
Bug#845034: initramfs-tools: please ensure initrd images are reproducible



Hi Ben,

> initramfs-tools: please ensure initrd images are reproducible

Thanks for the review; updated patch attached.

> Control: block -1 with 804063
[..]
> I'd much prefer to add a versioned dependency on the new cpio (when
> available) than to probe for it at run-time

The new cpio is now available in experimental. Obviously, uploading
this patch to != experimental right now would currently make us
uninstallable, but do you fancy making an upload there?

> I also have a coding style nit-pick - please use [ -n "..." ] rather
> than [ "..." != "" ]

Sure.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/control b/debian/control
index 3be7ff5..0f8c587 100644
--- a/debian/control
+++ b/debian/control
@@ -25,7 +25,7 @@ Package: initramfs-tools-core
 Architecture: all
 Multi-Arch: foreign
 Recommends: ${busybox:Recommends}
-Depends: klibc-utils (>= 2.0.4-8~), cpio, kmod | module-init-tools, udev, ${misc:Depends}
+Depends: klibc-utils (>= 2.0.4-8~), cpio (>= 2.12), kmod | module-init-tools, udev, ${misc:Depends}
 Suggests: bash-completion
 Breaks: initramfs-tools (<< 0.121~)
 Replaces: initramfs-tools (<< 0.121~)
diff --git a/mkinitramfs b/mkinitramfs
index 9f207a0..fd68709 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -151,6 +151,7 @@ if dpkg --compare-versions "${version}" lt "2.6.38" 2>/dev/null; then
 		echo "linux-2.6 likely misses ${COMPRESS} support, using gzip"
 fi
 
+[ "${compress}" = gzip ] && [ -n "${SOURCE_DATE_EPOCH}" ] && compress="gzip -n"
 [ "${compress}" = lzop ] && compress="lzop -9"
 [ "${compress}" = xz ] && compress="xz --check=crc32"
 
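Review bot: The added gzip line carries no comment, so it is not obvious why gzip alone is special-cased when SOURCE_DATE_EPOCH is set. I would put `# gzip -n: do not store the original name and timestamp in the gzip header` above it. The neighbouring lzop and xz lines get no equivalent treatment. Whether lzop records a timestamp in its header when compressing from stdin should be confirmed; if it does, that path still yields a differing image.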
@@ -371,8 +372,18 @@ fi
 # preserve permissions if root builds the image, see #633582
 [ "$(id -ru)" != 0 ] && cpio_owner_root="-R 0:0"
 
+# if SOURCE_DATE_EPOCH is set, try and create a reproducible image
+if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+	# ensure that no timestamps are newer than $SOURCE_DATE_EPOCH
+	find "${DESTDIR}" -newermt "@${SOURCE_DATE_EPOCH}" -print0 | \
+		xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+
+	# --reproducible requires cpio >= 2.12
+	cpio_reproducible="--reproducible"
+fi
+
 # work around lack of "set -o pipefail" for the following pipe:
-# cd "${DESTDIR}" && find . | cpio --quiet $cpio_owner_root -o -H newc | gzip >>"${outfile}" || exit 1
+# cd "${DESTDIR}" && find . | LC_ALL=C sort | cpio --quiet $cpio_owner_root $cpio_reproducible -o -H newc | gzip >>"${outfile}" || exit 1
 exec 3>&1
 eval `
 	# http://cfaj.freeshell.org/shell/cus-faq-2.html
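Review bot: SOURCE_DATE_EPOCH comes from the environment and is handed to `find -newermt` and `touch --date` without a check that it is a plain decimal integer, and the status of the `find | xargs` pipe is never examined. The quoting prevents word splitting, but a malformed value makes find fail, so no timestamps are clamped while `--reproducible` is still passed to cpio. The image is then built without any error yet is not reproducible. A guard at the top of the new `if` body would turn that into a visible failure: `case "${SOURCE_DATE_EPOCH}" in *[!0-9]*) echo "invalid SOURCE_DATE_EPOCH" >&2; exit 1;; esac`. The `eval` block that consumes `$cpio_reproducible` continues outside this hunk.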
@@ -381,7 +392,9 @@ eval `
 	{
 		find . 4>&-; echo "ec1=$?;" >&4
 	} | {
-		cpio --quiet $cpio_owner_root -o -H newc 4>&-; echo "ec2=$?;" >&4
+		LC_ALL=C sort
+	} | {
+		cpio --quiet $cpio_owner_root $cpio_reproducible -o -H newc 4>&-; echo "ec2=$?;" >&4
 	} | ${compress} >>"${outfile}"
 	echo "ec3=$?;" >&4
 `
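Review bot: The new `LC_ALL=C sort` stage is the only one in this pipe whose exit status is not reported on fd 4, and it does not close fd 4 the way the find and cpio stages do. If sort fails part-way (for example when it cannot write its temporary files), cpio receives a truncated file list and still exits 0, so ec1, ec2 and ec3 all look clean while the initramfs is incomplete. I would write the stage as `LC_ALL=C sort 4>&-; echo "ec_sort=$?;" >&4` and test the new variable alongside the others. The code that checks the ecN values lies after the closing backtick, outside this hunk, so it would need the matching addition.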
diff --git a/mkinitramfs.8 b/mkinitramfs.8
index 4c8bae5..b61fdeb 100644
--- a/mkinitramfs.8
+++ b/mkinitramfs.8
@@ -105,6 +105,12 @@ should not be mounted with the
 .B noexec
 mount option.
 
+If
+.B SOURCE_DATE_EPOCH
+is set,
+.B mkinitramfs
+attempts to generate a reproducible ramdisk.
+
 .SH FILES
 .TP
 .I /etc/initramfs-tools/initramfs.conf
