Chris Lamb wrote: > Patch attached.
Updated patch attached, which passes --reproducible to cpio (>= 2.12) to ensure inode numbers are renumbered. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
diff --git a/mkinitramfs b/mkinitramfs
index 27349ea..8076cc1 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -151,6 +151,7 @@ if dpkg --compare-versions "${version}" lt "2.6.38" 2>/dev/null; then
 echo "linux-2.6 likely misses ${COMPRESS} support, using gzip"
 fi
+[ "${compress}" = gzip ] && [ "${SOURCE_DATE_EPOCH}" != "" ] && compress="gzip -n"
 [ "${compress}" = lzop ] && compress="lzop -9"
 [ "${compress}" = xz ] && compress="xz --check=crc32"
@@ -372,8 +373,18 @@ fi
 # preserve permissions if root builds the image, see #633582
 [ "$(id -ru)" != 0 ] && cpio_owner_root="-R 0:0"
+# if SOURCE_DATE_EPOCH is set, try and create a reproducible image
+if [ "${SOURCE_DATE_EPOCH}" != "" ]; then
+ # ensure that no timestamps are newer than $SOURCE_DATE_EPOCH
+ find "${DESTDIR}" -newermt "@${SOURCE_DATE_EPOCH}" -print0 | \
+ xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+
+ # --reproducible requires cpio >= 2.12
+ cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible"
+fi
+
 # work around lack of "set -o pipefail" for the following pipe:
-# cd "${DESTDIR}" && find . | cpio --quiet $cpio_owner_root -o -H newc | gzip >>"${outfile}" || exit 1
+# cd "${DESTDIR}" && find . | LC_ALL=C sort | cpio --quiet $cpio_owner_root $cpio_reproducible -o -H newc | gzip >>"${outfile}" || exit 1
 exec 3>&1
 eval `
 # http://cfaj.freeshell.org/shell/cus-faq-2.html
@@ -382,7 +393,9 @@ eval `
 {
 find . 4>&-; echo "ec1=$?;" >&4
 } | {
- cpio --quiet $cpio_owner_root -o -H newc 4>&-; echo "ec2=$?;" >&4
+ LC_ALL=C sort
+ } | {
+ cpio --quiet $cpio_owner_root $cpio_reproducible -o -H newc 4>&-; echo "ec2=$?;" >&4
 } | ${compress} >>"${outfile}"
 echo "ec3=$?;" >&4
 `
diff --git a/mkinitramfs.8 b/mkinitramfs.8
index 0a109f6..d0fad27 100644
--- a/mkinitramfs.8
+++ b/mkinitramfs.8
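Review bot: The added `gzip -n` line in the `@@ -151,6 +151,7 @@` hunk of mkinitramfs has no comment saying why the flag is there, unlike the commented block this patch adds further down. I would put `# gzip -n keeps the name and timestamp out of the gzip header, so the output does not vary with build time` above it and write the test as `[ -n "${SOURCE_DATE_EPOCH}" ]`. Only gzip is special-cased; whether lzop or xz, handled on the next two lines, need equivalent treatment cannot be told from these lines.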
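Review bot: `SOURCE_DATE_EPOCH` is taken from the environment and handed to `find -newermt` and `touch --date` in the `@@ -372,8 +373,18 @@` hunk of mkinitramfs without a check that it is a plain integer, and the status of that pipeline is never examined. A malformed value would presumably make the timestamp clamp fail while the build carries on and yields an image that is not reproducible. Separately, `cpio_reproducible` is assigned only when the grep matches, so unless it is initialised above this hunk the later unquoted `$cpio_reproducible` picks up whatever the caller's environment exports under that name, on a cpio command line that may run as root. The sketch below initialises the variable, rejects non-numeric values and checks the xargs status (the find status stays unchecked because the script has no pipefail); whether to abort or only warn is the maintainers' call.

```shell
# if SOURCE_DATE_EPOCH is set, try and create a reproducible image
cpio_reproducible=
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
	case "${SOURCE_DATE_EPOCH}" in
	*[!0-9]*)
		echo "E: SOURCE_DATE_EPOCH is not a non-negative integer: ${SOURCE_DATE_EPOCH}" >&2
		exit 1
		;;
	esac

	# ensure that no timestamps are newer than $SOURCE_DATE_EPOCH
	find "${DESTDIR}" -newermt "@${SOURCE_DATE_EPOCH}" -print0 | \
		xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" || exit 1

	# … unchanged: cpio --reproducible detection …
fi
```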
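Review bot: The new `LC_ALL=C sort` stage in the `@@ -382,7 +393,9 @@` hunk of mkinitramfs is the only stage of the pipe that neither closes fd 4 nor reports its exit status, so a failing sort (for example when its temporary directory is full) would hand cpio a truncated or empty file list while `ec2` still reads 0. The result could be an incomplete initramfs that the build treats as successful. I would write the stage as `LC_ALL=C sort 4>&-; echo "ec_sort=$?;" >&4` and test `ec_sort` wherever `ec1`, `ec2` and `ec3` are checked. That check lies after the end of this hunk and is not visible here.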
@@ -105,6 +105,12 @@ should not be mounted with the
 .B noexec
 mount option.
+If
+.B SOURCE_DATE_EPOCH
+is set,
+.B mkinitramfs
+attempts to generate a reproducible ramdisk.
+
 .SH FILES
 .TP
 .I /etc/initramfs-tools/initramfs.conf