[Buildroot] [PATCH 0/3] Add tainting support
Yann E. MORIN
yann.morin.1998 at free.fr
Fri Nov 3 21:31:25 UTC 2023
Adam, All,
On 2023-11-03 12:27 -0600, Adam Duskett spake thusly:
> Originally taken from Angelo Compagnucci's patch series:
> https://patchwork.ozlabs.org/project/buildroot/list/?series=64340
>
> When the original patch series was submitted, Buildroot was quite a bit
> smaller! With almost 1,000 packages added since then and more and more external
> package managers being available for various languages, it is not possible to
> package every single dependency needed for some packages.
>
> Indeed, looking at NPM, for example, some packages rely on tens, if not
> hundreds, of others. While this could be better and is indeed quite bad, it is,
> unfortunately, the reality we must deal with.
>
> With this patch series, we add initial tainting support to Buildroot with the
> added option to turn the support off by way of the BR2_DISABLE_TAINT_CHECKING
> option. This option gives us the best of both worlds: A sane default and an
> option for advanced users to turn off the check if they understand the risks
> and can guarantee their build is reproducible.
It does not require any such thing as tainting, and is just as simple as
this:
diff --git a/package/nodejs/nodejs-src/nodejs-src.mk b/package/nodejs/nodejs-src/nodejs-src.mk
index 3452c93728..2d716d8547 100644
--- a/package/nodejs/nodejs-src/nodejs-src.mk
+++ b/package/nodejs/nodejs-src/nodejs-src.mk
@@ -241,6 +241,7 @@ NODEJS_SRC_MODULES_LIST= $(call qstrip,\
# We can only call NPM if there's something to install.
#
ifneq ($(NODEJS_SRC_MODULES_LIST),)
+NODEJS_SRC_LICENSE += , vendored dependencies licenses probably not listed
NODEJS_SRC_DEPENDENCIES += host-nodejs
define NODEJS_SRC_INSTALL_MODULES
# If you're having trouble with module installation, adding -d
# to the
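Review bot: the `+=` with a leading comma on `NODEJS_SRC_LICENSE += , vendored dependencies licenses probably not listed` assumes NODEJS_SRC_LICENSE already holds a value when this ifneq block is evaluated; nothing in the hunk shows that base assignment, and if it is empty or assigned later in the .mk, the legal-info manifest would start with ", ". Consider placing the line right after the base NODEJS_SRC_LICENSE assignment (or dropping the leading comma when the variable is empty), and since this string ends up in the legal-info output used for compliance review, a firmer wording such as "licenses of vendored npm modules not tracked" would serve better than "probably not listed" ("dependencies' licenses" also needs the apostrophe).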
As for reproducibility: if the package is not reproducible, either it is
fixed so that it is reproducible, or, if that is not possible, then the
package should be hidden away behind "depends on !BR2_REPRODUCIBLE".
That's as simple as that, I would say.
Regards,
Yann E. MORIN.
>
> This patch series has two significant benefits:
> - Taint checking paves the way for additional package managers to be
> incorporated into Buildroot while maintaining reproducible integrity for
> packages provided by Buildroot.
>
> - It tells the user their build is tainted and what packages they
> have selected are causing the taint.
>
> - It makes support easier. If a user has a build that is tainted and the
> problem they are experiencing is with a tainted package, it is
> more straightforward to tell the user they are on their own.
>
> Adam Duskett (3):
> Makefile: add tainting support
> docs/manual: add information about tainting
> package/nodejs: taint the build when using external modules
>
> Config.in | 9 +++++++++
> Makefile | 17 +++++++++++++++++
> docs/manual/adding-packages-generic.adoc | 9 +++++++++
> docs/manual/legal-notice.adoc | 24 ++++++++++++++++++++++++
> package/nodejs/Config.in | 3 +++
> package/nodejs/nodejs-src/nodejs-src.mk | 1 +
> package/pkg-generic.mk | 19 +++++++++++++++++++
> 7 files changed, 82 insertions(+)
>
> --
> 2.41.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'