pungi: add patches for making the output reproducible

2018-10-04 23:51:29 +02:00 · 2018-10-04 23:51:29 +02:00 · 94ccc1a19a
commit 94ccc1a19a
parent 45c201932b
7 changed files with 324 additions and 1 deletions
--- a/pungi/0001-Use-SOURCE_DATE_EPOCH-if-set-in-discinfo-file.patch
+++ b/pungi/0001-Use-SOURCE_DATE_EPOCH-if-set-in-discinfo-file.patch
@ -0,0 +1,45 @@
 From 1b0ff7f98bdce87deb7bc61d6c227be21fa43a94 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Thu, 4 Oct 2018 23:36:15 +0200
 Subject: [PATCH 1/6] Use $SOURCE_DATE_EPOCH (if set) in discinfo file
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 This helps the output image to be reproducible.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi/compose_metadata/discinfo.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/pungi/compose_metadata/discinfo.py b/pungi/compose_metadata/discinfo.py
 index df61ca0..758feef 100644
 --- a/pungi/compose_metadata/discinfo.py
 +++ b/pungi/compose_metadata/discinfo.py
@@ -32,6 +32,7 @@ __all__ = (
 )
 +import os
 import time
@@ -43,7 +44,10 @@ def write_discinfo(file_path, description, arch, disc_numbers=None, timestamp=No
     if not isinstance(disc_numbers, list):
         raise TypeError("Invalid type: disc_numbers type is %s; expected: <list>" % type(disc_numbers))
     if not timestamp:
 -        timestamp = "%f" % time.time()
 +        if 'SOURCE_DATE_EPOCH' in os.environ:
 +            timestamp = os.environ['SOURCE_DATE_EPOCH']
 +        else:
 +            timestamp = "%f" % time.time()
     with open(file_path, "w") as f:
         f.write("%s\n" % timestamp)
         f.write("%s\n" % description)
 -- 
 2.17.1
--- a/pungi/0002-Use-xorriso-instead-of-genisoimage.patch
+++ b/pungi/0002-Use-xorriso-instead-of-genisoimage.patch
@ -0,0 +1,49 @@
 From d33b8f9995070d68472c25779dfa543d6d7535db Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Thu, 4 Oct 2018 23:37:35 +0200
 Subject: [PATCH 2/6] Use xorriso instead of genisoimage
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 xorriso make the image reproducible (given the same input files),
 including support for SOURCE_DATE_EPOCH in various metadata.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi.spec      | 2 +-
 pungi/gather.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/pungi.spec b/pungi.spec
 index 6a23a63..d7bdc66 100644
 --- a/pungi.spec
 +++ b/pungi.spec
@@ -35,7 +35,7 @@ Requires:       jigdo
 Requires:       cvs
 Requires:       yum-utils
 Requires:       isomd5sum
 -Requires:       genisoimage
 +Requires:       xorriso
 Requires:       gettext
 Requires:       syslinux
 Requires:       git
 diff --git a/pungi/gather.py b/pungi/gather.py
 index 20cc33d..15dfcee 100644
 --- a/pungi/gather.py
 +++ b/pungi/gather.py
@@ -1709,7 +1709,7 @@ class Pungi(PungiBase):
                            clean=True) # This is risky...
         # setup the base command
 -        mkisofs = ['/usr/bin/mkisofs']
 +        mkisofs = ['/usr/bin/xorriso', '-as', 'mkisofs']
         mkisofs.extend(['-v', '-U', '-J', '-R', '-T', '-m', 'repoview', '-m', 'boot.iso']) # common mkisofs flags
         x86bootargs = ['-b', 'isolinux/isolinux.bin', '-c', 'isolinux/boot.cat', 
 -- 
 2.17.1
--- a/pungi/0003-Use-constant-MBR-ID-for-isohybrid.patch
+++ b/pungi/0003-Use-constant-MBR-ID-for-isohybrid.patch
@ -0,0 +1,34 @@
 From 61ed5d6ea5b1beedb59b3962d0df99f0b3c69402 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Thu, 4 Oct 2018 23:38:57 +0200
 Subject: [PATCH 3/6] Use constant MBR ID for isohybrid
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 If not set explicitly, isohybrid choose it randomly, which harm
 reproducibility.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi/gather.py | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/pungi/gather.py b/pungi/gather.py
 index 15dfcee..6f52bc6 100644
 --- a/pungi/gather.py
 +++ b/pungi/gather.py
@@ -1731,6 +1731,7 @@ class Pungi(PungiBase):
         ppcbootargs.append('-hfs-bless') # must be last
         isohybrid = ['/usr/bin/isohybrid']
 +        isohybrid.extend(['--id', '42'])
         # Check the size of the tree
         # This size checking method may be bunk, accepting patches...
 -- 
 2.17.1
--- a/pungi/0004-Make-sure-.treeinfo-file-is-sorted.patch
+++ b/pungi/0004-Make-sure-.treeinfo-file-is-sorted.patch
@ -0,0 +1,67 @@
 From 57e49f366a34e3d8fdb020d7f19bc2fec8547ec9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Thu, 4 Oct 2018 23:42:19 +0200
 Subject: [PATCH 4/6] Make sure .treeinfo file is sorted
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 OrderedDict used by default by ConfigParser isn't enough because order
 of entries being added may not be deterministic (depends on directory
 list order). To solve this problem, use SortedDict as a base.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi.spec      | 2 ++
 pungi/gather.py | 5 +++++
 2 files changed, 7 insertions(+)
 diff --git a/pungi.spec b/pungi.spec
 index d7bdc66..dcb1986 100644
 --- a/pungi.spec
 +++ b/pungi.spec
@@ -17,6 +17,7 @@ BuildRequires:  python-jsonschema
 BuildRequires:  python-enum34
 BuildRequires:  python2-dnf
 BuildRequires:  python2-multilib
 +BuildRequires:  python2-dict-sorted
 Requires:       createrepo >= 0.4.11
 Requires:       yum => 3.4.3-28
@@ -44,6 +45,7 @@ Requires:       libguestfs-tools-c
 Requires:       python-enum34
 Requires:       python2-dnf
 Requires:       python2-multilib
 +Requires:       python2-dict-sorted
 BuildArch:      noarch
 diff --git a/pungi/gather.py b/pungi/gather.py
 index 6f52bc6..1035036 100644
 --- a/pungi/gather.py
 +++ b/pungi/gather.py
@@ -26,6 +26,7 @@ import urlgrabber.progress
 import subprocess
 import createrepo
 import ConfigParser
 +from sdict import AlphaSortedDict
 from fnmatch import fnmatch
 import arch as arch_module
@@ -95,6 +96,10 @@ def is_package(po):
 class MyConfigParser(ConfigParser.ConfigParser):
     """A subclass of ConfigParser which does not lowercase options"""
 +    def __init__(self, *args, **kwargs):
 +        kwargs['dict_type'] = AlphaSortedDict
 +        ConfigParser.ConfigParser.__init__(self, *args, **kwargs)
 +
     def optionxform(self, optionstr):
         return optionstr
 -- 
 2.17.1
--- a/pungi/0005-Set-repodata-mtime-to-SOURCE_DATE_EPOCH.patch
+++ b/pungi/0005-Set-repodata-mtime-to-SOURCE_DATE_EPOCH.patch
@ -0,0 +1,60 @@
 From 8eaee0ada8caa8b509b96867b06b876ef606d64f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Thu, 4 Oct 2018 23:44:06 +0200
 Subject: [PATCH 5/6] Set repodata mtime to SOURCE_DATE_EPOCH
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 repodata/repomd.xml include timestamps of all the other repodata files.
 Even when those files are created reproducibly, they have current
 modification time. In general case this is a good thing (ease checking
 if repodata cache is up to date). But in case of composing installation
 image, it breaks reproducibility.
 Avoid this by reseting mtime of repodata/* to $SOURCE_DATE_EPOCH, just
 before creating repomd.xml.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi/gather.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/pungi/gather.py b/pungi/gather.py
 index 1035036..dbe38f7 100644
 --- a/pungi/gather.py
 +++ b/pungi/gather.py
@@ -25,6 +25,7 @@ import logging
 import urlgrabber.progress
 import subprocess
 import createrepo
 +import glob
 import ConfigParser
 from sdict import AlphaSortedDict
 from fnmatch import fnmatch
@@ -1409,9 +1410,20 @@ class Pungi(PungiBase):
             conf.baseurl = baseurl
         if compress_type:
             conf.compress_type = compress_type
 +        if 'SOURCE_DATE_EPOCH' in os.environ:
 +            conf.revision = os.environ['SOURCE_DATE_EPOCH']
         repomatic = createrepo.MetaDataGenerator(conf)
         self.logger.info('Making repodata')
         repomatic.doPkgMetadata()
 +
 +        # set mtime to $SOURCE_DATE_EPOCH, do that just before creating
 +        # repomd.xml, because it includes timestamps of referenced files
 +        if 'SOURCE_DATE_EPOCH' in os.environ:
 +            s_d_e = int(os.environ['SOURCE_DATE_EPOCH'])
 +            for repo_file in glob.glob(
 +                    os.path.join(conf.outputdir, conf.tempdir, "*")):
 +                os.utime(repo_file, (s_d_e, s_d_e))
 +
         repomatic.doRepoMetadata()
         repomatic.doFinalMove()
 -- 
 2.17.1
--- a/pungi/0006-Monkey-patch-createrepo-to-clamp-repodata-mtime.patch
+++ b/pungi/0006-Monkey-patch-createrepo-to-clamp-repodata-mtime.patch
@ -0,0 +1,53 @@
 From aaae0547c9bfefac7aa0d431cc4065eb369a7605 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
 Date: Fri, 5 Oct 2018 15:26:36 +0200
 Subject: [PATCH 6/6] Monkey patch createrepo to clamp repodata mtime
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Organization: Invisible Things Lab
 Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 Unfortunately some files are created during repomatic.doRepoMetadata(),
 so clamping mtime before the call isn't enough. To limit changes to just
 one component, monkey patch createrepo function.
 Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
 ---
 pungi/gather.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 diff --git a/pungi/gather.py b/pungi/gather.py
 index dbe38f7..9963dc6 100644
 --- a/pungi/gather.py
 +++ b/pungi/gather.py
@@ -1424,6 +1424,25 @@ class Pungi(PungiBase):
                     os.path.join(conf.outputdir, conf.tempdir, "*")):
                 os.utime(repo_file, (s_d_e, s_d_e))
 +            # unfortunately the above is not enough, because some files are created
 +            # during doRepoMetadata(). This include:
 +            #  - compressed sqlite versions of the metadata - needed by repoview
 +            #  - group file (compressed and not) - this is needed, so the timestamp
 +            #    problem needs to be solved anyway
 +            orig_createRepoDataObject = repomatic._createRepoDataObject
 +            def wrapped_createRepoDataObject(*args, **kwargs):
 +                repodata = orig_createRepoDataObject(*args, **kwargs)
 +                if int(repodata.timestamp) > s_d_e:
 +                    repodata.timestamp = str(s_d_e)
 +                return repodata
 +            repomatic._createRepoDataObject = wrapped_createRepoDataObject
 +
 +            orig_compressFile = createrepo.utils.compressFile
 +            def wrapped_compressFile(source, dest, compress_type):
 +                orig_compressFile(source, dest, compress_type)
 +                os.utime(dest, (s_d_e, s_d_e))
 +            createrepo.utils.compressFile = wrapped_compressFile
 +
         repomatic.doRepoMetadata()
         repomatic.doFinalMove()
 -- 
 2.17.1
--- a/pungi/pungi.spec
+++ b/pungi/pungi.spec
@ -14,6 +14,13 @@ Patch3:         disable-efi.patch
 Patch4:         Hacky-way-to-pass-gpgkey-to-lorax.patch
 #Patch5:         fix-recursive-partition-table-on-iso-image.patch
 #Patch6:         disable-upgrade.patch
 Patch7:         0001-Use-SOURCE_DATE_EPOCH-if-set-in-discinfo-file.patch
 Patch8:         0002-Use-xorriso-instead-of-genisoimage.patch
 Patch9:         0003-Use-constant-MBR-ID-for-isohybrid.patch
 Patch10:       	0004-Make-sure-.treeinfo-file-is-sorted.patch
 Patch11:       	0005-Set-repodata-mtime-to-SOURCE_DATE_EPOCH.patch
 Patch12:        0006-Monkey-patch-createrepo-to-clamp-repodata-mtime.patch
 BuildRequires:  python-nose, python-mock
 BuildRequires:  python-devel, python-setuptools, python2-productmd >= 1.3
 BuildRequires:  python-lockfile, kobo, kobo-rpmlib, python-kickstart, createrepo_c
@ -24,6 +31,7 @@ BuildRequires:  python-jsonschema
 BuildRequires:  python-enum34
 BuildRequires:  python2-dnf
 BuildRequires:  python2-multilib
 BuildRequires:  python2-dict-sorted
 #deps for doc building
 BuildRequires:  python-sphinx, texlive-latex-bin-bin, texlive-collection-fontsrecommended
@ -52,7 +60,7 @@ Requires:       koji >= 1.10.1-13
 Requires:       cvs
 Requires:       yum-utils
 Requires:       isomd5sum
-Requires:       genisoimage
+Requires:       xorriso
 Requires:       gettext
 # this is x86 only 
 #Requires:       syslinux
@ -61,6 +69,7 @@ Requires:       python-jsonschema
 Requires:       python-enum34
 Requires:       python2-dnf
 Requires:       python2-multilib
 Requires:       python2-dict-sorted
 BuildArch:      noarch
@ -86,6 +95,12 @@ notification to Fedora Message Bus.
 %patch4 -p1
 #%%patch5 -p1
 #%%patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %build
 %{__python} setup.py build