kerberos5: Avoid embedding full paths in generated files
AbandonedPublic
Actions

Authored by markj on Jun 20 2025, 5:13 PM.

Details

Reviewers

emaste
brooks
bnovkov
kevans
imp
cy

Summary

When reproducible builds are enabled, we want to use /usr/src and
/usr/obj as the canonical src and obj paths.

Various files generated by the Heimdal Kerberos builds embed the
original source path in generated files. It doesn't look like the
utilities which generate those files can be taught to perform
substitution, so the easiest thing to do is fix them up after the fact.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 64996
Build 61879: arc lint + arc unit

Event Timeline

markj requested review of this revision.Jun 20 2025, 5:13 PM

markj created this revision.

Harbormaster completed remote builds in B64996: Diff 157386.Jun 20 2025, 5:13 PM

markj added a parent revision: D50951: share/mk: Substitute reproducible prefixes in dwarf info.Jun 20 2025, 5:13 PM

markj added a child revision: D50953: sys/conf: Remap paths for reproducibility.

markj added a reviewer: cy.Jun 20 2025, 5:15 PM

emaste mentioned this in D50955: ncurses: Provide reproducible paths.Jul 14 2025, 3:46 PM

No objection from me

This revision is now accepted and ready to land.Aug 6 2025, 12:20 AM

lgtm

I fear the underlying code code isn't safe. The problem is that each of the value of GEN_* is a target on its own. As a demonstrator I created a trivial makefile:

GEN=a b c d
${GEN}:
        touch ${GEN}

I you ask it to make multiple targets in parallel with something like make -j40 a b c d the generator runs more than once:

--- a ---
--- b ---
--- c ---
--- d ---
--- a ---
touch a b c d
--- b ---
touch a b c d
--- c ---
touch a b c d
--- d ---
touch a b c d

It probably works out ok in practice because it just recreates the files with the same contents, but I'm afraid adding the sed will introduce more races. I'm not sure what the correct solution is. Make doesn't really deal well with multiple outputs.

In D50952#1182272, @brooks wrote:
I fear the underlying code code isn't safe. The problem is that each of the value of GEN_* is a target on its own. As a demonstrator I created a trivial makefile:
GEN=a b c d
${GEN}:
        touch ${GEN}
I you ask it to make multiple targets in parallel with something like make -j40 a b c d the generator runs more than once:
--- a ---
--- b ---
--- c ---
--- d ---
--- a ---
touch a b c d
--- b ---
touch a b c d
--- c ---
touch a b c d
--- d ---
touch a b c d
It probably works out ok in practice because it just recreates the files with the same contents, but I'm afraid adding the sed will introduce more races. I'm not sure what the correct solution is. Make doesn't really deal well with multiple outputs.

Ah, I hadn't realized this. Absent a clear solution and given that Heimdal kerberos is no longer the default (and krb5 doesn't have any reproducibility problems that I've found), I'm inclined to just drop this.

Note that all of these have .ORDER declarations a few lines up that effectively serializes all of the generated targets.