author: khorben <khorben@pkgsrc.org> 2017-11-12 13:34:14 +0000
committer: khorben <khorben@pkgsrc.org> 2017-11-12 13:34:14 +0000
commit: 7d3f3ab2e3f90a0088ece35efa2265a79d9a302a (patch)
tree: 570e7605ffffab5381ff6af23ae175bce975f3c3 /mk/repro
parent: 3152ab4faca23a0563c98c4201f9299e01b67376 (diff)
Add initial support for building packages reproducibly
It currently tackles two problems:
- gcc(1) hard-coding full paths in debugging information (with one caveat at the moment)
- ar(1) hard-coding user IDs in archive headers

This allows packages built from the same tree and options to produce identical results bit by bit.

This option should be combined with ASLR and PKGSRC_MKPIE to avoid predictable address offsets for attackers attempting to exploit security vulnerabilities.

This is still disabled by default, and only supports NetBSD so far.

As discussed on tech-pkg@
Diffstat (limited to 'mk/repro')
-rwxr-xr-x  mk/repro/ar        | 11
-rw-r--r--  mk/repro/repro.mk  | 15
2 files changed, 26 insertions, 0 deletions
diff --git a/mk/repro/ar b/mk/repro/ar
new file mode 100755
index 00000000000..69878dca680
--- /dev/null
+++ b/mk/repro/ar
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ $# -ge 2 ]; then
+ args="$1"
+ mod="$2"
+ shift 2
+
+ exec /usr/bin/ar "$mod$args" "$@"
+else
+ exec /usr/bin/ar "$@"
+fi
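Review bot: the `exec /usr/bin/ar "$mod$args" "$@"` line blindly glues `$1` onto `$2` whenever at least two arguments are present, so an invocation whose second word is a long option (`--version`, `--help`) or an MRI-script request (`-M`) becomes `--versionD` or `-MD` and fails; add a `case "$2" in --*|-M) exec /usr/bin/ar "$@";; esac` style guard before the concatenation so only a real operation string such as `rcs` receives the modifier. The calling convention is also undocumented: given `TOOLS_ARGS.ar?= D` in repro.mk, `$1` is expected to be the injected `D` and `$2` the caller's own operation string, yet the variables are named `args` and `mod` the other way round; a two-line comment stating the expected argument order would prevent the next reader from "fixing" the swap. Finally, `/usr/bin/ar` is hard-coded twice, which is consistent with the commit message's NetBSD-only scope but should be stated in a comment so the limitation is visible from the script itself.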
diff --git a/mk/repro/repro.mk b/mk/repro/repro.mk
new file mode 100644
index 00000000000..eb821cb397c
--- /dev/null
+++ b/mk/repro/repro.mk
@@ -0,0 +1,15 @@
+# $NetBSD: repro.mk,v 1.1 2017/11/12 13:34:14 khorben Exp $
+#
+# Infrastructure support for PKGSRC_MKREPRO.
+#
+# Keywords: reproducible
+#
+
+.if ${_PKGSRC_MKREPRO} == "yes"
+
+# force ar(1) to be deterministic
+TOOLS_CREATE+= ar
+TOOLS_PATH.ar?= ${PKGSRCDIR}/mk/repro/ar
+TOOLS_ARGS.ar?= D
+
+.endif
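Review bot: the conditional `.if ${_PKGSRC_MKREPRO} == "yes"` makes bmake abort with a malformed-conditional error if `_PKGSRC_MKREPRO` is undefined when this file is included, and nothing in this diff defines it; either write `.if defined(_PKGSRC_MKREPRO) && ${_PKGSRC_MKREPRO} == "yes"` or note in the header comment which file is expected to set it. The header comment should also say that this file only covers the ar(1) determinism half of PKGSRC_MKREPRO (via the `D` modifier in `TOOLS_ARGS.ar`) and that the gcc(1) debug-path handling named in the commit message lives elsewhere, since a reader of `mk/repro/` alone would otherwise assume the feature is incomplete.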