From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 0/3] Add tainting support
Date: Fri, 3 Nov 2023 22:31:25 +0100
Message-ID: <20231103213125.GB2875@scaer>
In-Reply-To: <20231103182745.903344-1-adam.duskett@amarulasolutions.com>
Adam, All,

On 2023-11-03 12:27 -0600, Adam Duskett spake thusly:
> Originally taken from Angelo Compagnucci's patch series:
> https://patchwork.ozlabs.org/project/buildroot/list/?series=64340
>
> When the original patch series was submitted, Buildroot was quite a bit
> smaller! With almost 1,000 packages added since then and more and more external
> package managers being available for various languages, it is not possible to
> package every single dependency needed for some packages.
>
> Indeed, looking at NPM, for example, some packages rely on tens, if not
> hundreds, of others. While this could be better and is indeed quite bad, it is,
> unfortunately, the reality we must deal with.
>
> With this patch series, we add initial tainting support to Buildroot with the
> added option to turn the support off by way of the BR2_DISABLE_TAINT_CHECKING
> option. This option gives us the best of both worlds: A sane default and an
> option for advanced users to turn off the check if they understand the risks
> and can guarantee their build is reproducible.
It does not require any such thing as tainted, and is just as simple as
this:
diff --git a/package/nodejs/nodejs-src/nodejs-src.mk b/package/nodejs/nodejs-src/nodejs-src.mk
index 3452c93728..2d716d8547 100644
--- a/package/nodejs/nodejs-src/nodejs-src.mk
+++ b/package/nodejs/nodejs-src/nodejs-src.mk
@@ -241,6 +241,7 @@ NODEJS_SRC_MODULES_LIST= $(call qstrip,\
# We can only call NPM if there's something to install.
#
ifneq ($(NODEJS_SRC_MODULES_LIST),)
+NODEJS_SRC_LICENSE += , vendored dependencies licenses probably not listed
NODEJS_SRC_DEPENDENCIES += host-nodejs
define NODEJS_SRC_INSTALL_MODULES
# If you're having trouble with module installation, adding -d
# to the
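Review bot: the added NODEJS_SRC_LICENSE line, placed right after `ifneq ($(NODEJS_SRC_MODULES_LIST),)`, will render with a stray space before the comma, because make's `+=` always joins the old value and the appended text with a single space. Writing it as `NODEJS_SRC_LICENSE := $(NODEJS_SRC_LICENSE), vendored dependencies licenses probably not listed` would avoid that. The appended text is also a free-form sentence rather than a license name, and it does not say which modules are uncovered; since the surrounding block already keys on NODEJS_SRC_MODULES_LIST, naming those modules in the string would let whoever reads the license field see exactly which npm dependencies were pulled in without license information. A short comment above the line explaining why the license field is being extended here would help as well.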
As for reproducibility: if the package is not reproducible, either it is
fixed so that it is reproducible, or if that is not possible, then the
package should be hidden away behind depends on !BR2_REPRODUCIBLE.

That's as simple as that, I would say.

Regards,
Yann E. MORIN.
>
> This patch series has two significant benefits:
> - Taint checking paves the way for additional package managers to be
> incorporated into Buildroot while maintaining reproducible integrity for
> packages provided by Buildroot.
>
> - It tells the user their build is tainted and what packages they
> have selected are causing the taint.
>
> - It makes support easier. If a user has a build that is tainted and the
> problem they are experiencing is with a tainted package; it is
> more straightforward to tell the user they are on their own.
>
> Adam Duskett (3):
> Makefile: add tainting support
> docs/manual: add information about tainting
> package/nodejs: taint the build when using external modules
>
> Config.in | 9 +++++++++
> Makefile | 17 +++++++++++++++++
> docs/manual/adding-packages-generic.adoc | 9 +++++++++
> docs/manual/legal-notice.adoc | 24 ++++++++++++++++++++++++
> package/nodejs/Config.in | 3 +++
> package/nodejs/nodejs-src/nodejs-src.mk | 1 +
> package/pkg-generic.mk | 19 +++++++++++++++++++
> 7 files changed, 82 insertions(+)
>
> --
> 2.41.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
Thread overview: 7+ messages
2023-11-03 18:27 [Buildroot] [PATCH 0/3] Add tainting support Adam Duskett
2023-11-03 18:27 ` [Buildroot] [PATCH 1/3] Makefile: add " Adam Duskett
2023-11-03 18:27 ` [Buildroot] [PATCH 2/3] docs/manual: add information about tainting Adam Duskett
2023-11-03 18:27 ` [Buildroot] [PATCH 3/3] package/nodejs: taint the build when using external modules Adam Duskett
2023-11-03 21:31 ` Yann E. MORIN [this message]
2023-11-05 17:07 ` [Buildroot] [PATCH 0/3] Add tainting support Adam Duskett
2023-11-08 20:27 ` Peter Korsgaard