Using reproducible build information to help GPL compliance

  • spectrum of violations in the wild:
    • didn’t include license or source - beyond help
    • middle ground: partial source: patches, some dependencies, or build information missing
  • distributors know they need to, want to, but source isn’t complete
  • compliance with GPL
  • GPL defines what’s necessary for compliance (Makefiles, other scripts for running build tools)
  • violators who aren’t totally clueless, but don’t really care either:
    • incomplete source code: downloaded tarball from upstream, without patches or with incomplete patches
    • failure to document the full process for the build environment (e.g. needs to be built from a specific homedir by a specific user)
    • shipping full toolchain as a tarball
  • using buildinfo files
    • useful documentation for compliance issues
    • distro used to build
    • versions of toolchain
    • locale settings
  • gaps
    • distribution-level reproducibility has been the focus
    • many violations are on systems that don’t even run a traditional distro, just a thin layer of binaries
    • move tooling from the distributions into the lower levels
      • gcc to generate a buildinfo file
  • we’re really not talking about distros necessarily
  • provide an SDK
    • include common toolchain for embedded development that generates proper reproducibility with .buildinfo or related information necessary to build
    • talk to linaro to ensure that their toolchains contain reproducibility information
  • GCC
    • generate buildinfo files
    • embedding hashes of includes and other build source in binaries
  • contacting embedded distros
    • get openembedded, angstrom, etc. using reproducibility toolchains
  • source code tarball tool
    • tool that looks at a source release and .buildinfo and identifies missing pieces from the source code
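A sketch of the "source code tarball tool" idea, added here as an illustration rather than a tool the notes describe as existing: it reads the Debian-style .buildinfo fields (Checksums-Sha256, Build-Path, Installed-Build-Depends, Environment), reports which recorded source inputs are absent or altered in what was shipped, and extracts the build-environment details a compliance package has to document. The package name, file bytes and .buildinfo contents are constructed for the example.

```python
import hashlib
sha = lambda data: hashlib.sha256(data).hexdigest()  # noqa: E731
# Constructed source artefacts: placeholder bytes, not a real package.
DSC = b"constructed hello_2.10-2.dsc"
ORIG_TARBALL = b"constructed upstream tarball"
DEBIAN_TARBALL = b"constructed debian.tar.xz carrying the distro patches"
# Constructed .buildinfo in Debian deb822 layout; checksums derived from the bytes above.
SAMPLE_BUILDINFO = f"""\
Source: hello
Checksums-Sha256:
 {sha(DSC)} {len(DSC)} hello_2.10-2.dsc
 {sha(ORIG_TARBALL)} {len(ORIG_TARBALL)} hello_2.10.orig.tar.gz
 {sha(DEBIAN_TARBALL)} {len(DEBIAN_TARBALL)} hello_2.10-2.debian.tar.xz
 {sha(b'deb')} 3 hello_2.10-2_amd64.deb
Build-Path: /build/hello-2.10
Installed-Build-Depends:
 gcc (= 4:10.2.1-1),
 libc6-dev (= 2.31-13)
Environment:
 LANG="C.UTF-8"
"""
# Constructed "source release" as shipped: patch tarball absent, upstream tarball altered.
SHIPPED = {"hello_2.10-2.dsc": DSC, "hello_2.10.orig.tar.gz": ORIG_TARBALL + b"\n"}

def parse_buildinfo(text: str) -> dict:
    # Minimal deb822 parser: field name -> list of values, one per continuation line.
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = [value.strip()] if value.strip() else []
    return fields

def check_source_release(buildinfo_text: str, shipped: dict) -> dict:
    # Compare the build inputs recorded in .buildinfo with the files actually shipped.
    fields = parse_buildinfo(buildinfo_text)
    missing, mismatched = [], []
    for entry in fields.get("Checksums-Sha256", []):
        digest, _size, name = entry.split()
        if name.endswith((".deb", ".udeb", ".buildinfo")):
            continue  # build outputs, not inputs
        if name not in shipped:
            missing.append(name)
        elif sha(shipped[name]) != digest:
            mismatched.append(name)
    return {"missing": missing, "mismatched": mismatched, "build_path": fields.get("Build-Path", [""])[0],
            "build_depends": [d.rstrip(",") for d in fields.get("Installed-Build-Depends", [])],
            "environment": fields.get("Environment", [])}
```

On the constructed release the report flags the absent patch tarball and the altered upstream tarball, and lists the build path, toolchain versions and locale that the shipped source must document.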
