dpkg-genbuildinfo: Add support for new Build-Kernel-Version field

Packages intended to be built in a generic way must never rely on the
currently running kernel on the build system (an exception could be an
optimization rebuild using the current system as the reference baseline).

But to be able to detect when a package might not be reproducible due to
varying kernel information it is still useful to be able to record this
information. Although that information can be very sensitive.

When the builder has explicitly enabled the Build-Kernel-Version field
with the new dpkg-genbuildinfo --always-include-kernel option, it will
get included in the generated .buildinfo file.

Closes: #873937

6 files changed, 33 insertions, 5 deletions

diff --git a/debian/changelog b/debian/changelog
index 36282818a..53a13c3ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,9 @@ dpkg (1.19.0) UNRELEASED; urgency=medium
     deb822 format.
   * Remove long obsolete dselect floppy method.
   * Remove traces of non-US support from dselect methods.
+  * Add support for a new Build-Kernel-Version field in .buildinfo files,
+    that can be emitted with a new dpkg-genbuildinfo --always-include-kernel
+    option. Closes: #873937
   * Perl modules:
     - Switch from Dpkg::Util to List::Util, now that the module in the
       new required Perl contains the needed functions.
diff --git a/man/deb-buildinfo.man b/man/deb-buildinfo.man
index 3b184241e..5013aa047 100644
--- a/man/deb-buildinfo.man
+++ b/man/deb-buildinfo.man
@@ -135,6 +135,12 @@ The date the package was built.
 It must be in the same format as the date in a \fBdeb\-changelog\fP(5)
 entry.
 .TP
+.BR Build\-Kernel\-Version: " \fIbuild-kernel-version\fP"
+The release and version (in an unspecified format) of the kernel running
+on the build system.
+This field is only going to be present if the builder has explicitly
+requested it, to avoid leaking possibly sensitive information.
+.TP
 .BR Build\-Path: " \fIbuild-path\fP"
 The absolute build path, which correspond to the unpacked source tree.
 This field is only going to be present if the vendor has whitelisted it
diff --git a/man/dpkg-genbuildinfo.man b/man/dpkg-genbuildinfo.man
index aaf54a38a..ad5e614b1 100644
--- a/man/dpkg-genbuildinfo.man
+++ b/man/dpkg-genbuildinfo.man
@@ -104,6 +104,12 @@ rather than
 (\fBdpkg\-genbuildinfo\fP needs to find these files so that it can include
 their sizes and checksums in the \fB.buildinfo\fP file).
 .TP
+.BI \-\-always\-include\-kernel
+By default, the \fBBuild\-Kernel-Version\fR field will not be written out.
+
+Specify this option (since dpkg 1.19.0) to always write a
+\fBBuild\-Kernel\-Version\fR field when generating the \fB.buildinfo\fR.
+.TP
 .BI \-\-always\-include\-path
 By default, the \fBBuild\-Path\fR field will only be written if the current
 directory starts with a whitelisted pattern.
diff --git a/scripts/Dpkg/Control/FieldsCore.pm b/scripts/Dpkg/Control/FieldsCore.pm
index 8f5d7f34a..74c54e686 100644
--- a/scripts/Dpkg/Control/FieldsCore.pm
+++ b/scripts/Dpkg/Control/FieldsCore.pm
@@ -159,6 +159,10 @@ our %FIELDS = (
         name => 'Build-Essential',
         allowed => ALL_PKG,
     },
+    'build-kernel-version' => {
+        name => 'Build-Kernel-Version',
+        allowed => CTRL_FILE_BUILDINFO,
+    },
     'build-origin' => {
         name => 'Build-Origin',
         allowed => CTRL_FILE_BUILDINFO,
@@ -629,8 +633,8 @@ our %FIELD_ORDER = (
     CTRL_FILE_BUILDINFO() => [
         qw(format source binary architecture version binary-only-changes),
         @src_checksums_fields,
-        qw(build-origin build-architecture build-date build-path
-        installed-build-depends environment),
+        qw(build-origin build-architecture build-kernel-version build-date
+        build-path installed-build-depends environment),
     ],
     CTRL_FILE_CHANGES() => [
         qw(format date source binary binary-only built-for-profiles architecture
diff --git a/scripts/dpkg-genbuildinfo.pl b/scripts/dpkg-genbuildinfo.pl
index 3682f2f02..45c45089d 100755
--- a/scripts/dpkg-genbuildinfo.pl
+++ b/scripts/dpkg-genbuildinfo.pl
@@ -61,6 +61,7 @@ my $outputfile;
 my $stdout = 0;
 my $admindir = $Dpkg::ADMINDIR;
 my %use_feature = (
+    kernel => 0,
     path => 0,
 );
 my @build_profiles = get_build_profiles();
@@ -294,6 +295,7 @@ sub usage {
   -F<changelog-format>     force changelog format.
   -O[<buildinfo-file>]     write to stdout (or <buildinfo-file>).
   -u<upload-files-dir>     directory with files (default is '..').
+  --always-include-kernel  always include Build-Kernel-Version.
   --always-include-path    always include Build-Path.
   --admindir=<directory>   change the administrative directory.
   -?, --help               show this help message.
@@ -325,6 +327,8 @@ while (@ARGV) {
     } elsif (m/^--buildinfo-id=.*$/) {
         # Deprecated option
         warning('--buildinfo-id is deprecated, it is without effect');
+    } elsif (m/^--always-include-kernel$/) {
+        $use_feature{kernel} = 1;
     } elsif (m/^--always-include-path$/) {
         $use_feature{path} = 1;
     } elsif (m/^--admindir=(.*)$/) {
@@ -415,6 +419,11 @@ $fields->{'Build-Origin'} = get_current_vendor();
 $fields->{'Build-Architecture'} = get_build_arch();
 $fields->{'Build-Date'} = get_build_date();
 
+if ($use_feature{kernel}) {
+    my (undef, undef, $kern_rel, $kern_ver, undef) = POSIX::uname();
+    $fields->{'Build-Kernel-Version'} = "$kern_rel $kern_ver";
+}
+
 my $cwd = cwd();
 if ($use_feature{path}) {
     $fields->{'Build-Path'} = $cwd;
diff --git a/scripts/t/Dpkg_Control_Fields.t b/scripts/t/Dpkg_Control_Fields.t
index 74d1739fc..e096c5494 100644
--- a/scripts/t/Dpkg_Control_Fields.t
+++ b/scripts/t/Dpkg_Control_Fields.t
@@ -20,7 +20,7 @@ use Test::More;
 use Test::Dpkg qw(:paths);
 
 BEGIN {
-    plan tests => 2394;
+    plan tests => 2416;
 
     use_ok('Dpkg::Control::Types');
     use_ok('Dpkg::Control::FieldsCore');
@@ -162,8 +162,8 @@ my %fields = (
         fields => [
             qw(Format Source Binary Architecture Version Binary-Only-Changes),
             @src_checksums,
-            qw(Build-Origin Build-Architecture Build-Date Build-Path
-               Installed-Build-Depends Environment)
+            qw(Build-Origin Build-Architecture Build-Kernel-Version
+               Build-Date Build-Path Installed-Build-Depends Environment)
         ],
     },
     CTRL_FILE_CHANGES() => {