Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] The git status is dirty for releases #652

Open
naveensrinivasan opened this issue Jul 31, 2022 · 6 comments
Open

[bug] The git status is dirty for releases #652

naveensrinivasan opened this issue Jul 31, 2022 · 6 comments
Labels
area:container Issue with the generic container generator area:generate-builder Issue related to the generate-builder action area:generic Issue with the generic generator area:go Issue related to the Go ecosystem status:help wanted Extra attention is needed type:bug Something isn't working

Comments

@naveensrinivasan
Copy link
Collaborator

naveensrinivasan commented Jul 31, 2022
edited
Loading

Describe the bug
With go 1.18 the build info https://pkg.go.dev/debug/buildinfo@master is embedded within the binary.

I used this example source code to investigate the buildinfo

package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

func main() {
	file := os.Args[1]
	x, err := buildinfo.ReadFile(file)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, v := range x.Settings {
		fmt.Println(v)
	}
}

I downloaded the binaries from GitHub releases and passed them to the above example code. This is version v1.2.0

Here is the output

go run main.go ~/Downloads/slsa-builder-go-linux-amd64
{-compiler gc}
{-ldflags -s -w}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision bdd89e60dc5387d8f819bebc702987956bcd4913}
{vcs.time 2022-07-19T18:02:42Z}
{vcs.modified true}
go run main.go ~/Downloads/slsa-generator-generic-linux-amd64
{-compiler gc}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision bdd89e60dc5387d8f819bebc702987956bcd4913}
{vcs.time 2022-07-19T18:02:42Z}
{vcs.modified true}

I thought this was probably an issue with the latest build. So I tried with the previous release and realized it is the same.This is version v1.1.1

go run main.go ~/Downloads/slsa-builder-go-linux-amd64-2
{-compiler gc}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision d995948e8d53cc639c0d3ef69db31dbc243519c4}
{vcs.time 2022-06-20T21:41:41Z}
{vcs.modified true}

Actual output is

{vcs.modified true}

Expected output to be

This {vcs.modified false} should be false.
@naveensrinivasan naveensrinivasan added type:bug Something isn't working status:triage Issue that has not been triaged labels Jul 31, 2022
@naveensrinivasan naveensrinivasan changed the title [bug] Builds are build with reproducible because vcs.modified during build [bug] The git status is dirty for releases Jul 31, 2022
@laurentsimon
Copy link
Collaborator

laurentsimon commented Aug 1, 2022
edited
Loading

Is it because we run go mod vendor?

@ianlewis
Copy link
Member

ianlewis commented Aug 2, 2022

Yeah I was wondering that too, but vendor/ is in the .gitignore so it shouldn't contribute to the dirty state.

slsa-github-generator/.gitignore

Line 15 in 98d91d1

vendor/

I can't think of an obvious reason why this is happening.

@ianlewis ianlewis added area:generate-builder Issue related to the generate-builder action area:go Issue related to the Go ecosystem and removed status:triage Issue that has not been triaged labels Aug 2, 2022
@ianlewis
Copy link
Member

ianlewis commented Aug 2, 2022

@naveensrinivasan BTW you can print the build info without writing a program like follows

$ go mod vendor
$ go build -mod=vendor -o generic ./internal/builders/generic/
$ go version -m generic
generic: go1.18
...
        build   vcs=git
        build   vcs.revision=98d91d15f44c7d0d34ab643356cc5adcdf4f64e2
        build   vcs.time=2022-08-02T07:58:33Z
        build   vcs.modified=false

@naveensrinivasan
Copy link
Collaborator Author

@naveensrinivasan BTW you can print the build info without writing a program like follows

$ go mod vendor
$ go build -mod=vendor -o generic ./internal/builders/generic/
$ go version -m generic
generic: go1.18
...
        build   vcs=git
        build   vcs.revision=98d91d15f44c7d0d34ab643356cc5adcdf4f64e2
        build   vcs.time=2022-08-02T07:58:33Z
        build   vcs.modified=false

Thanks! Good to know!

@ianlewis
Copy link
Member

ianlewis commented Aug 3, 2022

This is also an issue for the generic generator

$ go version -m slsa-generator-generic-linux-amd64 | grep vcs
        build   vcs=git
        build   vcs.revision=bdd89e60dc5387d8f819bebc702987956bcd4913
        build   vcs.time=2022-07-19T18:02:42Z
        build   vcs.modified=true

@ianlewis ianlewis added area:generic Issue with the generic generator area:container Issue with the generic container generator labels Aug 3, 2022
@ianlewis ianlewis added this to the 2022 Stability improvements milestone Sep 13, 2022
@ianlewis ianlewis removed this from the 2022 Stability improvements milestone Jan 12, 2023
@ianlewis ianlewis added the status:help wanted Extra attention is needed label Apr 4, 2023
@ianlewis
Copy link
Member

BTW, this also affects user repos since we run go mod vendor users need to add vendor to their .gitignore to avoid this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:container Issue with the generic container generator area:generate-builder Issue related to the generate-builder action area:generic Issue with the generic generator area:go Issue related to the Go ecosystem status:help wanted Extra attention is needed type:bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ianlewis @naveensrinivasan @laurentsimon