public
/
toolchain
5
0
Fork 0
Code Issues 4 Pull Requests 1 Packages Projects Releases Wiki Activity
Opinionated make library providing a containerized toolchain and helpers for determinism and batteries-included workflows on most any git project.
23 Commits 2 Branches 0 Tags 336 KiB
Makefile 73%
Shell 25.6%
Dockerfile 1.4%
Go to file
Lance Vick 2e67bce822
only depend on toolchain.state in global 'toolchain' phony 		2023-02-24 13:42:59 -08:00
scripts add VERSION to environment 2023-02-15 04:09:04 -08:00
Dockerfile several multi-arch improvements 2023-02-02 21:30:11 -08:00
Makefile only depend on toolchain.state in global 'toolchain' phony 2023-02-24 13:42:59 -08:00
README.md detail update and shell 2023-01-27 17:00:24 -08:00

README.md

Toolchain

https://codeberg.org/distrust/toolchain

About

A library of opinionated make functions targeting projects that either need deterministic builds, or a deterministic toolchain shared across all who use a project.

A dev of a Toolchain enabled project should never need to have anything on their host system installed but docker, and git. Everything else will be provided via a Docker container.

Debian currently has the highest reproducibility score of any major Linux distribution, and as such it is the chosen base for Toolchain.

This was built for Distrust projects, and some of our clients. It is unlikely to meet the needs of everyone. We suggest including this in your project as a git subtree, so you can make your own changes, but also pull in changes from us as desired.

Uses

  • Ensure everyone on a team is using the exact same tools
  • Ensure all releases and artifacts build hash-for-hash identical every time
  • Control supply chain security with only signed/reproducible dependencies

Features

  • Can run a shell with all toolchain tooling in the current directory
  • Provide make functions for common tasks
    • Git clone, apply patches, etc.
  • Use a global env file as configuration
  • Hash-locking of apt dependencies from a list of top-level required packages
  • Provides release.env file with required vars to re-create old releases

Requirements

  • docker 18+
  • GNU Make 4+

Setup

  1. Clone toolchain as a git submodule somewhere in your project

    git submodule add https://codeburg.org/distrust/toolchain src/toolchain

  2. Include toolchain Makefile in your root Makefile

    include src/toolchain/Makefile

  3. Define any build/dev dependencies for toolchain container

    echo "libfaketime" >> config/toolchain/packages-base.txt
echo "build-essential" >> config/toolchain/packages-base.txt

  4. Lock a base Debian container image hash

    echo "DEBIAN_HASH=48b28b354484a7f0e683e340fa0e6e4c4bce3dc3aa0146fc2f78f443fde2c55d" >> config/global.env

  5. Generate hashlocks files for all toolchain container dependencies

    make toolchain-update

  6. Define your artifact targets

    $(OUT_DIR)/hello: toolchain \
  $(call toolchain,$(USER)," \
    cd $(SRC_DIR)/; \
    gcc hello.c -o $(OUT_DIR)/hello
  ")

  7. Define a release target for your project depending on manifest.txt

    .PHONY: release
release: $(OUT_DIR)/hello $(OUT_DIR)/manifest.txt
	mkdir -p $(RELEASE_DIR)
	cp $(OUT_DIR)/hello $(RELEASE_DIR)/hello
	cp $(OUT_DIR)/release.env $(RELEASE_DIR)/release.env
	cp $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt

    Note that manifest.txt is optional, but it makes for an ideal single file to sign if a release will contain more than one artifact.

Usage

Build a new release

make VERSION=1.0.0rc1 release

Reproduce an existing release

make VERSION=1.0.0rc1 attest

Add and lock a new container dependency

echo "vim-nox" >> config/toolchain/packages-base.txt
make toolchain-update

Run a shell in the toolchain container

make toolchain-shell