
Montavista


MVL6 Tricks, Part #1

May 22nd, 2009

So what do you do when you get a new toy? You race around trying out all of the fun stuff you can do with it, of course. It is no different with me now that MVL6 is in beta and being used by developers.

As previously mentioned, the integration platform capability of MVL6 is a big new feature. My last post mentioned many of the benefits, including more easily reproducible builds and clear traceability of all build inputs to the outputs. A simplified diagram of the system looks like this:

[Figure: build.png]

The entire process is controlled by recipes and there is full transparency and traceability between source and metadata inputs and the build products that are produced. What kind of build products are there? Quite a few, in fact.

  • Prebuilt filesystems that can be deployed to targets
  • Packages in a variety of formats that can be used for deployed device upgrades
  • Various manifest files describing what was placed in the built images
  • Original source archives and patches suitable for distribution to satisfy various licensing obligations

As an example, after doing a quick test build of the busybox and less software packages you can see the source code ready for distribution:

$ ls tmp/deploy/sources/*/
tmp/deploy/sources/BSD/:
less-418.tar.gz  less-418.tar.gz.md5

tmp/deploy/sources/GPL/:
busybox-1.13.2-depmod.patch      busybox-1.13.2-modprobe.patch
busybox-1.13.2-depmod.patch.md5  busybox-1.13.2-modprobe.patch.md5
busybox-1.13.2-init.patch        busybox-1.13.2.tar.gz
busybox-1.13.2-init.patch.md5    busybox-1.13.2.tar.gz.md5
busybox-1.13.2-mdev.patch        busybox-1.13.2-tar.patch
busybox-1.13.2-mdev.patch.md5    busybox-1.13.2-tar.patch.md5

Is that source tarball actually the real original unmodified source from the upstream project? Let’s check and see by verifying the cryptographic signatures:

$ cp tmp/deploy/sources/BSD/less-418.tar.gz ./
$ wget ftp://ftp.gnu.org/gnu/less/less-418.tar.gz.sig
$ gpg -v less-418.tar.gz.sig
gpg: assuming signed data in `less-418.tar.gz'
gpg: Signature made Tue 08 Jan 2008 05:18:56 PM EST using DSA key ID 33235259
gpg: requesting key 33235259 from hkp server subkeys.pgp.net
gpg: armor header: Version: SKS 1.0.9
gpg: pub  1024D/33235259 2004-12-04  Mark Nudelman <markn@greenwoodsoftware.com>
gpg: using classic trust model
gpg: key 33235259: public key "Mark Nudelman <markn@greenwoodsoftware.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Mark Nudelman <markn@greenwoodsoftware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AE27 252B D684 6E7D 6EAE  1DD6 F153 A7C8 3323 5259
gpg: binary signature, digest algorithm SHA1

That looks good. How about busybox?

$ cp tmp/deploy/sources/GPL/busybox-1.13.2.tar.bz2 ./
$ wget http://www.busybox.net/downloads/busybox-1.13.2.tar.bz2.sign
$ gpg -v busybox-1.13.2.tar.bz2.sign
gpg: armor header: Hash: SHA1
gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
gpg: original file name=''
gpg: Signature made Tue 30 Dec 2008 10:37:37 PM EST using DSA key ID ACC9965B
gpg: requesting key ACC9965B from hkp server subkeys.pgp.net
gpg: armor header: Version: SKS 1.0.9
gpg: pub  1024D/ACC9965B 2006-12-12  Denis Vlasenko <vda.linux@googlemail.com>
gpg: using classic trust model
gpg: key ACC9965B: public key "Denis Vlasenko <vda.linux@googlemail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Denis Vlasenko <vda.linux@googlemail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C9E9 416F 76E6 10DB D09D  040F 47B7 0C55 ACC9 965B
gpg: textmode signature, digest algorithm SHA1

That checks out, too.
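In both sessions above gpg fetched the key from a keyserver by its 8-digit key ID and warned that the key is not certified, so "Good signature" only shows that the file matches whichever key was imported. The following is an added example, not part of the original post or of MVL6: it accepts a signature only when gpg's `--status-fd` output names a pinned full fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
# Added example: require VALIDSIG from a pinned full fingerprint.

# Strip spaces and upper-case a fingerprint as gpg prints it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status PINNED_FPR: read `gpg --status-fd` lines on stdin. Succeeds only
# if every VALIDSIG names the pinned primary key and no failure status is seen.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # field 12 is the primary key
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_pinned FILE SIG PINNED_FPR: run gpg and judge its status output.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$3"
}

# Constructed status lines (not captured output). The fingerprint is the
# one printed in the less-418 session above.
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG F153A7C833235259 Mark Nudelman <markn@greenwoodsoftware.com>
[GNUPG:] VALIDSIG AE27252BD6846E7D6EAE1DD6F153A7C833235259 2008-01-08 1199830736 0 3 0 17 2 00 AE27252BD6846E7D6EAE1DD6F153A7C833235259
EOF
}

# Constructed: a different key whose short ID is also 33235259.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF33235259 Mark Nudelman <markn@greenwoodsoftware.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF33235259 2008-01-08 1199830736 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF33235259
EOF
}

PINNED="AE27 252B D684 6E7D 6EAE  1DD6 F153 A7C8 3323 5259"
sample_good | check_status "$PINNED" && echo "pinned key: accepted"
sample_lookalike | check_status "$PINNED" || echo "lookalike key: rejected"
```

The pinned fingerprint has to come from a channel other than the keyserver fetch itself, otherwise the check only confirms what gpg already imported.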

Now your developers and management can be assured that when it comes time to satisfy any license obligations, you have an easy and repeatable process for ensuring that the sources corresponding to distributed binaries are at hand.


©2010 MontaVista Software, LLC. All Rights Reserved