tech-pkg archive


Re: Building pkgsrc packages reproducibly



Hey Thomas, tech-pkg@,

On 12/11/2017 09:47, Thomas Klausner wrote:
> On Sun, Nov 12, 2017 at 04:28:12AM +0100, Pierre Pronchery wrote:
>> the patch attached here adds initial support for building packages
>> reproducibly for pkgsrc.
> 
> Very cool! Thank you!

:)

> Some comments:
> 
>> Index: mk/compiler/gcc.mk
>> ===================================================================
>> RCS file: /cvsroot/pkgsrc/mk/compiler/gcc.mk,v
>> retrieving revision 1.186
>> diff -p -u -r1.186 gcc.mk
>> --- mk/compiler/gcc.mk	7 Nov 2017 16:57:58 -0000	1.186
>> +++ mk/compiler/gcc.mk	12 Nov 2017 03:18:39 -0000
>> @@ -1,4 +1,4 @@
>> -# $NetBSD: gcc.mk,v 1.186 2017/11/07 16:57:58 khorben Exp $
>> +# $NetBSD: gcc.mk,v 1.185 2017/10/03 09:38:16 jperkin Exp $
>>  #
>>  # This is the compiler definition for the GNU Compiler Collection.
>>  #
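
Review bot: the `$NetBSD$` line in this first gcc.mk hunk goes backwards, from revision 1.186 (khorben) to 1.185 (jperkin), even though the diff is taken against 1.186. That looks like a stale expanded RCS keyword in the working copy rather than an intended change; drop this hunk so that only the functional change at line 347 is submitted.
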
>> @@ -347,6 +347,17 @@ CWRAPPERS_APPEND.cc+=	${_MKPIE_CFLAGS.gc
>>  # CWRAPPERS_APPEND.ld+=	${_MKPIE_LDFLAGS.gcc}
>>  .endif
>>  
>> +.if ${_PKGSRC_MKREPRO} == "yes"
>> +.export WRKDIR
>> +# XXX the dollar sign should not be expanded by the shell
>> +_GCC_CFLAGS+=		-fdebug-prefix-map=$$$$WRKDIR/=
>> +.endif
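
Review bot: the `XXX` comment above `_GCC_CFLAGS+=` says what should not happen but leaves the reader to work out why `.export WRKDIR` and the four dollar signs in `-fdebug-prefix-map=$$$$WRKDIR/=` are there. Please extend the comment to state that the literal string `$WRKDIR` is meant to reach the compiler unexpanded and that the export exists so the name can be resolved from the environment. Since the flag is appended to `_GCC_CFLAGS` for every gcc once `_PKGSRC_MKREPRO` is "yes", the comment should also say which compilers are expected to accept that form.
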
> 
> Why is the export needed? Shouldn't ${WRKDIR} be expanded before being
> passed to gcc?

The trick is as follows: the -fdebug-prefix-map option allows us to tell
GCC to use a path that we will all share, regardless of where we each
build pkgsrc. So far so good, but GCC also includes the command used
during compilation inside the resulting binary. Therefore, if ${WRKDIR}
is expanded, the build is no longer reproducible...

NetBSD's GCC is patched to look for "$" as the first character of this
option, and expands it internally, then injecting the same command
inside the resulting binary.

The caveat here is that the underlying shell called by make(1) does
expand $WRKDIR before calling GCC. I did not find a way to escape it out
yet.

> (Does 'export' even work in Makefiles like this? Perhaps you mean
> ".export"?)

This is using ".export" already :)
Or did you mean something else?

>> Index: mk/repro/ar
>> ===================================================================
>> RCS file: mk/repro/ar
>> diff -N mk/repro/ar
>> --- /dev/null	1 Jan 1970 00:00:00 -0000
>> +++ mk/repro/ar	12 Nov 2017 03:18:39 -0000
>> @@ -0,0 +1,11 @@
>> +#!/bin/sh
>> +
>> +if [ $# -ge 2 ]; then
>> +	args="$1"
>> +	mod="$2"
>> +	shift 2
>> +
>> +	exec /usr/bin/ar "$mod$args" "$@"
>> +else
>> +	exec /usr/bin/ar "$@"
>> +fi
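
Review bot: in the `$# -ge 2` branch, `"$mod$args"` appends the first argument to the second without checking what the second argument is, so anything other than a plain key-letter string (for example an option starting with `--`) is rewritten into something ar(1) will not accept. Guard the concatenation with a `case "$mod" in` test and pass the arguments through unchanged otherwise. A header comment stating the calling convention (that `$1` is the modifier to inject and `$2` is the caller's operation) would help too, since the names `args` and `mod` do not make that obvious.
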
> 
> Is ar(1) in /usr/bin on all systems supported by pkgsrc?

Probably not, but PKGSRC_MKREPRO can only be enabled on NetBSD with this
first patch. I will try to implement maya's suggestion to find the
proper path to ar(1) though.

>> Index: mk/repro/repro.mk
>> ===================================================================
>> RCS file: mk/repro/repro.mk
>> diff -N mk/repro/repro.mk
>> --- /dev/null	1 Jan 1970 00:00:00 -0000
>> +++ mk/repro/repro.mk	12 Nov 2017 03:18:39 -0000
>> @@ -0,0 +1,15 @@
>> +# $NetBSD$
>> +#
>> +# Infrastructure support for PKGSRC_MKREPRO.
>> +#
>> +# Keywords: reproducible
>> +#
>> +
>> +.if ${_PKGSRC_MKREPRO} == "yes"
>> +
>> +# force ar(1) to be deterministic
>> +TOOLS_CREATE+=	ar
>> +TOOLS_PATH.ar?=	${PKGSRCDIR}/mk/repro/ar
>> +TOOLS_ARGS.ar?=	D
>> +
>> +.endif
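
Review bot: the comment says "force ar(1) to be deterministic", but `TOOLS_PATH.ar?=` and `TOOLS_ARGS.ar?=` only set defaults, so a value assigned earlier for either variable silently wins and the wrapper or the `D` modifier is skipped. Use plain `=` inside the `.if` block if the intent is to force it, or reword the comment to say these are defaults that can be overridden.
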
> 
> Do we need a minimum version of ar(1) to support "D"?

maya already answered this one :) (thanks!)

Cheers,
-- 
khorben

Attachment: signature.asc
Description: OpenPGP digital signature
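
Added example, not part of the original message or of the patch: a small Python checker for what the `D` modifier discussed in this thread changes in an ar(1) archive, namely the per-member mtime, uid and gid header fields. The function names and the in-memory sample archive are constructed for illustration, and the fixed mode of 644 follows GNU ar's deterministic mode.

```python
"""Check an ar(1) archive for header fields that break reproducible builds."""
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\n"

def build_ar(members, deterministic):
    """Build a minimal ar archive in memory (constructed sample data only).

    members: iterable of (name, data, mtime, uid, gid, mode).
    deterministic=True mimics what the "D" modifier does in GNU ar:
    mtime, uid and gid are written as 0 and the mode as 644.
    """
    out = bytearray(AR_MAGIC)
    for name, data, mtime, uid, gid, mode in members:
        if deterministic:
            mtime, uid, gid, mode = 0, 0, 0, 0o644
        hdr = f"{name + '/':<16}{mtime:<12}{uid:<6}{gid:<6}{mode:<8o}{len(data):<10}`\n"
        out += hdr.encode("ascii") + data
        if len(data) % 2:          # member data is padded to an even offset
            out += b"\n"
    return bytes(out)

def ar_members(blob):
    """Yield (name, mtime, uid, gid) for each member header in the archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + HDR_LEN]
        if len(hdr) < HDR_LEN or hdr[58:] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        text = hdr.decode("ascii")
        num = lambda s: int(s.strip() or "0")   # special members may leave fields blank
        size = num(text[48:58])
        yield text[:16].rstrip().rstrip("/") or "/", num(text[16:28]), num(text[28:34]), num(text[34:40])
        pos += HDR_LEN + size + (size % 2)

def nondeterministic_fields(blob):
    """Return [(member, field, value)] for every host-dependent header field."""
    return [(name, field, value)
            for name, *values in ar_members(blob)
            for field, value in zip(("mtime", "uid", "gid"), values)
            if value != 0]

# Constructed sample: two object-file stand-ins with host-specific metadata.
SAMPLE = [("foo.o", b"\x7fELF1", 1510456719, 1000, 100, 0o100644),
          ("bar.o", b"\x7fELF22", 1510456720, 1000, 100, 0o100644)]

if __name__ == "__main__":
    for label, det in (("plain", False), ("with D", True)):
        print(label, nondeterministic_fields(build_ar(SAMPLE, det)))
```

To check a real archive, read it in binary mode and pass the bytes to `nondeterministic_fields`; an empty list means the member headers carry no build-host metadata.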


