Support reproducible builds
Recent development versions of makepkg support reproducible builds through the environment variable SOURCE_DATE_EPOCH. Pass this variable through makechrootpkg to makepkg when available. Also initialize SOURCE_DATE_EPOCH whenever running archbuild to enforce reproducible builds for repository packages. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
parent
2a308821b3
commit
eab5aba9b0
|
@ -39,7 +39,7 @@ while getopts 'hcr:' arg; do
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
check_root
|
check_root SOURCE_DATE_EPOCH
|
||||||
|
|
||||||
# Pass all arguments after -- right to makepkg
|
# Pass all arguments after -- right to makepkg
|
||||||
makechrootpkg_args+=("${@:$OPTIND}")
|
makechrootpkg_args+=("${@:$OPTIND}")
|
||||||
|
@ -74,5 +74,10 @@ else
|
||||||
pacman -Syu --noconfirm || abort
|
pacman -Syu --noconfirm || abort
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Always build official packages reproducibly
|
||||||
|
if [[ ! -v SOURCE_DATE_EPOCH ]]; then
|
||||||
|
export SOURCE_DATE_EPOCH=$(date +%s)
|
||||||
|
fi
|
||||||
|
|
||||||
msg "Building in chroot for [%s] (%s)..." "${repo}" "${arch}"
|
msg "Building in chroot for [%s] (%s)..." "${repo}" "${arch}"
|
||||||
exec makechrootpkg -r "${chroots}/${repo}-${arch}" "${makechrootpkg_args[@]}"
|
exec makechrootpkg -r "${chroots}/${repo}-${arch}" "${makechrootpkg_args[@]}"
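Review bot: The added guard `[[ ! -v SOURCE_DATE_EPOCH ]]` treats an empty or non-numeric value inherited from the caller as already set, so it is handed to makechrootpkg unchanged after `check_root SOURCE_DATE_EPOCH` has carried it across sudo. A format check after the `fi` would reject a malformed timestamp before the build starts, for example `[[ ${SOURCE_DATE_EPOCH} =~ ^[0-9]+$ ]] || abort`, reusing the `abort` already called in this hunk. Separately, `export SOURCE_DATE_EPOCH=$(date +%s)` hides a failure of `date`; assigning first and exporting on a second line keeps the exit status. The comment `# Always build official packages reproducibly` could also say that a caller-supplied value takes precedence over the current time.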
|
||||||
|
|
|
@ -6,13 +6,15 @@
|
||||||
CHROOT_VERSION='v4'
|
CHROOT_VERSION='v4'
|
||||||
|
|
||||||
##
|
##
|
||||||
# usage : check_root
|
# usage : check_root $keepenv
|
||||||
##
|
##
|
||||||
orig_argv=("$0" "$@")
|
orig_argv=("$0" "$@")
|
||||||
check_root() {
|
check_root() {
|
||||||
|
local keepenv=$1
|
||||||
|
|
||||||
(( EUID == 0 )) && return
|
(( EUID == 0 )) && return
|
||||||
if type -P sudo >/dev/null; then
|
if type -P sudo >/dev/null; then
|
||||||
exec sudo -- "${orig_argv[@]}"
|
exec sudo --preserve-env=$keepenv -- "${orig_argv[@]}"
|
||||||
else
|
else
|
||||||
exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
|
exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
|
||||||
fi
|
fi
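Review bot: `--preserve-env=$keepenv` is unquoted and is also emitted when check_root is called with no argument, which produces a bare `--preserve-env=`; nothing in this hunk establishes how sudo handles an empty list. Emitting the option only when a list was given avoids both problems: `exec sudo ${keepenv:+"--preserve-env=${keepenv}"} -- "${orig_argv[@]}"`. The usage comment could state that `$keepenv` is a comma-separated list of variable names and that the `su` branch does not use it. Whether sudo honours the request also depends on the local sudoers policy, so a refusal there would presumably stop the re-exec instead of silently dropping the variable. The function's closing brace lies outside the hunk.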
|
||||||
|
|
|
@ -205,6 +205,7 @@ EOF
|
||||||
{
|
{
|
||||||
printf '#!/bin/bash\n'
|
printf '#!/bin/bash\n'
|
||||||
declare -f _chrootbuild
|
declare -f _chrootbuild
|
||||||
|
declare -p SOURCE_DATE_EPOCH 2>/dev/null
|
||||||
printf '_chrootbuild "$@" || exit\n'
|
printf '_chrootbuild "$@" || exit\n'
|
||||||
|
|
||||||
if $run_namcap; then
|
if $run_namcap; then
|
||||||
|
@ -231,7 +232,7 @@ _chrootbuild() {
|
||||||
# use "$" in arguments to commands with "sudo -i". ${foo} or
|
# use "$" in arguments to commands with "sudo -i". ${foo} or
|
||||||
# ${1} is OK, but $foo or $1 isn't.
|
# ${1} is OK, but $foo or $1 isn't.
|
||||||
# https://bugzilla.sudo.ws/show_bug.cgi?id=765
|
# https://bugzilla.sudo.ws/show_bug.cgi?id=765
|
||||||
sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
|
sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
_chrootnamcap() {
|
_chrootnamcap() {
|
||||||
|
@ -343,7 +344,7 @@ main() {
|
||||||
[[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.'
|
[[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.'
|
||||||
makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}}
|
makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}}
|
||||||
|
|
||||||
check_root
|
check_root SOURCE_DATE_EPOCH
|
||||||
|
|
||||||
# Canonicalize chrootdir, getting rid of trailing /
|
# Canonicalize chrootdir, getting rid of trailing /
|
||||||
chrootdir=$(readlink -e "$passeddir")
|
chrootdir=$(readlink -e "$passeddir")
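Review bot: `declare -p SOURCE_DATE_EPOCH 2>/dev/null` in the generated-script block has no comment explaining the discarded stderr; a line such as `# emit SOURCE_DATE_EPOCH only when set; declare -p fails (silenced) when it is unset` would make the intent clear. The value is written into the script that runs inside the chroot without a format check. Because `declare -p` quotes its output, this is about rejecting a malformed timestamp early and not about injection. In `_chrootbuild`, `sudo --preserve-env=SOURCE_DATE_EPOCH` uses the list form of the option, which as far as I know older sudo releases do not accept, so a minimum sudo version may be worth recording alongside this change.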
|
||||||
|
|