| Message ID | 20240501120001.855311-1-kumar.rakesh@siemens.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [isar-cip-core,v3] update ISAR to latest version | expand |
On 01.05.24 14:00, Rakesh Kumar wrote: > One of the changes is DEBIAN_PROVIDES, which is required to > resolve the duplicate Provides problem in secure-boot-secrets > to ensure that the build process completes successfully. > > Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com> > --- > kas-cip.yml | 2 +- > recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc | 4 +--- > .../swupdate-certificates/swupdate-certificates-key.inc | 4 +--- > .../swupdate-certificates/swupdate-certificates.inc | 4 +--- > 4 files changed, 4 insertions(+), 10 deletions(-) > > diff --git a/kas-cip.yml b/kas-cip.yml > index 2c3c8b0..1b97bd5 100644 > --- a/kas-cip.yml > +++ b/kas-cip.yml > @@ -22,7 +22,7 @@ repos: > > isar: > url: https://github.com/ilbers/isar.git > - commit: 9dc362cd7115074c0f60843e687ed89db5c9339a > + commit: 36c711e4ed6d5ca3c8ab71ffb4a51e78615aa1f0 This requires also SOURCE_DATE_EPOCHE-related changes: | FATAL ERROR: SOURCE_DATE_EPOCH and command line options can't be used at the same time to set timestamp(s) NOTE: recipe cip-core-image-1.0-r0: task do_image_squashfs: Failed I suspect we can simply drop the source_epoch block from kas-cip.yml now. Felix? > layers: > meta: > > diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc > index 2164b12..00b2a38 100644 > --- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc > +++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc > @@ -14,6 +14,7 @@ inherit dpkg-raw > DPKG_ARCH = "all" > DEBIAN_MULTI_ARCH = "foreign" > PROVIDES += "secure-boot-secrets" > +DEBIAN_PROVIDES = "${PROVIDES}" This statement is not equivalent to the original code - and it is broken. PROVIDES also contains the -native variants that make no sense to Debian, and the separator would also be wrong. I missed this while reviewing but you should have found it while testing. Which configurations did you actually test? > > SB_KEY ??= "" > SB_CERT ??= "" > @@ -31,6 +32,3 @@ do_install() { > install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem > } > > -do_prepare_build:append() { > - echo "Provides: secure-boot-secrets" >> ${S}/debian/control > -} > diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > index 944c2dc..459e288 100644 > --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc > @@ -15,6 +15,7 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" > > DPKG_ARCH = "all" > PROVIDES += "swupdate-certificates-key" > +DEBIAN_PROVIDES = "${PROVIDES}" > > SWU_SIGN_KEY ??= "" > SWU_SIGN_SCRIPT ??= "sign-swu-cms" > @@ -35,6 +36,3 @@ do_install() { > install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key > } > > -do_prepare_build:append() { > - echo "Provides: swupdate-certificates-key" >> ${S}/debian/control > -} > diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc > index dec9a83..02f43e6 100644 > --- a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc > +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc > @@ -16,6 +16,7 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" > DPKG_ARCH = "all" > DEBIAN_MULTI_ARCH = "foreign" > PROVIDES += "swupdate-certificates" > +DEBIAN_PROVIDES = "${PROVIDES}" > > SWU_SIGN_CERT ??= "" > > @@ -30,6 +31,3 @@ do_install() { > install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt > } > > -do_prepare_build:append() { > - echo "Provides: swupdate-certificates" >> ${S}/debian/control > -} Jan
On 01.05.24 22:54, Jan Kiszka wrote: > On 01.05.24 14:00, Rakesh Kumar wrote: >> One of the changes is DEBIAN_PROVIDES, which is required to >> resolve the duplicate Provides problem in secure-boot-secrets >> to ensure that the build process completes successfully. >> >> Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com> >> --- >> kas-cip.yml | 2 +- >> recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc | 4 +--- >> .../swupdate-certificates/swupdate-certificates-key.inc | 4 +--- >> .../swupdate-certificates/swupdate-certificates.inc | 4 +--- >> 4 files changed, 4 insertions(+), 10 deletions(-) >> >> diff --git a/kas-cip.yml b/kas-cip.yml >> index 2c3c8b0..1b97bd5 100644 >> --- a/kas-cip.yml >> +++ b/kas-cip.yml >> @@ -22,7 +22,7 @@ repos: >> >> isar: >> url: https://github.com/ilbers/isar.git >> - commit: 9dc362cd7115074c0f60843e687ed89db5c9339a >> + commit: 36c711e4ed6d5ca3c8ab71ffb4a51e78615aa1f0 > > This requires also SOURCE_DATE_EPOCHE-related changes: > > | FATAL ERROR: SOURCE_DATE_EPOCH and command line options can't be used at the same time to set timestamp(s) > NOTE: recipe cip-core-image-1.0-r0: task do_image_squashfs: Failed > > I suspect we can simply drop the source_epoch block from kas-cip.yml > now. Felix? > That error above is from squashfs.bbclass. IIUC, we no longer need the command line options for reproducibility, thus: diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass index bf72133e..b39be0cd 100644 --- a/classes/squashfs.bbclass +++ b/classes/squashfs.bbclass @@ -31,12 +31,6 @@ SQUASHFS_MEMLIMIT ?= "${@int(get_free_mem() * 3/4)}" SQUASHFS_CREATION_LIMITS = "-mem ${SQUASHFS_MEMLIMIT} -processors ${SQUASHFS_THREADS}" python __anonymous() { - # Set file timestamps for reproducible builds - source_date_epoch = d.getVar('SOURCE_DATE_EPOCH') - if source_date_epoch: - args = " -fstime {time}".format(time=source_date_epoch) - d.appendVar('SQUASHFS_CREATION_ARGS', args) - exclude_directories = d.getVar('SQUASHFS_EXCLUDE_DIRS').split() if len(exclude_directories) == 0: return Jan
On Wed, 2024-05-01 at 23:16 +0200, Jan Kiszka wrote: > On 01.05.24 22:54, Jan Kiszka wrote: > > On 01.05.24 14:00, Rakesh Kumar wrote: > > > One of the changes is DEBIAN_PROVIDES, which is required to > > > resolve the duplicate Provides problem in secure-boot-secrets > > > to ensure that the build process completes successfully. > > > > > > Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com> > > > --- > > > kas-cip.yml | > > > 2 +- > > > recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc | > > > 4 +--- > > > .../swupdate-certificates/swupdate-certificates-key.inc | > > > 4 +--- > > > .../swupdate-certificates/swupdate-certificates.inc | > > > 4 +--- > > > 4 files changed, 4 insertions(+), 10 deletions(-) > > > > > > diff --git a/kas-cip.yml b/kas-cip.yml > > > index 2c3c8b0..1b97bd5 100644 > > > --- a/kas-cip.yml > > > +++ b/kas-cip.yml > > > @@ -22,7 +22,7 @@ repos: > > > > > > isar: > > > url: https://github.com/ilbers/isar.git > > > - commit: 9dc362cd7115074c0f60843e687ed89db5c9339a > > > + commit: 36c711e4ed6d5ca3c8ab71ffb4a51e78615aa1f0 > > > > This requires also SOURCE_DATE_EPOCHE-related changes: > > > > > FATAL ERROR: SOURCE_DATE_EPOCH and command line options can't be > > > used at the same time to set timestamp(s) > > NOTE: recipe cip-core-image-1.0-r0: task do_image_squashfs: Failed > > > > I suspect we can simply drop the source_epoch block from kas- > > cip.yml > > now. Felix? Hi, as described in the RECIPE-API-CHANGELOG, we better just rename that to SOURCE_DATE_EPOCH_FALLBACK. While we have good ways to (heuristically) compute the SDE for packages, we don't have this for the rootfs. That's why we need a proper fallback there. To be frank, the whole reproducible story only makes sense when also building against a snapshot mirror. This now can easily be enabled by setting ISAR_USE_APT_SNAPSHOT="1". At least for the repro test we should do that. > > > > That error above is from squashfs.bbclass. IIUC, we no longer need > the > command line options for reproducibility, thus: > > diff --git a/classes/squashfs.bbclass b/classes/squashfs.bbclass > index bf72133e..b39be0cd 100644 > --- a/classes/squashfs.bbclass > +++ b/classes/squashfs.bbclass > @@ -31,12 +31,6 @@ SQUASHFS_MEMLIMIT ?= "${@int(get_free_mem() * > 3/4)}" > SQUASHFS_CREATION_LIMITS = "-mem ${SQUASHFS_MEMLIMIT} -processors > ${SQUASHFS_THREADS}" > > python __anonymous() { > - # Set file timestamps for reproducible builds > - source_date_epoch = d.getVar('SOURCE_DATE_EPOCH') > - if source_date_epoch: > - args = " -fstime {time}".format(time=source_date_epoch) > - d.appendVar('SQUASHFS_CREATION_ARGS', args) > - Yes, this part can be removed. Felix > exclude_directories = d.getVar('SQUASHFS_EXCLUDE_DIRS').split() > if len(exclude_directories) == 0: > return > > Jan >
On 01.05.24 14:00, Rakesh Kumar wrote: > One of the changes is DEBIAN_PROVIDES, which is required to > resolve the duplicate Provides problem in secure-boot-secrets > to ensure that the build process completes successfully. > We will also have to wait for https://patchwork.isar-build.org/project/isar/patch/aa9baf96-98d8-41fb-9297-9d9b20d1520e@siemens.com/ or carry this as isar patch. Jan
From: kumar.rakesh@siemens.com
Yes, I think we can wait for the mentioned patch.
https://patchwork.isar-build.org/project/isar/patch/aa9baf96-98d8-41fb-9297-9d9b20d1520e@siemens.com/
Regards,
Rakesh
diff --git a/kas-cip.yml b/kas-cip.yml index 2c3c8b0..1b97bd5 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -22,7 +22,7 @@ repos: isar: url: https://github.com/ilbers/isar.git - commit: 9dc362cd7115074c0f60843e687ed89db5c9339a + commit: 36c711e4ed6d5ca3c8ab71ffb4a51e78615aa1f0 layers: meta: diff --git a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc index 2164b12..00b2a38 100644 --- a/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc +++ b/recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc @@ -14,6 +14,7 @@ inherit dpkg-raw DPKG_ARCH = "all" DEBIAN_MULTI_ARCH = "foreign" PROVIDES += "secure-boot-secrets" +DEBIAN_PROVIDES = "${PROVIDES}" SB_KEY ??= "" SB_CERT ??= "" @@ -31,6 +32,3 @@ do_install() { install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem } -do_prepare_build:append() { - echo "Provides: secure-boot-secrets" >> ${S}/debian/control -} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc index 944c2dc..459e288 100644 --- a/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates-key.inc @@ -15,6 +15,7 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" DPKG_ARCH = "all" PROVIDES += "swupdate-certificates-key" +DEBIAN_PROVIDES = "${PROVIDES}" SWU_SIGN_KEY ??= "" SWU_SIGN_SCRIPT ??= "sign-swu-cms" @@ -35,6 +36,3 @@ do_install() { install -m 0600 ${WORKDIR}/${SWU_SIGN_KEY} ${TARGET}/swupdate-sign.key } -do_prepare_build:append() { - echo "Provides: swupdate-certificates-key" >> ${S}/debian/control -} diff --git a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc index dec9a83..02f43e6 100644 --- a/recipes-devtools/swupdate-certificates/swupdate-certificates.inc +++ b/recipes-devtools/swupdate-certificates/swupdate-certificates.inc @@ -16,6 +16,7 @@ FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/files:" DPKG_ARCH = "all" DEBIAN_MULTI_ARCH = "foreign" PROVIDES += "swupdate-certificates" +DEBIAN_PROVIDES = "${PROVIDES}" SWU_SIGN_CERT ??= "" @@ -30,6 +31,3 @@ do_install() { install -m 0700 ${WORKDIR}/${SWU_SIGN_CERT} ${TARGET}/swupdate-sign.crt } -do_prepare_build:append() { - echo "Provides: swupdate-certificates" >> ${S}/debian/control -}
One of the changes is DEBIAN_PROVIDES, which is required to resolve the duplicate Provides problem in secure-boot-secrets to ensure that the build process completes successfully. Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com> --- kas-cip.yml | 2 +- recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc | 4 +--- .../swupdate-certificates/swupdate-certificates-key.inc | 4 +--- .../swupdate-certificates/swupdate-certificates.inc | 4 +--- 4 files changed, 4 insertions(+), 10 deletions(-)