linuxboot / heads-wiki

Documentation for the Heads firmware project

Verifying Heads Before Compiling #111

Closed newbieAtGithub closed 1 year ago

newbieAtGithub commented 1 year ago

Hi @tlaurion,

Below are some steps to verify Heads before compiling:

  1. git clone Heads from GitHub
  2. Download Heads' artifact from the latest commit and build in Circle CI
  3. Verify all files in the cloned Heads with hashes.txt from step 2

Please kindly add on or modify the steps above, for a better verification.

Thanks and Regards,

newbieAtGithub commented 1 year ago

Hi @tlaurion,

I refer to the Circle CI hashes.txt. I found that some files actually have the same name as files in the Heads GitHub repo.

For example, ./bin/kexec is the same as /heads/modules/kexec, and ./bin/cryptsetup is the same as /heads/modules/cryptsetup.

So maybe we can use these checksums in hashes.txt from Circle CI to verify some files cloned from Heads' repo before local compiling, although the built ROM will have a different checksum due to the reproducibility issue.

Do you think it is a good idea for verification before local compiling? Or maybe it is a wrong way to verify?

Thanks and regards,

tlaurion commented 1 year ago

modules/cryptsetup is the build recipe to build cryptsetup and cryptsetup-reencrypt binaries. Same for all other modules building different libraries/binaries that are packed in the final ROM's payload.

Those modules include expected hashes of tarballs downloaded as part of the build recipe, verified after download and prior to extraction. Then patches are applied from patches/ files, and then that module build starts. Board configuration tells which modules are expected for a board, as well as board-specific tweaks.

Everything built leaves a trace under hashes.txt in the board build directory.

So verifying before compiling here relies on git. git will tell you if any of the files maintained in the repository are as expected, prior to compiling.

git status under the heads directory will tell you what is different from the upstream repository, and will create a commit-dirty version if compiled. Dirty here would mean the ROM didn't come from a clean git repository; the ROM has been built from a repository containing changes.
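
Added example (not part of the comment above and not code from the Heads repository): a pre-build check that runs the git-based verification described in this answer and fails if the checkout would produce a dirty build. The function name `check_clean_checkout` is hypothetical, and the optional expected commit id is assumed to be one you obtained independently, for instance the commit of the CI build you are comparing against.

```shell
#!/bin/sh
# Added example, not Heads project code.
# Usage: check_clean_checkout <repo-dir> [expected-commit-id]
# Return codes: 0 clean, 1 tree differs from HEAD, 2 not a git repo,
#               3 object store corrupt, 4 HEAD is not the expected commit.
check_clean_checkout() {
    repo=$1
    expected=${2:-}

    # The directory must be a git work tree.
    git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
        echo "not a git repository: $repo" >&2; return 2; }

    # Re-hash the object store so corrupted or swapped objects are caught.
    git -C "$repo" fsck --no-dangling >/dev/null 2>&1 || {
        echo "git fsck reported problems in $repo" >&2; return 3; }

    # Modified, staged or untracked files are what lead to a dirty build.
    changes=$(git -C "$repo" status --porcelain --untracked-files=all)
    if [ -n "$changes" ]; then
        echo "working tree differs from HEAD:" >&2
        echo "$changes" >&2
        return 1
    fi

    # Optionally pin the build to a commit id obtained out of band.
    head=$(git -C "$repo" rev-parse HEAD)
    if [ -n "$expected" ] && [ "$head" != "$expected" ]; then
        echo "HEAD is $head, expected $expected" >&2
        return 4
    fi

    echo "clean checkout at $head"
}
```

Ignored files, such as build output directories listed in .gitignore, are not reported by `git status --porcelain` and do not cause a failure here.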

newbieAtGithub commented 1 year ago

Hi @tlaurion,

I see, so it is not necessary to do manual verification before local compiling, because Heads can rely on git status to do it automatically for us, and it will create a commit-dirty version of the ROM in case the ROM is not clean / contains changes.

Okay, understood now.

Thanks and regards,