
[1/3] Makefile: add tainting support

Message ID 20231103182745.903344-2-adam.duskett@amarulasolutions.com
State Rejected, archived

Commit Message

Adam Duskett Nov. 3, 2023, 6:27 p.m. UTC
Packages that may harm the build reproducibility or licensing of a build
should declare the ${PKG_NAME}_TAINTS variable. If a package taints the build,
add its name to a list of tainting packages. The build ends with a warning
message if the tainting packages list is not empty. Moreover, legal info will
show a warning in the presence of a tainting package.

However, as pointed out by Yann, a user may be using a local repository for
their packages (e.g., NPM). Below are three examples:

BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="http://myserver/node-mods/VERSION/foo"
  - The user manages the repository and guarantees that it is reproducible.

BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="$(BR2_EXTERANL_MY_TREE_PATH)/mods/foo"
  - Reproducible by way of being in a git-versioned br2-external tree.

BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL="foo@1.2.3"
  - Reproducible because the version is specified.

As there is no way of reading a user's mind, we introduce a new option:
BR2_DISABLE_TAINT_CHECKING, which does what the option name suggests: The
option allows a user to explicitly turn off taint checking if they want to do
so.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 Config.in              |  9 +++++++++
 Makefile               | 17 +++++++++++++++++
 package/pkg-generic.mk | 19 +++++++++++++++++++
 3 files changed, 45 insertions(+)


diff --git a/Config.in b/Config.in
index 556b6c2575..3fc2d67bd9 100644
--- a/Config.in
+++ b/Config.in
@@ -685,6 +685,15 @@  config BR2_GLOBAL_PATCH_DIR
 
 menu "Advanced"
 
+config BR2_DISABLE_TAINT_CHECKING
+	bool "Disable taint checking"
+	help
+	  By default, selecting and using package managers such as NPM sets
+	  the tainted build flag and display a warning message; however, if
+	  you are confident that what you are building is from a trusted
+	  source, such as a local package repository, then this option
+	  disables taint checking.
+
 config BR2_FORCE_HOST_BUILD
 	bool "Force the building of host dependencies"
 	help
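Review bot: The help text of BR2_DISABLE_TAINT_CHECKING has a grammar slip and understates what the option switches off: `sets the tainted build flag and display a warning message` should read `sets the tainted-build flag and displays a warning message`. The Makefile and package/pkg-generic.mk hunks of this patch also skip the legal-info warning and the end-of-build warning when the option is set, so the help should mention that, for example by appending `This also suppresses the related warning emitted by legal-info.`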
diff --git a/Makefile b/Makefile
index 3e85d5ef09..053924c7c8 100644
--- a/Makefile
+++ b/Makefile
@@ -807,6 +807,18 @@  endif # merged /usr
 
 	touch $(TARGET_DIR)/usr
 
+.PHONY: check-tainted
+check-tainted:
+ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)
+ifneq ($(BR2_TAINTED_BY),)
+	@echo "Your buildroot configuration is tainted by: $(BR2_TAINTED_BY)"
+else
+	@echo "Your buildroot configuration is not tainted"
+endif
+else
+	@echo "Taint checking disabled"
+endif
+
 # Note: this will run in the filesystem context, so will use a copy
 # of target/, not the real one, so the files are still available on
 # re-builds (foo-rebuild, etc...)
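Review bot: `check-tainted` only echoes and always exits 0, so a script or CI job calling it cannot tell a tainted configuration from a clean one; if it is meant as a check, the tainted branch should fail, e.g. `@echo "Your buildroot configuration is tainted by: $(BR2_TAINTED_BY)"; exit 1`, otherwise the help line added in the later hunk should say it only reports. The nested `ifneq`/`else` blocks are parse-time Make conditionals that pick which single recipe line survives, which works but deserves a comment above the target such as `# parse-time: BR2_TAINTED_BY is filled in while package .mk files are included`. The outer `ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)` duplicates the guard around the `BR2_TAINTED_BY+=` append in pkg-generic.mk, so the variable is already empty when the option is set; the duplication is harmless but exists only to print a distinct message, which the comment should state.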
@@ -822,6 +834,10 @@  target-post-image: $(TARGETS_ROOTFS) target-finalize staging-finalize
 	@$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_IMAGE_SCRIPT)), \
 		$(call MESSAGE,"Executing post-image script $(s)"); \
 		$(EXTRA_ENV) $(s) $(BINARIES_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep))
+ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)
+	$(if $(BR2_TAINTED_BY), @echo "WARNING: Your buildroot configuration is tainted by: $(BR2_TAINTED_BY)!")
+endif
+
 
 .PHONY: source
 source: $(foreach p,$(PACKAGES),$(p)-all-source)
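Review bot: The warning on the `$(if $(BR2_TAINTED_BY), @echo "WARNING: ...")` line uses a different wording than `check-tainted` in the previous hunk ("WARNING: Your buildroot configuration is tainted by: X!" versus "Your buildroot configuration is tainted by: X"), so the same condition yields two messages for users and scripts to look for; consider a single `define`d message used by both, and ending the echo with `>&2` so the warning is not buried in a long build log. The hunk also leaves two blank lines before `.PHONY: source`. The target-post-image recipe starts outside the hunk.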
@@ -1188,6 +1204,7 @@  help:
 	@echo '  source                 - download all sources needed for offline-build'
 	@echo '  external-deps          - list external packages used'
 	@echo '  legal-info             - generate info about license compliance'
+	@echo '  check-tainted          - check if any selected package harms build reproducibility or licensing'
 	@echo '  show-info              - generate info about packages, as a JSON blurb'
 	@echo '  pkg-stats              - generate info about packages as JSON and HTML'
 	@echo '  printvars              - dump internal variables selected with VARS=...'
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 289fa552b4..7ffb544300 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -1102,6 +1102,17 @@  else
 $(2)_KCONFIG_VAR = BR2_PACKAGE_$(2)
 endif
 
+ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)
+ifdef $(2)_TAINTS
+ifeq ($$($$($(2)_KCONFIG_VAR)),y)
+BR2_TAINTED_BY+=$$($(2)_RAWNAME)
+endif
+ifeq ($$($(2)_TYPE),host)
+$$(error "Host package $(1) has $(2)_TAINTS set: not supported)
+endif
+endif
+endif
+
 # legal-info: declare dependencies and set values used later for the manifest
 ifneq ($$($(2)_LICENSE_FILES),)
 $(2)_MANIFEST_LICENSE_FILES = $$($(2)_LICENSE_FILES)
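Review bot: `$$(error "Host package $(1) has $(2)_TAINTS set: not supported)` has an unbalanced double quote, so the error message starts with a stray `"`; drop it. The same hunk tests the flag with `ifdef $(2)_TAINTS`, which is true for any non-empty value including `NO`, while the legal-info hunk below compares `$$(call qstrip,$$($(2)_TAINTS))` with `YES`, so a package setting `FOO_TAINTS = NO` would be listed in BR2_TAINTED_BY but never warned about in legal-info; both places should use the `YES` comparison. The host-package error is a package-definition mistake rather than a configuration choice, so it should sit outside the `ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)` guard; as written, a broken package definition only surfaces for users who have not disabled the checking. This block lives inside the inner-generic-package template, which starts and ends outside the hunk.

```make
# A host package must never declare _TAINTS, whatever the configuration says.
ifeq ($$($(2)_TYPE),host)
ifneq ($$($(2)_TAINTS),)
$$(error Host package $(1) has $(2)_TAINTS set: not supported)
endif
endif
ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)
# Same YES test as the legal-info warning, so both agree on what "taints".
ifeq ($$(call qstrip,$$($(2)_TAINTS)),YES)
ifeq ($$($$($(2)_KCONFIG_VAR)),y)
BR2_TAINTED_BY += $$($(2)_RAWNAME)
endif
endif
endif
```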
@@ -1141,6 +1152,14 @@  else
 	$(Q)$$(foreach F,$$($(2)_LICENSE_FILES),$$(call legal-license-file,$$($(2)_RAWNAME),$$($(2)_BASENAME_RAW),$$($(2)_HASH_FILE),$$(F),$$($(2)_DIR)/$$(F),$$(call UPPERCASE,$(4)))$$(sep))
 endif # license files
 
+ifneq ($(BR2_DISABLE_TAINT_CHECKING),y)
+ifeq ($$(call qstrip,$$($(2)_TAINTS)),YES)
+ifeq ($$($$($(2)_KCONFIG_VAR)),y)
+	$(Q)$$(call legal-warning-pkg,$$($(2)_RAWNAME),unknown license for additional modules or dependencies)
+endif
+endif
+endif
+
 ifeq ($$($(2)_REDISTRIBUTE),YES)
 ifeq ($$($(2)_SITE_METHOD),local)
 # Packages without a tarball: don't save and warn
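Review bot: The legal-info warning text `unknown license for additional modules or dependencies` is the same for every tainting package, but the commit message says tainting covers reproducibility as well as licensing, so for some packages the warning will not describe why the build is tainted; a neutral wording such as `build tainted: additional modules or dependencies with unverified license or provenance` fits both cases, or the `_TAINTS` value could carry the reason. A one-line comment above the block, e.g. `# legal-info: flag packages that pull in dependencies outside Buildroot's control`, would also help, since nothing here says what `_TAINTS` means. The enclosing legal-info rule starts outside the hunk.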