[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary

To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Fri, 30 Oct 2020 13:48:52 +0100
Cc: Frédéric Pierret (fepitre) <frederic.pierret@xxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 30 Oct 2020 12:49:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30.10.2020 13:23, Marek Marczykowski-Górecki wrote:
> On Fri, Oct 30, 2020 at 01:08:44PM +0100, Jan Beulich wrote:
>> On 30.10.2020 13:03, Frédéric Pierret (fepitre) wrote:
>>
>>> --- a/xen/arch/x86/Makefile
>>> +++ b/xen/arch/x86/Makefile
>>> @@ -170,6 +170,7 @@ EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
>>>  EFI_LDFLAGS += --minor-image-version=$(XEN_SUBVERSION)
>>>  EFI_LDFLAGS += --major-os-version=2 --minor-os-version=0
>>>  EFI_LDFLAGS += --major-subsystem-version=2 --minor-subsystem-version=0
>>> +EFI_LDFLAGS += --no-insert-timestamp
>>
>> Generally I prefer binaries to carry timestamps, when they are
>> intended to do so (i.e. when they have a respective field). So
>> I think if no timestamp is wanted, it should be as an option
>> (not sure about the default).
> 
> What about setting it to the SOURCE_DATE_EPOCH[1] variable value, if
> present? Of course if there is an option to set explicit timestamp
> value.
> 
> [1] https://reproducible-builds.org/docs/source-date-epoch/

Why not.

>> This said, I didn't think time stamps got meaningfully in the
>> way of reproducible builds - ignoring the minor differences
>> cause by them, especially when they sit at well known offsets
>> in the binaries, shouldn't be a big deal.
> 
> It is a big deal. There is a huge difference between running sha256sum
> (or your other favorite hash) on two build artifacts, and using a
> specialized tool/script to compare each file separately. Note the
> xen.efi may be buried very deep in the thing you compare, for example
> inside deb/rpm and then ISO image (installation image), at which point
> it's far from "they sit at well known offsets".

If you care about checking images / blobs where binaries with time
stamps are merely constituent parts, why not strip the time stamps
at the time of creation of those images / blobs (or as a minor
intermediate step, in case you want to e.g. record the hashes for
later reference)?

Jan

Follow-Ups:
- Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
  - From: Andrew Cooper

References:
- [PATCH v1 0/2] Improve reproducible builds
  - From: Frédéric Pierret (fepitre)
- [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
  - From: Frédéric Pierret (fepitre)
- Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
  - From: Jan Beulich
- Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
  - From: Marek Marczykowski-Górecki

Prev by Date: Re: [PATCH v2 6/8] evtchn: convert vIRQ lock to an r/w one
Next by Date: Re: [PATCH v2 5/8] evtchn: drop acquiring of per-channel lock from send_guest_{global,vcpu}_virq()
Previous by thread: Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
Next by thread: Re: [PATCH v1 1/2] No insert of the build timestamp into the x86 xen efi binary
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.