Add targets to create attestation input documents #64
I was thinking more about changing every module makefile to get an explicit list of dependencies. And then use the said list everywhere.
3778f07 to 6ee0d3a
Thanks for the suggestion, indeed it's best not to guess but have a rather rigid dependency as defined per Makefiles. I went ahead and implemented the following:
For now, the attestation code generates space-separated output files. I originally wanted it to be tab-separated, but am having a hard time convincing GNU make to output those. Maybe we'll just stick to space-separated then.
FWIW, decided to stick with the whitespaces (discussed with the security team)
oxpa
left a comment
Beautiful
Even though the PR touches almost every file in the repository - it feels like renaming some variables under contrib and defining dependencies is a welcome change. I don't remember the exact reason but I was curious why it wasn't done initially. We will probably find places to simplify stuff later on. Well done, great job :)
And use them to compute .deps-module-* targets
Proposed changes
This PR adds a few targets which will be used to generate inputs for attestation documents for pkg-oss builds.
Those targets are a dependency of main ones - `base`, `module-%` so packaging scripts will not need to call any new targets to generate them.
Files that are generated (`attest-base` or `attest-module-$modulename`) can be fetched from the build source dir, and concatenated accordingly to produce a full input document for a given build.
Currently implemented for `debian/` to test the idea and gather comments, and if we settle on the implementation, it's trivial to apply the same changes for other distributions, and downstream forks like NGINX Plus packaging.