Pin musl-cross-git to a particular commit for reproducible builds #498
Comments
Fixes upstreams potentially being able to break our builds, and also makes builds more deterministic which helps with reproducible builds. Fixes linuxboot#498
|
Note that I just pulled the latest commit from GitHub for all of these, which I assume is the right thing to do? |
Fixes upstreams potentially being able to break our builds, and also makes builds more deterministic which helps with reproducible builds. Fixes linuxboot#498
|
Discussion follows in pull request |
|
@strugee : any base Makefile change proposition to pull the code upon detected git changes instead? That would do it IMHO. Doing so, a CI build would notify CI owner of any conflict that needs to be fixed since the builds would fails in case a patch that cannot be applied (thinking of this for example). Would guarantee that builds come from latest versions available and make them reproducible without having a high maintenance cost, since git dependent modules are stable. The situation would be different for coreboot module switching to git, on which I would agree with you with the necessity of pinning to a specific commit. Else each build actually has a commit id in the build under /etc/config , and each build CI build log will have /build/$BOARD/hashes.txt file permitting to find reproducibility error source once #457 is merged. Let me know what you think. |
While patching musl-cross it came to my attention that Heads' build script just clones the latest git commit. This seems like a problem for reproducible builds? Especially since upstream can break our build. In fact I first noticed this because I pushed a commit to my fork (which I patched Heads to pull from) and my Heads build started failing because patching the musl-cross config file failed.
The text was updated successfully, but these errors were encountered: