From 397dc6ffd6c18431c4952deff7ae03606a812a82 Mon Sep 17 00:00:00 2001
From: AJ Jordan <alex@strugee.net>
Date: Fri, 14 Dec 2018 17:28:53 -0500
Subject: [PATCH] Pin git repos to specific revisions

Fixes upstreams potentially being able to break our builds, and also
makes builds more deterministic which helps with reproducible builds.

Fixes #498
---
 Makefile                            | 2 +-
 modules/libremkey-hotp-verification | 1 +
 modules/linuxboot                   | 1 +
 modules/musl-cross                  | 1 +
 modules/tpmtotp                     | 1 +
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index cad491c3a..f75e25e15 100644
--- a/Makefile
+++ b/Makefile
@@ -209,7 +209,7 @@ define define_module =
     # that the files are all present. No signature hashes are checked in
     # this case, since we don't have a stable version to compare against.
     $(build)/$($1_base_dir)/.canary:
-	git clone $($1_repo) "$(build)/$($1_base_dir)"
+	git clone $($1_repo) --branch $($1_rev) "$(build)/$($1_base_dir)"
 	if [ -r patches/$1.patch ]; then \
 		( cd $(build)/$($1_base_dir) ; patch -p1 ) \
 			< patches/$1.patch \
diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification
index c9b9d45ab..73ed6f597 100644
--- a/modules/libremkey-hotp-verification
+++ b/modules/libremkey-hotp-verification
@@ -5,6 +5,7 @@ libremkey-hotp-verification_depends := libusb $(musl_dep)
 libremkey-hotp-verification_version := git
 libremkey-hotp-verification_dir := libremkey-hotp-verification
 libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification
+libremkey-hotp-verification_rev := 5b2bb429777b208b70fea86129b8c26355ef5569
 
 libremkey-hotp-verification_target := \
 	$(MAKE_JOBS) \
diff --git a/modules/linuxboot b/modules/linuxboot
index 4e04a9e34..77f9d3360 100644
--- a/modules/linuxboot
+++ b/modules/linuxboot
@@ -3,6 +3,7 @@ modules-$(CONFIG_LINUXBOOT) += linuxboot
 linuxboot_version := git
 linuxboot_repo := https://github.com/osresearch/linuxboot
 linuxboot_base_dir := linuxboot-$(linuxboot_version)
+linuxboot_rev := b5376a441e8e85cbf722e943bb8294958e87c784
 
 # linuxboot builds are specialized on a per-target basis.
 # They can be specialized by defining $(CONFIG_LINUXBOOT_BOARD)
diff --git a/modules/musl-cross b/modules/musl-cross
index 199731859..67eeb9d3c 100644
--- a/modules/musl-cross
+++ b/modules/musl-cross
@@ -26,6 +26,7 @@ modules-y += musl-cross
 musl-cross_version := git
 musl-cross_dir := musl-cross-$(musl-cross_version)
 musl-cross_repo := https://github.com/GregorR/musl-cross
+musl-cross_rev := abf1dd54ac05f5b2d34d750027fa083b870e069e
 
 CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux-
 CROSS := $(build)/../$(CROSS_TOP)
diff --git a/modules/tpmtotp b/modules/tpmtotp
index 792dd512c..cfbb39e3b 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@@ -4,6 +4,7 @@ tpmtotp_depends := mbedtls qrencode $(musl_dep)
 
 tpmtotp_version := git
 tpmtotp_repo := https://github.com/osresearch/tpmtotp
+tpmtotp_rev := 18b860fdcf5a55537c8395b891f2b2a5c24fc00a
 
 #tpmtotp_version := 0.3.0
 tpmtotp_dir := tpmtotp-$(tpmtotp_version)