summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorkhorben <khorben@pkgsrc.org>2017-11-12 13:34:14 +0000
committerkhorben <khorben@pkgsrc.org>2017-11-12 13:34:14 +0000
commit7d3f3ab2e3f90a0088ece35efa2265a79d9a302a (patch)
tree570e7605ffffab5381ff6af23ae175bce975f3c3
parent3152ab4faca23a0563c98c4201f9299e01b67376 (diff)
downloadpkgsrc-7d3f3ab2e3f90a0088ece35efa2265a79d9a302a.tar.gz
Add initial support for building packages reproducibly
It currently tackles two problems: - gcc(1) hard-coding full paths in debugging information (with one caveat at the moment) - ar(1) hard-coding user IDs in archive headers This allows packages built from the same tree and options to produce identical results bit by bit. This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable address offsets for attackers attempting to exploit security vulnerabilities. This is still disabled by default, and only supports NetBSD so far. As discussed on tech-pkg@
-rw-r--r--mk/bsd.pkg.mk6
-rw-r--r--mk/bsd.prefs.mk8
-rw-r--r--mk/compiler/gcc.mk13
-rw-r--r--mk/defaults/mk.conf13
-rw-r--r--mk/platform/NetBSD.mk5
-rwxr-xr-xmk/repro/ar11
-rw-r--r--mk/repro/repro.mk15
7 files changed, 66 insertions, 5 deletions
diff --git a/mk/bsd.pkg.mk b/mk/bsd.pkg.mk
index 4999e2f9e1e..d233cc14a93 100644
--- a/mk/bsd.pkg.mk
+++ b/mk/bsd.pkg.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.pkg.mk,v 1.2027 2017/09/16 09:34:25 wiz Exp $
+# $NetBSD: bsd.pkg.mk,v 1.2028 2017/11/12 13:34:14 khorben Exp $
#
# This file is in the public domain.
#
@@ -315,6 +315,10 @@ OVERRIDE_DIRDEPTH?= 2
.endif
.endif
+# Handle Reproducible Builds
+#
+.include "repro/repro.mk"
+
# Define SMART_MESSAGES in /etc/mk.conf for messages giving the tree
# of dependencies for building, and the current target.
_PKGSRC_IN?= ===${SMART_MESSAGES:D> ${.TARGET} [${PKGNAME}${_PKGSRC_DEPS}] ===}
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index 2704e90ca2f..bbd93490cc6 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.394 2017/11/03 18:07:40 bsiegert Exp $
+# $NetBSD: bsd.prefs.mk,v 1.395 2017/11/12 13:34:14 khorben Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -705,6 +705,12 @@ _PKGSRC_MKPIE= no
_PKGSRC_MKPIE= yes
.endif
+_PKGSRC_MKREPRO= no
+.if (${PKGSRC_MKREPRO:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_MKREPRO:Uno} == "yes")
+_PKGSRC_MKREPRO= yes
+.endif
+
_PKGSRC_USE_FORTIFY= no
.if (${PKGSRC_USE_FORTIFY:tl} != "no") && \
(${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index 5d8ed005d03..be32fda368e 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.186 2017/11/07 16:57:58 khorben Exp $
+# $NetBSD: gcc.mk,v 1.187 2017/11/12 13:34:14 khorben Exp $
#
# This is the compiler definition for the GNU Compiler Collection.
#
@@ -347,6 +347,17 @@ CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}
# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
.endif
+.if ${_PKGSRC_MKREPRO} == "yes"
+.export WRKDIR
+# XXX the dollar sign should not be expanded by the shell
+_GCC_CFLAGS+= -fdebug-prefix-map=$$$$WRKDIR/=
+.endif
+
+.if ${_PKGSRC_MKREPRO} == "yes"
+_GCC_CFLAGS+= ${_MKREPRO_CFLAGS.gcc}
+CWRAPPERS_APPEND.cc+= ${_MKREPRO_CFLAGS.gcc}
+.endif
+
# The user can choose the level of FORTIFY.
.if ${PKGSRC_USE_FORTIFY} == "weak"
_FORTIFY_CFLAGS= -D_FORTIFY_SOURCE=1
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 0dee9ea98e3..cdb46dc8599 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.285 2017/10/28 15:56:48 schmonz Exp $
+# $NetBSD: mk.conf,v 1.286 2017/11/12 13:34:14 khorben Exp $
#
# This file provides default values for variables that may be overridden
@@ -231,6 +231,17 @@ PKGSRC_MKPIE?= no
# Possible: yes, no
# Default: no
+PKGSRC_MKREPRO?= no
+# If no, do not alter the build process. Otherwise, try to build reproducibly.
+# This allows packages built from the same tree and options to produce identical
+# results bit by bit.
+# This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable
+# address offsets for attackers attempting to exploit security vulnerabilities.
+# Possible: yes, no
+# Default: no
+#
+# Keywords: reproducible
+
PKGSRC_USE_FORTIFY?= strong
# Turns on substitute wrappers for commonly used functions that do not bounds
# checking regularly, but could in some cases. This is effectively in use only
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index 0f863997e11..5c714d2b2d2 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.mk,v 1.56 2017/10/03 13:18:00 jperkin Exp $
+# $NetBSD: NetBSD.mk,v 1.57 2017/11/12 13:34:14 khorben Exp $
#
# Variable definitions for the NetBSD operating system.
@@ -142,6 +142,9 @@ _OPSYS_SUPPORTS_MKPIE= yes
_OPSYS_SUPPORTS_RELRO= yes
.endif
+# Register support for REPRO (with GCC)
+_OPSYS_SUPPORTS_MKREPRO= yes
+
# Register support for SSP on most architectures (with GCC)
.if (${MACHINE_ARCH} != "alpha") && \
(${MACHINE_ARCH} != "hppa") && \
diff --git a/mk/repro/ar b/mk/repro/ar
new file mode 100755
index 00000000000..69878dca680
--- /dev/null
+++ b/mk/repro/ar
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ $# -ge 2 ]; then
+ args="$1"
+ mod="$2"
+ shift 2
+
+ exec /usr/bin/ar "$mod$args" "$@"
+else
+ exec /usr/bin/ar "$@"
+fi
diff --git a/mk/repro/repro.mk b/mk/repro/repro.mk
new file mode 100644
index 00000000000..eb821cb397c
--- /dev/null
+++ b/mk/repro/repro.mk
@@ -0,0 +1,15 @@
+# $NetBSD: repro.mk,v 1.1 2017/11/12 13:34:14 khorben Exp $
+#
+# Infrastructure support for PKGSRC_MKREPRO.
+#
+# Keywords: reproducible
+#
+
+.if ${_PKGSRC_MKREPRO} == "yes"
+
+# force ar(1) to be deterministic
+TOOLS_CREATE+= ar
+TOOLS_PATH.ar?= ${PKGSRCDIR}/mk/repro/ar
+TOOLS_ARGS.ar?= D
+
+.endif