SBOMs break bottle reproducibility #17281
Comments
|
CC @SMillerDev |
|
I'll have to find where this is ignored for tabs since we can't really make sure it's the same. I can probably fix the build date though |
Yup, they will indeed be different. It isn't ignored for tabs -- they're just not stored in the bottle, so they don't affect the bottle checksum. |
|
Yes, for tabs we don't store this stuff in the bottles - we store them in GitHub Packages manifest annotations instead. |
We should do the same thing for SBOMs dates/times as we do for Tab runtime dependencies: update them after installation (based on the dates/times from the tab): brew/Library/Homebrew/formula_installer.rb Lines 825 to 830 in 1e4d119 |
|
Not sure how to resolve this. We could not write the field if the compiler is the system one maybe? Or, which affects the usefulness iyam, we could drop the bottle inclusion of the file and only write it on install. |
|
I think in an ideal world we'd detect if the compiler was actually used somehow e.g. write a temporary file on first usage of one of the compiler shims. In cases like this, it's pretty clear that the compiler isn't actually used or a dependency. |
|
If compiler information needs to be available in the bottle archive via If compiler information only needs to be available in the Cellar after |
Yes, this seems best for now. |
This is fine, but it might not be enough. The |
|
Confusingly, the SBOM also seems to contain this snippet: {
"SPDXID": "SPDXRef-Bottle-node@20",
"name": "node@20",
"versionInfo": "20.13.1",
"filesAnalyzed": false,
"licenseDeclared": "NOASSERTION",
"builtDate": "2024-05-09 05:20:38 -0400",
"licenseConcluded": "MIT",
"downloadLocation": "https://ghcr.io/v2/homebrew/core/node/20/blobs/sha256:a865d16c32d50cdffe26e341fb6a8d52b7c3f95daf10e2a390fb988c4fba0ab3",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:brew/homebrew/core/node@20@20.13.1",
"referenceType": "purl"
}
],
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "a865d16c32d50cdffe26e341fb6a8d52b7c3f95daf10e2a390fb988c4fba0ab3"
}
]
}Except that the download location (and checksum) is not for the version indicated (20.13.1). Instead, it points to the location and checksum of 20.13.0. Which kinda makes sense, because you can't really write a file containing the checksum of the bottle inside the bottle. (Or I could just be very confused about what's going on here, which is also a possibility.) |
This also should be removed at bottling time and restored at install time. |
- Remove use of (unused) `Cachable` module. - Pass whether we're bottling to determine whether to create reproducible SBOM or not. A reproducible SBOM omits the time and compiler. - Remove bottle information when bottling: we cannot know what e.g. the checksum (and, with GitHub Packages, therefore also the download location) will be before we've created the tarball contents. - Always write a bottle on installation (unless we're bottling) to provide new bottle information or freshen the existing one with the information we stripped out for reproducibility e.g. the time and compiler. - Don't need to handle a `nil` `@source_modified_time` as it's always set. Fixes #17281
- Remove use of (unused) `Cachable` module. - Pass whether we're bottling to determine whether to create reproducible SBOM or not. A reproducible SBOM omits the time and compiler. - Remove bottle information when bottling: we cannot know what e.g. the checksum (and, with GitHub Packages, therefore also the download location) will be before we've created the tarball contents. - Always write a bottle on installation (unless we're bottling) to provide new bottle information or freshen the existing one with the information we stripped out for reproducibility e.g. the time and compiler. - Don't need to handle a `nil` `@source_modified_time` as it's always set. Fixes #17281
- Remove use of (unused) `Cachable` module. - Pass whether we're bottling to determine whether to create reproducible SBOM or not. A reproducible SBOM omits the time and compiler. - Remove bottle information when bottling: we cannot know what e.g. the checksum (and, with GitHub Packages, therefore also the download location) will be before we've created the tarball contents. - Always write a bottle on installation (unless we're bottling) to provide new bottle information or freshen the existing one with the information we stripped out for reproducibility e.g. the time and compiler. - Don't need to handle a `nil` `@source_modified_time` as it's always set. Fixes #17281
|
Confirmed rebottling in Homebrew/homebrew-core#171540 post #17284 fixes the bottles 🎉 |
|
Thanks @MikeMcQuaid ❤️ |
|
This is still happening. See Homebrew/homebrew-core@fd1c80d. Diffoscope OutputThis is basically the problem I describe at #17281 (comment). |
That problem was fixed. I cannot reproduce this locally. If I run
This was not the case before that was fixed. This is because we're passing brew/Library/Homebrew/dev-cmd/bottle.rb Line 511 in cb168df These values are only being added at brew/Library/Homebrew/formula_installer.rb Line 835 in 610b80e So this is an issue with either |
No, it is not fixed. You cannot reproduce this problem with Doing which will, in general, prevent the creation of |
Ok, thanks for the reproduction command. It was not clear how to reproduce this before and not clear to me until rereading that this was an additional issue unrelated to reproducibility but related to #17370 should address this. |
brew doctoroutputVerification
brew doctoroutput" above saysYour system is ready to brew.and am still able to reproduce my issue.brew updatetwice and am still able to reproduce my issue.brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.brew configoutputWhat were you trying to do (and why)?
Figure out why we don't have an
:allbottle at Homebrew/homebrew-core@0894397 (because:allbottles are nice).To examine the differences between the bottles, I used
diffoscope.What happened (include all command output)?
diffoscopeshowed that the bottles have differingsbom.spdx.jsonfiles.diffoscope output
What did you expect to happen?
These bottles are identical, so they should not have different contents.
Step-by-step reproduction instructions (by running
brewcommands)gh run download 9046359873 -p 'bottles*' -R Homebrew/homebrew-core diffoscope bottles_ubuntu-22.04/osinfo-db--20240510.x86_64_linux.bottle.tar.gz bottles_14-arm64-9046359873/osinfo-db--20240510.arm64_sonoma.bottle.tar.gzThe text was updated successfully, but these errors were encountered: