From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v5 0/3] Add tainting support to buildroot
Date: Sun, 9 Sep 2018 16:20:19 +0200 [thread overview]
Message-ID: <20180909142019.GK2841@scaer> (raw)
In-Reply-To: <CA+_SqVafj+DAsaBtSPJkf2bwbmh_3JojRjBrzG0oT6GduKTG4g@mail.gmail.com>
Angelo, All,
On 2018-09-09 14:44 +0100, Angelo Compagnucci spake thusly:
> On Sun, Sep 9, 2018 at 2:33 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> > On 2018-09-09 13:25 +0100, Angelo Compagnucci spake thusly:
> > > On Sun, Sep 9, 2018 at 1:10 PM Thomas Petazzoni
> > > <thomas.petazzoni@bootlin.com> wrote:
> > [--SNIP--]
> > > Thomas said evrithing exceptionally well, but I would like to
> > > underling another thing: automated building infrastructures like
> > > continuos integration.
> > >
> > > If a project hasa nedd of reproducibility, the countinous integration
> > > could check if a random developer introduced something not
> > > reproducible and mark the build as invalid. I think this is really a
> > > big plus of this solution.
> >
> > I do understand the concern, trust me, I do.
> >
> > What I am saying is that the solution you propose will not allow that,
> > because there is no way to decide whether a specific .config is or is
> > not reproducible, as per the examples I provided in the nodejs case.
> >
> > If a build is imprperly marked as tainted, then users will just
> > disregard that information and never consult it, and just not use it in
> > their automated buildsystemsd (jenkins, gitlab-ci, whatever). And even
> > if they do have a job doing the check, that job can detect a change from
> > "not tainted" to "tainted" because the job will always report "tainted".
>
> My concern here is that you start from a reproducible build, add your
> packages right and so maintain your build reproducible, buildroot will
> work as before.
So you are, like I am, in fact arguing that we should have actual packages
for such external modules? ;-)
> As soon you use a package manager tainting will be
> signaled.
This is where I disagree.
Using such package managers does not imply that the build is tainted.
This is a false dichotomy.
> Taint is mean to signal that there is a potential problem, and if you
> don't want to slip into it, you can always do the right thing and
> package your software and packaging also it's dependencies.
And what I am saying is that the heuristic you suggest to decide whether
a build should be considered tainted or not is incorrect.
> As soon as you do this, the taint disappear. I thin it could even be a
> deterrent to package the software randomly!
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2018-09-09 14:20 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 22:22 [Buildroot] [PATCH v5 0/3] Add tainting support to buildroot Angelo Compagnucci
2018-09-05 22:22 ` [Buildroot] [PATCH v5 1/3] Makefile: add tainting support Angelo Compagnucci
2018-09-06 7:44 ` Thomas Petazzoni
2018-09-06 7:46 ` Angelo Compagnucci
2018-09-05 22:22 ` [Buildroot] [PATCH v5 2/3] docs/manual: adding infos about tainting Angelo Compagnucci
2018-09-09 8:00 ` Yann E. MORIN
2018-09-05 22:22 ` [Buildroot] [PATCH v5 3/3] package/nodejs: taint the build on external modules Angelo Compagnucci
2018-09-09 7:49 ` Yann E. MORIN
2018-09-09 12:17 ` Angelo Compagnucci
2018-09-09 13:01 ` Yann E. MORIN
2018-09-09 13:29 ` Angelo Compagnucci
2018-09-06 7:42 ` [Buildroot] [PATCH v5 0/3] Add tainting support to buildroot Thomas Petazzoni
2018-09-09 7:36 ` Yann E. MORIN
2018-09-09 12:10 ` Thomas Petazzoni
2018-09-09 12:25 ` Angelo Compagnucci
2018-09-09 13:33 ` Yann E. MORIN
2018-09-09 13:44 ` Angelo Compagnucci
2018-09-09 14:20 ` Yann E. MORIN [this message]
2018-09-09 16:58 ` Angelo Compagnucci
2018-09-09 18:55 ` Yann E. MORIN
2018-09-09 20:18 ` Angelo Compagnucci
2018-09-10 7:50 ` Angelo Compagnucci
2018-09-10 15:00 ` Yann E. MORIN
2018-09-10 15:37 ` Yann E. MORIN
2018-09-10 17:10 ` Angelo Compagnucci
2018-09-10 18:07 ` Yann E. MORIN
2018-09-10 19:17 ` Angelo Compagnucci
2018-09-10 19:43 ` Yann E. MORIN
2018-09-10 20:03 ` Angelo Compagnucci
2018-09-10 20:26 ` Yann E. MORIN
2018-09-11 6:20 ` Angelo Compagnucci
2018-09-10 19:37 ` Thomas Petazzoni
2018-09-10 19:55 ` Angelo Compagnucci
2018-09-10 20:37 ` Yann E. MORIN
2018-09-09 13:27 ` Yann E. MORIN
2018-11-01 12:14 ` Arnout Vandecappelle
2018-11-01 12:25 ` Yann E. MORIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180909142019.GK2841@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox