Bug#845034: initramfs-tools: please ensure initrd images are reproducible
Source: initramfs-tools
Version: 0.125
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps toolchain
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Whilst working on the Reproducible Builds effort [0] on behalf of
Tails [1], I noticed that mkinitramfs generates non-reproducible
ramdisk images.
Patch attached.
[0] https://reproducible-builds.org/
[1] https://tails.boum.org/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
diff --git a/mkinitramfs b/mkinitramfs
index 27349ea..2c2f767 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -151,6 +151,7 @@ if dpkg --compare-versions "${version}" lt "2.6.38" 2>/dev/null; then
echo "linux-2.6 likely misses ${COMPRESS} support, using gzip"
fi
+[ "${compress}" = gzip ] && "${SOURCE_DATE_EPOCH}" != "" ] && compress="gzip -n"
[ "${compress}" = lzop ] && compress="lzop -9"
[ "${compress}" = xz ] && compress="xz --check=crc32"
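Review bot: The added gzip line is missing the opening `[` of its second test, so `"${SOURCE_DATE_EPOCH}"` is executed as a command name with `!= "" ]` as its arguments instead of being compared. That command fails whether the variable is empty or set, so `compress` never becomes `gzip -n` and the gzip header keeps its build timestamp, which defeats the purpose of the change for the default compressor. The line should read `[ "${compress}" = gzip ] && [ -n "${SOURCE_DATE_EPOCH}" ] && compress="gzip -n"`. If the script is ever run with `set -u`, `${SOURCE_DATE_EPOCH:-}` would keep an unset variable from being fatal.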
@@ -372,8 +373,14 @@ fi
# preserve permissions if root builds the image, see #633582
[ "$(id -ru)" != 0 ] && cpio_owner_root="-R 0:0"
+# if SOURCE_DATE_EPOCH is set, ensure that no timestamps are newer than this
+if [ "${SOURCE_DATE_EPOCH}" != "" ]; then
+ find "${DESTDIR}" -newermt "@${SOURCE_DATE_EPOCH}" -print0 | \
+ xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+fi
+
# work around lack of "set -o pipefail" for the following pipe:
-# cd "${DESTDIR}" && find . | cpio --quiet $cpio_owner_root -o -H newc | gzip >>"${outfile}" || exit 1
+# cd "${DESTDIR}" && find . | LC_ALL=C sort | cpio --quiet $cpio_owner_root -o -H newc | gzip >>"${outfile}" || exit 1
exec 3>&1
eval `
# http://cfaj.freeshell.org/shell/cus-faq-2.html
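Review bot: `SOURCE_DATE_EPOCH` is taken from the environment and passed to `find -newermt` and `touch --date` without a check that it is a decimal integer, and nothing checks the status of the `find | xargs` pipeline. A malformed value would therefore leave the timestamps unclamped while the image is still written, and mkinitramfs normally runs as root. I would reject bad input before the `find`, for example `case "${SOURCE_DATE_EPOCH}" in *[!0-9]*) echo "SOURCE_DATE_EPOCH is not an integer" >&2; exit 1;; esac`, and put `|| exit 1` after the `xargs` call. The `eval` block opened on the hunk's last lines continues outside this hunk.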
@@ -382,6 +389,8 @@ eval `
{
find . 4>&-; echo "ec1=$?;" >&4
} | {
+ LC_ALL=C sort
+ } | {
cpio --quiet $cpio_owner_root -o -H newc 4>&-; echo "ec2=$?;" >&4
} | ${compress} >>"${outfile}"
echo "ec3=$?;" >&4
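Review bot: The new `sort` stage is the only stage in this pipe that neither closes fd 4 nor reports its exit status, unlike the `find` and `cpio` stages around it. If `sort` fails (out of memory or temp space, for instance), `cpio` would presumably archive a truncated or empty list and still report success, so a broken initrd could be written unnoticed. Following the neighbouring stages, the stage could be `LC_ALL=C sort 4>&-; echo "ec_sort=$?;" >&4`, with the new variable tested wherever `ec1`, `ec2` and `ec3` are checked. That check and the rest of the `eval` block lie outside this hunk, so this would need confirming against the full script.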
diff --git a/mkinitramfs.8 b/mkinitramfs.8
index 0a109f6..d0fad27 100644
--- a/mkinitramfs.8
+++ b/mkinitramfs.8
@@ -105,6 +105,12 @@ should not be mounted with the
.B noexec
mount option.
+If
+.B SOURCE_DATE_EPOCH
+is set,
+.B mkinitramfs
+attempts to generate a reproducible ramdisk.
+
.SH FILES
.TP
.I /etc/initramfs-tools/initramfs.conf