commit 917084783c20e216ef7bfd397152e05b6b2a8ef2 Author: Nicolas Vigier boklm@torproject.org Date: Mon May 23 19:58:44 2016 +0200

Bug 18291: Remove some uses of libfaketime

Completely stop using libfaketime for Linux builds. For Windows builds we have to keep using it for the tor, pluggable-transports and bundle steps. For OSX builds, we keep it in the bundle steps for the timestamp added when creating the dmg file with genisoimage.

Note: the OS X descriptors are broken (which is okay as we only need the Linux ones) --- gitian/descriptors/linux/gitian-bundle.yml | 16 ++++------- gitian/descriptors/linux/gitian-firefox.yml | 32 +++------------------- .../linux/gitian-pluggable-transports.yml | 4 +-- gitian/descriptors/linux/gitian-tor.yml | 4 +-- gitian/descriptors/linux/gitian-utils.yml | 17 +++++------- gitian/descriptors/mac/gitian-firefox.yml | 17 ++---------- .../mac/gitian-pluggable-transports.yml | 4 +-- gitian/descriptors/mac/gitian-utils.yml | 32 +++++++++++++++------- gitian/descriptors/windows/gitian-firefox.yml | 23 ++-------------- gitian/descriptors/windows/gitian-utils.yml | 15 +++++----- .../patches/openssl-Make-build-reproducible.patch | 28 +++++++++++++++++++ 11 files changed, 80 insertions(+), 112 deletions(-)

diff --git a/gitian/descriptors/linux/gitian-bundle.yml b/gitian/descriptors/linux/gitian-bundle.yml index e25d40e..541904d 100644 --- a/gitian/descriptors/linux/gitian-bundle.yml +++ b/gitian/descriptors/linux/gitian-bundle.yml @@ -27,8 +27,6 @@ remotes: "dir": "meek" - "url": "https://github.com/googlei18n/noto-fonts.git" "dir": "noto-fonts" -- "url": "https://github.com/wolfcw/libfaketime" - "dir": "faketime" files: # TODO: Can we use an env for this file+version?? - "tor-browser-linux64-gbuilt.zip" @@ -57,21 +55,13 @@ files: script: | INSTDIR="$HOME/install" source versions + export REFERENCE_DATETIME export LIBRARY_PATH="$INSTDIR/lib" export TZ=UTC export LC_ALL=C export TORBROWSER_VERSION=`cat bare-version` umask 0022

- # Building libfaketime - cd faketime - make - DESTDIR="$INSTDIR/faketime" make install - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME=$REFERENCE_DATETIME - export FAKETIME_SKIP_CMDS="rsync" - cd .. - mkdir -p $OUTDIR/ # When we build with MULTI_LINGUAL=1, the browser will be packaged inside a # directory named tor-browser (instead of tor-browser_en-US). Therefore we @@ -192,6 +182,7 @@ script: | cp defaults/preferences/000-tor-browser.js ~/build/ # Set the locale of the bundle. echo "pref("general.useragent.locale", "en-US");" >> defaults/preferences/000-tor-browser.js + touch --date="$REFERENCE_DATETIME" defaults/preferences/000-tor-browser.js zip -Xm omni.ja defaults/preferences/000-tor-browser.js rm -rf defaults popd @@ -227,6 +218,7 @@ script: | # app.update.url). pushd ${PKG_DIR}/Browser/ echo ${PKG_LOCALE} > update.locale + touch --date="$REFERENCE_DATETIME" update.locale zip -Xm omni.ja update.locale popd fi @@ -259,6 +251,7 @@ script: | cp ~/build/000-tor-browser.js defaults/preferences/ # Set the locale of the bundle. echo "pref("general.useragent.locale", "$LANG");" >> defaults/preferences/000-tor-browser.js + touch --date="$REFERENCE_DATETIME" defaults/preferences/000-tor-browser.js zip -Xm omni.ja defaults/preferences/000-tor-browser.js rm -rf defaults popd @@ -268,6 +261,7 @@ script: | # recreate precomplete file (needs to be accurate for full MAR updates). pushd tor-browser_$LANG/Browser/ echo "$LANG" > update.locale + touch --date="$REFERENCE_DATETIME" update.locale zip -Xm omni.ja update.locale rm -rf dictionaries rm -f precomplete diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml index 22686b7..f32ee40 100644 --- a/gitian/descriptors/linux/gitian-firefox.yml +++ b/gitian/descriptors/linux/gitian-firefox.yml @@ -27,8 +27,6 @@ reference_datetime: "2000-01-01 00:00:00" remotes: - "url": "https://git.torproject.org/tor-browser.git" "dir": "tor-browser" -- "url": "https://github.com/wolfcw/libfaketime" - "dir": "faketime" - "url": "https://github.com/immunant/selfrando.git" "dir": "selfrando" files: @@ -41,6 +39,9 @@ files: script: | source versions INSTDIR="$HOME/install" + export REFERENCE_DATETIME + export CFLAGS="-frandom-seed=tor" + export CXXFLAGS="-frandom-seed=tor" export TZ=UTC export LC_ALL=C umask 0022 @@ -81,14 +82,6 @@ script: | mkdir -p $INSTDIR/Debug/Browser/components mkdir -p $INSTDIR/Debug/Browser/browser/components

- # Building libfaketime - cd faketime - make - DESTDIR="$INSTDIR/faketime" make install - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME=$REFERENCE_DATETIME - cd .. - cd tor-browser mv .mozconfig-asan .mozconfig # .git and the src takes up a lot of useless space, and we need the space to build @@ -96,33 +89,16 @@ script: | find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" rm -f configure rm -f js/src/configure - # |configure| can't cope with nano seconds faked. And even if we would revert - # that feature it would hang sometimes for unknown but to libfaketime related - # reasons. - export LD_PRELOAD="" # Self-Rando wrapper export PATH="$HOME/build/selfrando/Tools/TorBrowser/tc-wrapper/:$PATH" export SELFRANDO_skip_shuffle= + export MOZ_BUILD_DATE=$(date -d "$REFERENCE_DATETIME" +%Y%m%d%H%M%S) make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts" - # We need libfaketime for all the timestamps e.g. written into the libraries. - # BUT we need to exclude |make build| from it. Otherwise the build fails close - # to the end, see #12461 comment 8 and later. Additionally, we need to avoid - # breaking the ICU compilation. Exlcuding |bash| helps here. See #12461 - # comment 13. Finally, we need to exclude |python2.7| as not doing so would - # stall the build right at the beginning. See #13877. - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME_SKIP_CMDS="python2.7,bash,make" find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" # Without disabling LSan our build is blowing up: # https://bugs.torproject.org/10599#comment:52 ASAN_OPTIONS="detect_leaks=0" make $MAKEOPTS -f client.mk build - # Packaging is broken with libfaketime enabled, thus we disable it again. See - # #12461 comments 11 and 12 for details. - export LD_PRELOAD="" make -C obj-* package INNER_MAKE_PACKAGE=true - # Without libfaketime enabled we would get different omni.ja and *debug.zip - # files. - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" cp -a obj-*/dist/firefox/* $INSTDIR/Browser/ # Remove firefox-bin (we don't use it, see ticket #10126) rm -f $INSTDIR/Browser/firefox-bin diff --git a/gitian/descriptors/linux/gitian-pluggable-transports.yml b/gitian/descriptors/linux/gitian-pluggable-transports.yml index a3c994d..2793a76 100644 --- a/gitian/descriptors/linux/gitian-pluggable-transports.yml +++ b/gitian/descriptors/linux/gitian-pluggable-transports.yml @@ -6,7 +6,6 @@ suites: architectures: - "amd64" packages: -- "faketime" - "unzip" - "python-setuptools" - "python-dev" @@ -56,7 +55,7 @@ script: | INSTDIR="$HOME/install" PTDIR="$INSTDIR/Tor/PluggableTransports" mkdir -p $PTDIR - export FAKETIME=$REFERENCE_DATETIME + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C export PYTHON=python2 @@ -261,7 +260,6 @@ script: | cd ../..

# Grabbing the results and making sure timestamps don't spoil them - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 cd $INSTDIR ~/build/dzip.sh pluggable-transports-linux$GBUILD_BITS-gbuilt.zip Tor/ Docs/ cp pluggable-transports-linux$GBUILD_BITS-gbuilt.zip $OUTDIR/ diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml index f8f83e9..fa0aead 100644 --- a/gitian/descriptors/linux/gitian-tor.yml +++ b/gitian/descriptors/linux/gitian-tor.yml @@ -6,7 +6,6 @@ suites: architectures: - "amd64" packages: -- "faketime" - "unzip" - "automake" - "libtool" @@ -28,7 +27,7 @@ files: script: | INSTDIR="$HOME/install" source versions - export FAKETIME=$REFERENCE_DATETIME + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 @@ -91,7 +90,6 @@ script: | done

# Grabbing the results and making sure timestamps don't spoil them - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 ~/build/dzip.sh tor-linux$GBUILD_BITS-gbuilt.zip Data/ Tor/ ~/build/dzip.sh tor-linux$GBUILD_BITS-debug.zip Debug/ cp tor-linux$GBUILD_BITS-gbuilt.zip $OUTDIR/ diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml index 15b26f4..2db8739 100644 --- a/gitian/descriptors/linux/gitian-utils.yml +++ b/gitian/descriptors/linux/gitian-utils.yml @@ -6,7 +6,6 @@ suites: architectures: - "amd64" packages: -- "faketime" - "automake" - "libtool" - "zip" @@ -36,6 +35,7 @@ files: - "binutils.tar.bz2" - "gcc.tar.bz2" - "openssl.tar.gz" +- "openssl-Make-build-reproducible.patch" - "gmp.tar.bz2" - "versions" - "dzip.sh" @@ -46,7 +46,7 @@ script: | source versions export TZ=UTC export LC_ALL=C - export FAKETIME=$REFERENCE_DATETIME + export REFERENCE_DATETIME umask 0022

# Config options for hardening-wrapper @@ -78,10 +78,6 @@ script: | # anymore. It seems it got audited for those problems already: # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817. export DEB_BUILD_HARDENING_FORMAT=0 - # libfaketime gets into our way when building GCC 4.9.x. See: - # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61314 for details. Thus, we - # avoid it for the toolchain and cross our fingers. - # TODO: Test a newer libfaketime than 0.8. # Building GCC tar xjf gcc.tar.bz2 cd gcc-* @@ -127,9 +123,9 @@ script: | cd ..

# Building OpenSSL - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 tar xzf openssl.tar.gz cd openssl-* + patch -p1 < ../openssl-Make-build-reproducible.patch find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" ./config -shared --prefix=$INSTDIR/openssl enable-ec_nistp_64_gcc_128 # Using $MAKEOPTS breaks the build. Might be the issue mentioned on @@ -138,8 +134,6 @@ script: | make install cd ..

- export LD_PRELOAD="" - # Building GMP tar xjf gmp.tar.bz2 cd gmp-* @@ -154,7 +148,10 @@ script: | cd ..

# Grabbing the remaining results and making sure timestamps don't spoil them - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 + # Since we stopped using libfaketime, the binutils, gcc, openssl, + # libevent archives are no longer reproducible. The main reason + # is that they include some .a archives which include timestamps. + # Those files are however not part of the files we ship. cd $INSTDIR ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc diff --git a/gitian/descriptors/mac/gitian-firefox.yml b/gitian/descriptors/mac/gitian-firefox.yml index 17c830f..302f2a4 100644 --- a/gitian/descriptors/mac/gitian-firefox.yml +++ b/gitian/descriptors/mac/gitian-firefox.yml @@ -13,8 +13,6 @@ reference_datetime: "2000-01-01 00:00:00" remotes: - "url": "https://git.torproject.org/tor-browser.git" "dir": "tor-browser" -- "url": "https://github.com/wolfcw/libfaketime" - "dir": "faketime" files: - "gcc-linux64-precise-utils.zip" - "MacOSX10.7.sdk.tar.gz" @@ -22,11 +20,11 @@ files: - "re-dzip.sh" - "dzip.sh" - "fix-info-plist.py" -- "libfaketime.patch" - "versions" script: | INSTDIR="$HOME/install/" source versions + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 @@ -67,20 +65,9 @@ script: | find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" rm -f configure rm -f js/src/configure - # |configure| can't cope with nano seconds faked. And even if we would revert - # that feature it would hang sometimes for unknown but to libfaketime related - # reasons. - export LD_PRELOAD="" + export MOZ_BUILD_DATE=$(date -d "$REFERENCE_DATETIME" +%Y%m%d%H%M%S) make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts" find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" - # We need libfaketime for all the timestamps e.g. written into the libraries. - # BUT we need to exclude |make build| from it. Otherwise the build fails close - # to the end, see #12812 comment 6 and #12461 comment 8 and later. - # Additionally, we need to exclude |rsync| due to #10153 which is reproducible - # reliably with the new libfaketime and |python2.7| as well as the build would - # stall otherwise right at the beginning. See #13877 for details. - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME_SKIP_CMDS="python2.7,rsync,make" make $MAKEOPTS -f client.mk build # make -C obj-macos package INNER_MAKE_PACKAGE=true diff --git a/gitian/descriptors/mac/gitian-pluggable-transports.yml b/gitian/descriptors/mac/gitian-pluggable-transports.yml index 5c7ecac..d6a71f2 100644 --- a/gitian/descriptors/mac/gitian-pluggable-transports.yml +++ b/gitian/descriptors/mac/gitian-pluggable-transports.yml @@ -5,7 +5,6 @@ suites: architectures: - "i386" packages: -- "faketime" - "unzip" - "python-setuptools" - "python-dev" @@ -57,8 +56,7 @@ script: | TBDIR="$INSTDIR/TorBrowserBundle.app/TorBrowser" PTDIR="$TBDIR/Tor/PluggableTransports" export LIBRARY_PATH="$INSTDIR/lib" - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 - export FAKETIME=$REFERENCE_DATETIME + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 diff --git a/gitian/descriptors/mac/gitian-utils.yml b/gitian/descriptors/mac/gitian-utils.yml index d457fef..10cc0f3 100644 --- a/gitian/descriptors/mac/gitian-utils.yml +++ b/gitian/descriptors/mac/gitian-utils.yml @@ -6,7 +6,6 @@ architectures: - "i386" - "amd64" packages: -- "faketime" - "automake" - "libtool" - "zip" @@ -16,20 +15,25 @@ reference_datetime: "2000-01-01 00:00:00" remotes: - "url": "https://github.com/libevent/libevent.git" "dir": "libevent" -- "url": "https://github.com/wolfcw/libfaketime" - "dir": "faketime" +- "url": "https://github.com/llvm-mirror/llvm" + "dir": "llvm" +- "url": "https://github.com/llvm-mirror/clang" + "dir": "clang" +- "url": "https://cmake.org/cmake.git" + "dir": "cmake" files: - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb" - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz" - "gcc.tar.bz2" - "openssl.tar.gz" +- "openssl-Make-build-reproducible.patch" - "gmp.tar.bz2" - "versions" - "dzip.sh" -- "libfaketime.patch" script: | INSTDIR="$HOME/install" source versions + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 @@ -59,6 +63,15 @@ script: | export FAKETIME=$REFERENCE_DATETIME cd ..

+ # Since we stopped using libfaketime, the clang archive is no longer + # reproducible. The reason is that it includes some .a archives and + # other files which include timestamps. + # Those files are however not part of the files we ship. + ~/build/dzip.sh clang-$CLANG_VER-linux64-wheezy-utils.zip clang + cp *utils.zip $OUTDIR/ + else + # dpkg requires sbin directories in the PATH + export PATH="/usr/sbin:/sbin:$PATH" sudo dpkg -i *.deb tar xaf multiarch-darwin*tar.xz export PATH="$PATH:$HOME/build/apple-osx/bin/" @@ -77,7 +90,6 @@ script: | ./autogen.sh find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" ./configure --disable-static --host=i686-apple-darwin11 --prefix=$INSTDIR/libevent - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" make $MAKEOPTS make install cd .. @@ -85,6 +97,7 @@ script: | # Building OpenSSL tar xzf openssl.tar.gz cd openssl-* + patch -p1 < ../openssl-Make-build-reproducible.patch find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" # TODO: Add enable-ec_nistp_64_gcc_128 for 64bit OS X. ./Configure --cross-compile-prefix=i686-apple-darwin11- $CFLAGS darwin64-x86_64-cc --prefix=$INSTDIR/openssl enable-ec_nistp_64_gcc_128 @@ -97,20 +110,19 @@ script: | # Building GMP tar xjf gmp.tar.bz2 cd gmp-* - # |configure| can't cope with nano seconds faked. And even if we would revert - # that feature it would hang sometimes for unknown but to libfaketime related - # reasons. - export LD_PRELOAD="" find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" # Even if we are not shipping libgmpxx anymore we still need --enable-xcc # during compile time. ./configure --host=x86_64-apple-darwin11 --prefix=$INSTDIR/gmp --disable-static --enable-shared --enable-cxx - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" make make install cd ..

# Grabbing the results + # Since we stopped using libfaketime, the openssl archive is no + # longer reproducible. The main reason is that it includes some .a + # archives which include timestamps. + # Those files are however not part of the files we ship. cd $INSTDIR ~/build/dzip.sh openssl-$OPENSSL_VER-mac64-utils.zip openssl ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-mac64-utils.zip libevent diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml index 2686c5f..3261199 100644 --- a/gitian/descriptors/windows/gitian-firefox.yml +++ b/gitian/descriptors/windows/gitian-firefox.yml @@ -12,8 +12,6 @@ reference_datetime: "2000-01-01 00:00:00" remotes: - "url": "https://git.torproject.org/tor-browser.git" "dir": "tor-browser" -- "url": "https://github.com/wolfcw/libfaketime" - "dir": "faketime" files: - "gcc-linux32-precise-utils.zip" - "mingw-w64-win32-utils.zip" @@ -28,6 +26,7 @@ files: script: | INSTDIR="$HOME/install" source versions + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 @@ -44,14 +43,6 @@ script: | export LD_LIBRARY_PATH=$INSTDIR/gcc/lib export PATH=$INSTDIR/mingw-w64/bin:$INSTDIR/gcc/bin:$PATH

- # Building libfaketime - cd faketime - make - DESTDIR="$INSTDIR/faketime" make install - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME=$REFERENCE_DATETIME - cd .. - # We don't want to link against msvcrt.dll due to bug 9084. i686-w64-mingw32-g++ -dumpspecs > msvcr100.spec sed 's/msvcrt/msvcr100/' -i msvcr100.spec @@ -82,10 +73,7 @@ script: | find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" rm -f configure rm -f js/src/configure - # |configure| can't cope with nano seconds faked. And even if we would revert - # that feature it would hang sometimes for unknown but to libfaketime related - # reasons. - export LD_PRELOAD="" + export MOZ_BUILD_DATE=$(date -d "$REFERENCE_DATETIME" +%Y%m%d%H%M%S) make -f client.mk configure CONFIGURE_ARGS="--with-tor-browser-version=${TORBROWSER_VERSION} --enable-update-channel=${TORBROWSER_UPDATE_CHANNEL} --enable-bundled-fonts" find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" # @@ -93,13 +81,6 @@ script: | cp ~/build/i686* ~/build/bin/ export PATH=~/build/bin:$PATH # - # We need libfaketime for all the timestamps e.g. written into the libraries. - # BUT we need to exclude |make build| from it. Otherwise the build fails close - # to the end, see #12811 comment 14 and #12461 comment 8 and later. - # Additionally, we need to exclude |python2.7| as well as the build would - # stall otherwise right at the beginning. See #13877 for details. - export LD_PRELOAD="$INSTDIR/faketime/usr/local/lib/faketime/libfaketime.so.1" - export FAKETIME_SKIP_CMDS="python2.7,make" make $MAKEOPTS -f client.mk build # make -C obj-* package INNER_MAKE_PACKAGE=true diff --git a/gitian/descriptors/windows/gitian-utils.yml b/gitian/descriptors/windows/gitian-utils.yml index ae938af..9296724 100644 --- a/gitian/descriptors/windows/gitian-utils.yml +++ b/gitian/descriptors/windows/gitian-utils.yml @@ -5,7 +5,6 @@ suites: architectures: - "i386" packages: -- "faketime" - "automake" - "libtool" - "zip" @@ -25,6 +24,7 @@ files: - "binutils.tar.bz2" - "gcc.tar.bz2" - "openssl.tar.gz" +- "openssl-Make-build-reproducible.patch" - "gmp.tar.bz2" - "enable-reloc-section-ld.patch" - "peXXigen.patch" @@ -33,6 +33,7 @@ files: script: | INSTDIR="$HOME/install" source versions + export REFERENCE_DATETIME export TZ=UTC export LC_ALL=C umask 0022 @@ -109,13 +110,6 @@ script: | cp i686-w64-mingw32/libgcc/shlib/libgcc_s_sjlj-1.dll $INSTDIR/gcclibs cd ..

- # XXX: Build the libraries we include into the bundles deterministically. As - # libfaketime breaks the mingw-w64 build (probably due to bug 11459) we omit - # the compiler and linker from it. It seems we get away with this strategy - # and the libgcc* and libss* which we ship, too, are still built in a - # reproducible fashion. - export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1 - export FAKETIME=$REFERENCE_DATETIME # Building zlib export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security" export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" @@ -137,6 +131,7 @@ script: | # Building OpenSSL tar xzf openssl.tar.gz cd openssl-* + patch -p1 < ../openssl-Make-build-reproducible.patch find -type f -print0 | xargs -0 touch --date="$REFERENCE_DATETIME" # TODO: Add enable-ec_nistp_64_gcc_128 for 64bit Windows. ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw "-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" --prefix=$INSTDIR/openssl @@ -158,6 +153,10 @@ script: | cd ..

# Grabbing the remaining results + # Since we stopped using libfaketime, the gcc, gmp, zlib, openssl, + # libevent, mingw-w64 archives are no longer reproducible. The main + # reason is that they include some .a archives which include timestamps. + # Those files are however not part of the files we ship. cd $INSTDIR # We might want to bump binutils independent of bumping mingw-w64. touch binutils-$BINUTILS_VER-win32-utils.zip diff --git a/gitian/patches/openssl-Make-build-reproducible.patch b/gitian/patches/openssl-Make-build-reproducible.patch new file mode 100644 index 0000000..d86f5ba --- /dev/null +++ b/gitian/patches/openssl-Make-build-reproducible.patch @@ -0,0 +1,28 @@ +From b88c021b5a7c539f821b7b7c47c72138cc3c3271 Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx kurt@roeckx.be +Date: Fri, 2 Jan 2015 12:27:57 +0100 +Subject: [PATCH] Make build reproducible + +It contained a date on when it was build. + +Reviewed-by: Rich Salz rsalz@openssl.org +--- + crypto/cversion.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/crypto/cversion.c b/crypto/cversion.c +index 9e6f50d78182..c417d1d1121f 100644 +--- a/crypto/cversion.c ++++ b/crypto/cversion.c +@@ -68,7 +68,11 @@ const char *SSLeay_version(int t) + return OPENSSL_VERSION_TEXT; + if (t == SSLEAY_BUILT_ON) { + #ifdef DATE ++# ifdef OPENSSL_USE_BUILD_DATE + return (DATE); ++# else ++ return("built on: reproducible build, date unspecified"); ++# endif + #else + return ("built on: date not available"); + #endif