reproducibility?

[merge]

I simply cloned the repo 2 times and built, ./build.sh X230. The resuting images differ. diffoscope shows they differ quite significantly. 4 times the build-time is in there, but a large binary chunk difffers too. Why?

thanks.

[Thrilleratplay]

Interesting. I can do the same with just the --clean-slate option. Even though there are git repos used with the payloads, which I should change, even when they are the same commit, there are variations. I will need to investigate this more. Thank you for noticing this.

EDIT: It looks like payloads cause variations. If this is the case, I will add a config that generates a reproducible build and try to match it to the hash generated by Coreboot.

[Thrilleratplay]

This is an example of Coreboot's reproducible build output. The output suggest it is executing the abuild script under coreboot's util directory but, as best as I can determine, uses this config which seems to be missing key information. At this point, I think I need to ask the Coreboot build team about how much of the project is reproducible.

[merge]

Thats a lot for taking the lead on this

[Thrilleratplay]

@merge Just to give you an update, I received a response from the Coreboot mailing list. I need to test removing the secondary payloads and using diffoscope to better determine what is causing variations in checksum hashes.

[Thrilleratplay]

@merge I think the build issue was fixed around a week ago. Using the --bleeding-edge flag, last Saturday and just now I was able to compile Coreboot and generate the same sha256 everytime. Could you try again to confirm this?

[merge]

thanks. will do so during next week.

Am 16. Juni 2018 05:26:55 MESZ schrieb Tom Hiller notifications@github.com:

@merge I think the build issue was fixed around a week ago. Using the --bleeding-edge flag, last Saturday and just now I was able to compile Coreboot and generate the same sha256 everytime. Could you try again to confirm this?

-- Martin Kepplinger http://martinkepplinger.com sent from mobile

[merge]

I can confirm. Nice!

Is there an option to choose one coreboot git commit to build already?

thanks!

[merge]

at least build-tested everything and I'd love to directly include your scripts in the Skulls project...

[Thrilleratplay]

It looks like you found the commit flag and already incorporated many of the same elements of the scripts into Skulls. Please do! I want to focus on using the docker image to build Coreboot and internal flashing. I will point those who need to flash externally to skulls in the readme.

You may want to run Shellcheck across Skulls if you want to make the scripts more cross shell compatible. It also helps with maintaining sanity while writing bash scripts. I tried to make a PR to fix a number of them but kept rewriting the while spaces when I did and never could seem to match the original. I am not sure what editor you use, but to keep that style, you may want to add a editorConfig file to Skulls.