetBSD.mk	12 Nov 2017 03:18:39 -0000
@@ -142,6 +142,9 @@ _OPSYS_SUPPORTS_MKPIE=	yes
 _OPSYS_SUPPORTS_RELRO=	yes
 .endif
 
+# Register support for REPRO (with GCC)
+_OPSYS_SUPPORTS_MKREPRO=	yes
+
 # Register support for SSP on most architectures (with GCC)
 .if (${MACHINE_ARCH} != "alpha") && \
     (${MACHINE_ARCH} != "hppa") && \
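Review bot: `_OPSYS_SUPPORTS_MKREPRO` is set to yes unconditionally although the comment says `(with GCC)`. With a different compiler selected, `_PKGSRC_MKREPRO` would presumably still evaluate to yes while only the ar(1) wrapper is active, since the visible patch adds compiler flags to gcc.mk only. Either reword the comment, for example `# Register support for REPRO (debug path mapping is GCC-only so far)`, or make the assignment conditional on the compiler in use.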
Index: mk/repro/ar
===================================================================
RCS file: mk/repro/ar
diff -N mk/repro/ar
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ mk/repro/ar	12 Nov 2017 03:18:39 -0000
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ $# -ge 2 ]; then
+	args="$1"
+	mod="$2"
+	shift 2
+
+	exec /usr/bin/ar "$mod$args" "$@"
+else
+	exec /usr/bin/ar "$@"
+fi
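Review bot: The wrapper appends the injected modifier to whatever the second argument is, so a call whose first real argument is not an operation key, such as `ar --version`, reaches /usr/bin/ar as `--versionD`. The variable names are also inverted relative to what they hold: judging by the repro.mk settings in this patch, `args` receives the modifier from TOOLS_ARGS.ar and `mod` receives the caller's key. A case on the key that passes long options through unchanged, plus a header comment stating the calling convention, would make the script safer. The absolute /usr/bin/ar path avoids a PATH lookup but also bypasses any ar the platform configuration selects, which deserves a comment.
```shell
# Called as: ar <modifier from TOOLS_ARGS.ar> <caller's key> [args...]
if [ $# -ge 2 ]; then
	repro_mod="$1"
	key="$2"
	shift 2
	case "$key" in
	--*)	exec /usr/bin/ar "$key" "$@" ;;
	*)	exec /usr/bin/ar "$key$repro_mod" "$@" ;;
	esac
# … unchanged: else branch passing "$@" straight through …
```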
Index: mk/repro/repro.mk
===================================================================
RCS file: mk/repro/repro.mk
diff -N mk/repro/repro.mk
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ mk/repro/repro.mk	12 Nov 2017 03:18:39 -0000
@@ -0,0 +1,15 @@
+# $NetBSD$
+#
+# Infrastructure support for PKGSRC_MKREPRO.
+#
+# Keywords: reproducible
+#
+
+.if ${_PKGSRC_MKREPRO} == "yes"
+
+# force ar(1) to be deterministic
+TOOLS_CREATE+=	ar
+TOOLS_PATH.ar?=	${PKGSRCDIR}/mk/repro/ar
+TOOLS_ARGS.ar?=	D
+
+.endif
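Review bot: The comment `# force ar(1) to be deterministic` does not say what `D` does, or that it only works because mk/repro/ar folds its first argument into the operation key. I would write `# D: deterministic mode, ar(1) stores zero uid, gid and timestamp in member headers.` and `# mk/repro/ar appends it to the key the caller passes.` above the three assignments. Because `TOOLS_PATH.ar` and `TOOLS_ARGS.ar` use `?=`, an earlier assignment silently replaces them while `_PKGSRC_MKREPRO` still reads yes; plain `=` may be the safer choice here.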

Attachment: signature.asc
Description: OpenPGP digital signature


