Date: Sat, 10 Aug 2002 11:58:56 -0700 From: Terry Lambert <tlambert2@mindspring.com> To: Colin Percival <Colin_Percival@sfu.ca> Cc: freebsd-hackers@freebsd.org Subject: Re: release variability Message-ID: <3D556270.CACF724B@mindspring.com> References: <5.0.2.1.1.20020808000218.01fcd120@popserver.sfu.ca> <5.0.2.1.1.20020810024458.02035e48@popserver.sfu.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
Colin Percival wrote: > At 00:41 08/08/2002 -0700, Terry Lambert wrote: > >Colin Percival wrote: > > > If two people `make release` on different machines, how much difference > > > will there be between the results? Obviously the kernel will be different > > > because it contains the user and host names from its build; should > > > everything else be the same? > > > >Assuming identical source trees, and that the build takes place > >on systems installed with the same software, the only things that > >should be different are user, host, and time stamps. The kernel > >is one place that's stamped; the boot code is another. > > And, unfortunately, there's a hell of a lot more. [ ... good list of generated files containing timestamps ... ] > Files which are always the same size, but seem to have completely different > contents: > /usr/share/games/fortune/*.dat > /var/games/phantasia/void This is disturbing. > This raises two questions: > 1. Is there any way I can set up my system to consistently build the same > world? The user and host are of course easy to fix; I'd consider running a > daemon to reset my clock every second in order to keep the time stamps > consistent, except that I don't think it would work, and I worry that it > might break `make` anyway. For library files, there's nothing you can do, since it's the archive date, and .o files are assembled from multiple source files. Some of the generated files with timestamps really want to use the timestamp of the modification date of the sources, rather than the creation date of hte object. Correcting this is relatively minor; it's one of the reasons I suggested NFS mounting the sources; I imagine you would have a much worse time otherwise. > 2. Is this really a desireable state of affairs at all? As it is, it is > practically impossible for someone to `make release` on their own and > compare their version to the official version to ensure that the build was > correct. Reproducibility and verifiability are rather important matters > when it comes to security. I personally agree. The hardest part has got to be the archive files; I don't see how it could be avoided, without destroying information, at least in the archive update case, and probably in the archive recreation from object files case. The main problem here is that there isn't a "derivation date" stamp on object files, that can be used instead of the date of last modification or creation date. I think changing the modification date vs. create date would break "make". -- Terry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D556270.CACF724B>