Pin git repos to specific revisions

Fixes upstreams potentially being able to break our builds, and also makes builds more deterministic which helps with reproducible builds. Fixes #498
linuxboot · Dec 14, 2018 · 397dc6f · 397dc6f
1 parent 7604296
commit 397dc6f
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -209,7 +209,7 @@ define define_module =
     # that the files are all present. No signature hashes are checked in
     # this case, since we don't have a stable version to compare against.
     $(build)/$($1_base_dir)/.canary:
-	git clone $($1_repo) "$(build)/$($1_base_dir)"
+	git clone $($1_repo) --branch $($1_rev) "$(build)/$($1_base_dir)"
 	if [ -r patches/$1.patch ]; then \
 		( cd $(build)/$($1_base_dir) ; patch -p1 ) \
 			< patches/$1.patch \

diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification
@@ -5,6 +5,7 @@ libremkey-hotp-verification_depends := libusb $(musl_dep)
 libremkey-hotp-verification_version := git
 libremkey-hotp-verification_dir := libremkey-hotp-verification
 libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification
+libremkey-hotp-verification_rev := 5b2bb429777b208b70fea86129b8c26355ef5569
 
 libremkey-hotp-verification_target := \
 	$(MAKE_JOBS) \

diff --git a/modules/linuxboot b/modules/linuxboot
@@ -3,6 +3,7 @@ modules-$(CONFIG_LINUXBOOT) += linuxboot
 linuxboot_version := git
 linuxboot_repo := https://github.com/osresearch/linuxboot
 linuxboot_base_dir := linuxboot-$(linuxboot_version)
+linuxboot_rev := b5376a441e8e85cbf722e943bb8294958e87c784
 
 # linuxboot builds are specialized on a per-target basis.
 # They can be specialized by defining $(CONFIG_LINUXBOOT_BOARD)

diff --git a/modules/musl-cross b/modules/musl-cross
@@ -26,6 +26,7 @@ modules-y += musl-cross
 musl-cross_version := git
 musl-cross_dir := musl-cross-$(musl-cross_version)
 musl-cross_repo := https://github.com/GregorR/musl-cross
+musl-cross_rev := abf1dd54ac05f5b2d34d750027fa083b870e069e
 
 CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux-
 CROSS := $(build)/../$(CROSS_TOP)

diff --git a/modules/tpmtotp b/modules/tpmtotp
@@ -4,6 +4,7 @@ tpmtotp_depends := mbedtls qrencode $(musl_dep)
 
 tpmtotp_version := git
 tpmtotp_repo := https://github.com/osresearch/tpmtotp
+tpmtotp_rev := 18b860fdcf5a55537c8395b891f2b2a5c24fc00a
 
 #tpmtotp_version := 0.3.0
 tpmtotp_dir := tpmtotp-$(tpmtotp_version)