From 8f7255657a3e2df0d87f3112fd8d1e9718a0386c Mon Sep 17 00:00:00 2001
From: Morten Linderud
Date: Thu, 20 Jun 2019 23:14:18 +0200
Subject: Support SOURCE_DATE_EPOCH

Build artifacts embeds the current date of the build into the artifact. If anyone want to reproduce the software at a later date there is no way to pass a recorded date or fake it in the build system at a later point.
https://reproducible-builds.org/docs/source-date-epoch/
Signed-off-by: Morten Linderud
---
 Makefile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 881236452..fe90076d1 100644
--- a/Makefile
+++ b/Makefile
@@ -49,14 +49,20 @@ SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo
 COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
 GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),${COMMIT_NO}-dirty,${COMMIT_NO})
-BUILD_INFO ?= $(shell date +%s)
+DATE_FMT = %s
+ifdef SOURCE_DATE_EPOCH
+ BUILD_INFO ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+$(DATE_FMT)" 2>/dev/null || date -u "+$(DATE_FMT)")
+ ISODATE ?= $(shell date -d "@$(SOURCE_DATE_EPOCH)" --iso-8601)
+else
+ BUILD_INFO ?= $(shell date "+$(DATE_FMT)")
+ ISODATE ?= $(shell date --iso-8601)
+endif
 LIBPOD := ${PROJECT}/libpod
 LDFLAGS_PODMAN ?= $(LDFLAGS) \
 -X $(LIBPOD).gitCommit=$(GIT_COMMIT) \
 -X $(LIBPOD).buildInfo=$(BUILD_INFO) \
 -X $(LIBPOD).installPrefix=$(PREFIX) \
 -X $(LIBPOD).etcDir=$(ETCDIR)
-ISODATE ?= $(shell date --iso-8601)
 #Update to LIBSECCOMP_COMMIT should reflect in Dockerfile too.
 LIBSECCOMP_COMMIT := release-2.3
--
cgit v1.2.3-54-g00ecf
From 156ebcbdf9264750b6e49ebd11aeff21e610f491 Mon Sep 17 00:00:00 2001
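Review bot: The `ISODATE` assignment inside the `ifdef SOURCE_DATE_EPOCH` branch omits `-u` and has no fallback of the kind the `BUILD_INFO` line above it has, so the date it produces still depends on the builder's time zone and it fails on a non-GNU `date`. `ISODATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" --iso-8601)` would at least pin it to UTC. The last arm of the `BUILD_INFO` chain, `|| date -u "+$(DATE_FMT)"`, silently substitutes the current time when `SOURCE_DATE_EPOCH` cannot be parsed, which turns a bad value into a non-reproducible artifact with no warning to anyone verifying the build. The environment value is also interpolated into a `$(shell ...)` command line without validation, so a digits-only check that stops with `$(error ...)` would cover both the silent fallback and the unvalidated shell input.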
From: Morten Linderud
Date: Thu, 20 Jun 2019 23:17:53 +0200
Subject: Support Reproducible Builds by removing build path

An issue for achieving reproducible builds is build artifacts where build paths are embedded. We remove them by passing the current working directory to -gcflags and -asmflags which prefix trims the paths. Note: Go 1.13 includes `-trimpath`
https://reproducible-builds.org/docs/build-path/
Signed-off-by: Morten Linderud
---
 Makefile | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index fe90076d1..8dbce2b75 100644
--- a/Makefile
+++ b/Makefile
@@ -58,6 +58,8 @@ else
 ISODATE ?= $(shell date --iso-8601)
 endif
 LIBPOD := ${PROJECT}/libpod
+GCFLAGS ?= all=-trimpath=${PWD}
+ASMFLAGS ?= all=-trimpath=${PWD}
 LDFLAGS_PODMAN ?= $(LDFLAGS) \
 -X $(LIBPOD).gitCommit=$(GIT_COMMIT) \
 -X $(LIBPOD).buildInfo=$(BUILD_INFO) \
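Review bot: `${PWD}` in the two new assignments comes from the environment, which GNU make does not update, so under `make -C <dir>` or any caller with a stale `PWD` the prefix will not match the compiled paths and the build directory stays embedded in the binary. `$(CURDIR)` is make's own notion of the working directory: `GCFLAGS ?= all=-trimpath=$(CURDIR)` and `ASMFLAGS ?= all=-trimpath=$(CURDIR)`. The value is later placed inside single quotes on the `go build` lines (hunks `-138,16` and `-155,7`), so a checkout path containing whitespace or a quote would presumably split or break the flag; a comment stating that assumption would help. A short comment above the pair saying they exist to strip build paths for reproducible builds, and that Go 1.13's `-trimpath` supersedes them, would also save the next maintainer a lookup.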
@@ -138,16 +140,16 @@ test/goecho/goecho: .gopathok $(wildcard test/goecho/*.go)
 $(GO) build -ldflags '$(LDFLAGS)' -o $@ $(PROJECT)/test/goecho
 podman: .gopathok $(PODMAN_VARLINK_DEPENDENCIES) ## Build with podman
- $(GO) build -ldflags '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS)" -o bin/$@ $(PROJECT)/cmd/podman
+ $(GO) build -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)' -ldflags '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS)" -o bin/$@ $(PROJECT)/cmd/podman
 podman-remote: .gopathok $(PODMAN_VARLINK_DEPENDENCIES) ## Build with podman on remote environment
- $(GO) build -ldflags '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS) remoteclient" -o bin/$@ $(PROJECT)/cmd/podman
+ $(GO) build -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)' -ldflags '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS) remoteclient" -o bin/$@ $(PROJECT)/cmd/podman
 podman-remote-darwin: .gopathok $(PODMAN_VARLINK_DEPENDENCIES) ## Build with podman on remote OSX environment
- GOOS=darwin $(GO) build -ldflags '$(LDFLAGS_PODMAN)' -tags "remoteclient containers_image_openpgp exclude_graphdriver_devicemapper" -o bin/$@ $(PROJECT)/cmd/podman
+ GOOS=darwin $(GO) build -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)' -ldflags '$(LDFLAGS_PODMAN)' -tags "remoteclient containers_image_openpgp exclude_graphdriver_devicemapper" -o bin/$@ $(PROJECT)/cmd/podman
 podman-remote-windows: .gopathok $(PODMAN_VARLINK_DEPENDENCIES) ## Build with podman for a remote windows environment
- GOOS=windows $(GO) build -ldflags '$(LDFLAGS_PODMAN)' -tags "remoteclient containers_image_openpgp exclude_graphdriver_devicemapper" -o bin/$@.exe $(PROJECT)/cmd/podman
+ GOOS=windows $(GO) build -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)' -ldflags '$(LDFLAGS_PODMAN)' -tags "remoteclient containers_image_openpgp exclude_graphdriver_devicemapper" -o bin/$@.exe $(PROJECT)/cmd/podman
 local-cross: $(CROSS_BUILD_TARGETS) ## Cross local compilation
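Review bot: The string `-gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)'` is pasted into each of the four `$(GO) build` recipes in this hunk and again in `bin/podman.cross.%` (hunk `-155,7`), so a future build target that omits it will ship embedded build paths without anyone noticing. Defining it once and using that variable in every recipe keeps the reproducibility flags in one place, for example `REPRO_GOFLAGS ?= -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)'`. The `test/goecho/goecho` recipe visible in the context keeps plain `-ldflags '$(LDFLAGS)'`; if that is deliberate because the helper is not shipped, a one-line comment there would say so.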
@@ -155,7 +157,7 @@ bin/podman.cross.%: .gopathok
 TARGET="$*"; \
 GOOS="$${TARGET%%.*}" \
 GOARCH="$${TARGET##*.}" \
- $(GO) build -ldflags '$(LDFLAGS_PODMAN)' -tags '$(BUILDTAGS_CROSS)' -o "$@" $(PROJECT)/cmd/podman
+ $(GO) build -gcflags '$(GCFLAGS)' -asmflags '$(ASMFLAGS)' -ldflags '$(LDFLAGS_PODMAN)' -tags '$(BUILDTAGS_CROSS)' -o "$@" $(PROJECT)/cmd/podman
 clean: ## Clean artifacts
 rm -rf \
--
cgit v1.2.3-54-g00ecf