From patchwork Mon Oct 30 15:17:56 2017
X-Patchwork-Submitter: Eli Schwartz
X-Patchwork-Id: 272
From: Eli Schwartz
To: arch-projects@archlinux.org
Date: Mon, 30 Oct 2017 11:17:56 -0400
Message-Id: <20171030151756.17565-1-eschwartz@archlinux.org>
Subject: [arch-projects] [devtools] [PATCH] Support reproducible builds

Recent development versions of makepkg support reproducible builds through the environment variable SOURCE_DATE_EPOCH. Pass this variable through makechrootpkg to makepkg when available.

Also initialize SOURCE_DATE_EPOCH whenever running archbuild to enforce reproducible builds for repository packages.

Signed-off-by: Eli Schwartz
---
 archbuild.in     | 7 ++++++-
 lib/archroot.sh  | 6 ++++--
 makechrootpkg.in | 5 +++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/archbuild.in b/archbuild.in index 8339aef..1e5b582 100644 --- a/archbuild.in +++ b/archbuild.in @@ -39,7 +39,7 @@ while getopts 'hcr:' arg; do esac done -check_root +check_root SOURCE_DATE_EPOCH # Pass all arguments after -- right to makepkg makechrootpkg_args+=("${@:$OPTIND}") @@ -74,5 +74,10 @@ else pacman -Syu --noconfirm || abort fi +# Always build official packages reproducibly +if [[ ! -v SOURCE_DATE_EPOCH ]]; then + export SOURCE_DATE_EPOCH=$(date +%s) +fi + msg "Building in chroot for [%s] (%s)..." "${repo}" "${arch}" exec makechrootpkg -r "${chroots}/${repo}-${arch}" "${makechrootpkg_args[@]}" diff --git a/lib/archroot.sh b/lib/archroot.sh index 98fd2cf..f279603 100644 --- a/lib/archroot.sh +++ b/lib/archroot.sh
@@ -6,13 +6,15 @@ CHROOT_VERSION='v4' ## -# usage : check_root +# usage : check_root $keepenv ## orig_argv=("$0" "$@") check_root() { + local keepenv=$1 + (( EUID == 0 )) && return if type -P sudo >/dev/null; then - exec sudo -- "${orig_argv[@]}" + exec sudo --preserve-env=$keepenv -- "${orig_argv[@]}" else exec su root -c "$(printf ' %q' "${orig_argv[@]}")" fi diff --git a/makechrootpkg.in b/makechrootpkg.in index be9b33f..d43a130 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -200,6 +200,7 @@ EOF { printf '#!/bin/bash\n' declare -f _chrootbuild + declare -p SOURCE_DATE_EPOCH 2>/dev/null printf '_chrootbuild "$@" || exit\n' if [[ $run_namcap = true ]]; then @@ -226,7 +227,7 @@ _chrootbuild() { # use "$" in arguments to commands with "sudo -i". ${foo} or # ${1} is OK, but $foo or $1 isn't. # https://bugzilla.sudo.ws/show_bug.cgi?id=765 - sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@" + sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@" } _chrootnamcap() { @@ -338,7 +339,7 @@ main() { [[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.' makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}} - check_root + check_root SOURCE_DATE_EPOCH # Canonicalize chrootdir, getting rid of trailing / chrootdir=$(readlink -e "$passeddir")
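Review bot: In the second archbuild.in hunk (`@@ -74,5 +74,10 @@`), the comment "Always build official packages reproducibly" promises more than the code delivers: setting SOURCE_DATE_EPOCH only pins the timestamps that makepkg derives from it, and the value chosen here is the wall clock at build start, so a later rebuild can only match if that value is recorded alongside the package and fed back in. Say so in the comment (and in the commit message), e.g. "Pin SOURCE_DATE_EPOCH so timestamps are reproducible given the same value". Also split `export SOURCE_DATE_EPOCH=$(date +%s)` into an assignment followed by `export SOURCE_DATE_EPOCH`, since `export VAR=$(cmd)` discards the command substitution's exit status; the other scripts in this tree already `|| abort` on failures, and `date` is cheap but the idiom is worth keeping consistent.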
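Review bot: In the lib/archroot.sh hunk, `exec sudo --preserve-env=$keepenv -- "${orig_argv[@]}"` is wrong whenever check_root is still invoked with no argument (its original signature): `$keepenv` is empty, so sudo is handed `--preserve-env=` with an empty list instead of the previous plain invocation. Guard the option on the argument being non-empty, for example `local keepenv=${1:+--preserve-env=$1}` and then `exec sudo $keepenv -- "${orig_argv[@]}"`, or build an array of extra sudo arguments. Two further caveats worth a comment next to the call: `--preserve-env=list` needs sudo 1.8.21 or newer, and under the default env_reset policy sudo may refuse the request outright (rather than silently dropping the variable) when the invoking user's sudoers entry does not grant SETENV or list the variable in env_keep, so the failure mode on a locked-down host is "archbuild no longer runs at all". The usage comment should also state that `$keepenv` is a comma-separated list of environment variable names to carry across the privilege boundary, not a boolean.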
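Review bot: In the first makechrootpkg.in hunk (`declare -p SOURCE_DATE_EPOCH 2>/dev/null`), the generated script only re-exports the variable if it was exported in makechrootpkg's own environment: `declare -p` prints `declare -x SOURCE_DATE_EPOCH=...` for an exported variable but `declare -- SOURCE_DATE_EPOCH=...` for a plain shell variable, and in the latter case the `sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser` line further down will not see it. archbuild exports it, so the archbuild path is fine, but a user running makechrootpkg directly after `SOURCE_DATE_EPOCH=1234` (no export) gets a silently non-reproducible build. Either document that the variable must be exported, or emit an explicit `export SOURCE_DATE_EPOCH` line after the `declare -p`. On the plus side, `declare -p` output is shell-quoted, so embedding an arbitrary value into the script that runs as root inside the chroot is safe.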
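Review bot: In the second makechrootpkg.in hunk, `sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser ...` runs inside the chroot, so the `--preserve-env=list` requirement (sudo 1.8.21 or newer) applies to the chroot's sudo package as well as the host's; an older chroot that has not been `pacman -Syu`'d will fail on the option itself rather than merely lose the variable. The existing comment block above this line documents the bugzilla.sudo.ws quirk about `$` in arguments; add the minimum sudo version there so the next person editing this line knows why the option is safe to use. Note also that `-i` starts a login shell for builduser, so anything in that user's profile that sets SOURCE_DATE_EPOCH would override the preserved value; the chroot's builduser is created by these tools, so this is acceptable, but it is the one path by which the value could still change.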