From dfde9c44afc5badf6ba3c097dc92bb28cda912fb Mon Sep 17 00:00:00 2001
From: Euan Kemp
Date: Sun, 3 Sep 2017 17:17:56 -0700
Subject: [PATCH] app-emulation/docker: build reproducibly

The docker client and engine both include a 'BuildTime' variable set in their build scripts. Overriding that to a consistent value is sufficient for them to build reproducibly as best I can tell. This CLI's build scripts have a mechanism for doing this. The engine has an upstream patch (included starting with 17.07) that allows doing the same. This modifies the build to apply the above build patch, and set a build time for both. It's expected that the build time will be set by the ebuild author each time the ebuild is modified, thus turning the 'build time' output to really be the 'package created time', which I think is a reasonable difference.
---
 ...7.06.1.ebuild => docker-17.06.1-r1.ebuild} | 0
 .../app-emulation/docker/docker-9999.ebuild | 16 +++++++++-
 .../files/allow-override-build-date.patch | 30 +++++++++++++++++++
 .../app-torcx/docker/docker-17.06.ebuild | 2 +-
 4 files changed, 46 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/docker/{docker-17.06.1.ebuild => docker-17.06.1-r1.ebuild} (100%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1-r1.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
index 2b63b648bb..9364c0d7a2 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@@ -20,9 +20,14 @@ else
 MY_PV="$PV-ce"
 fi
 DOCKER_GITCOMMIT="874a737"
+ # Unix timestamp to use for this build. Set to `date +%s` each time an ebuild
+ # is edited.
+ # This is required for a reproducible build
+ DOCKER_BUILD_DATE="1504482497"
 SRC_URI="https://${COREOS_GO_PACKAGE}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 KEYWORDS="amd64 arm64"
 [ "$DOCKER_GITCOMMIT" ] || die "DOCKER_GITCOMMIT must be added manually for each bump!"
+ [ "$DOCKER_BUILD_DATE" ] || die "DOCKER_BUILD_DATE must be added manually for each bump!"
 fi
 inherit bash-completion-r1 coreos-go-depend linux-info systemd udev user
@@ -74,6 +79,10 @@ RESTRICT="installsources strip"
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
+PATCHES=(
+ "${FILESDIR}/allow-override-build-date.patch"
+)
+
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
 ~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
@@ -205,6 +214,7 @@ src_unpack() {
 else
 git-r3_src_unpack
 DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
+ DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 fi
 }
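Review bot: The new guard `[ "$DOCKER_BUILD_DATE" ] || die "DOCKER_BUILD_DATE must be added manually for each bump!"` in the first hunk only rejects an empty string, although the value is consumed later as a Unix epoch by `SOURCE_DATE_EPOCH` and `date -d "@…"`, so a non-integer value (a pasted RFC-3339 date, a stray quote) passes here and only misbehaves at compile time; the enclosing if/else starts outside the hunk. Tightening it to `[[ "$DOCKER_BUILD_DATE" =~ ^[0-9]+$ ]] || die "DOCKER_BUILD_DATE must be a Unix timestamp (date +%s); update it on each bump!"` catches that where the comment already tells the author what to do. The same gap exists in the src_unpack hunk of this file, where `DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")` is never checked, so a failing git invocation silently leaves the live ebuild with an empty value; appending `|| die` there would give the 9999 path the same protection (the adjacent DOCKER_GITCOMMIT line has the same weakness, which the commit does not touch). The header comment could also state the consequence of forgetting the update, e.g. `# A stale value does not break the build; it only makes the reported BuildTime misleading.`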
@@ -248,14 +258,18 @@ src_compile() {
 fi
 # build daemon
- ./hack/make.sh dynbinary || die 'dynbinary failed'
+ SOURCE_DATE_EPOCH="${DOCKER_BUILD_DATE}" ./hack/make.sh dynbinary || die 'dynbinary failed'
 popd || die # components/engine
 pushd components/cli || die
+
+ # Imitating https://github.com/docker/docker-ce/blob/v17.06.1-ce/components/cli/scripts/build/.variables#L7
+ CLI_BUILDTIME="$(date -d "@${DOCKER_BUILD_DATE}" --utc --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')"
 # build cli
 emake \
+ BUILDTIME="${CLI_BUILDTIME}" \
 LDFLAGS="$(usex hardened "-extldflags \"-fno-PIC $LDFLAGS\"" '')" \
 VERSION="$(cat ../../VERSION)" \
 GITCOMMIT="${DOCKER_GITCOMMIT}" \
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch
new file mode 100644
index 0000000000..38e0606779
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch
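Review bot: The `2> /dev/null` on the new `CLI_BUILDTIME` line hides the one failure this hunk should surface: if `date -d "@${DOCKER_BUILD_DATE}"` rejects the value, the substitution yields an empty string and the cli is built with `BUILDTIME=""`, which is neither reproducible nor an error. Validating the input before the dynbinary line and checking the result before `emake` makes that loud: `[[ "${DOCKER_BUILD_DATE}" =~ ^[0-9]+$ ]] || die "DOCKER_BUILD_DATE must be a Unix timestamp"` and `[[ -n "${CLI_BUILDTIME}" ]] || die 'failed to format DOCKER_BUILD_DATE for the cli build'`. The engine side has the same exposure, since the patched make.sh keeps its own `2> /dev/null` behind a `!` and the `${SOURCE_DATE_EPOCH:-$(date +%s)}` fallback only covers an unset or empty variable, not a malformed one, so the regex check also protects the `SOURCE_DATE_EPOCH=… ./hack/make.sh dynbinary` line. src_compile starts and ends outside the hunk.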
@@ -0,0 +1,30 @@
+From 336f19edea1f15d9a96ebee604f160df43653503 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann"
+Date: Wed, 19 Jul 2017 06:17:19 +0200
+Subject: [PATCH] Allow to override build date
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+Signed-off-by: Bernhard M. Wiedemann
+Upstream-commit: 760763e9957840f1983a5006f4e66d6920ec496e
+Component: engine
+---
+ components/engine/hack/make.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
+index b7d59ba94a..7d18d649b5 100755
+--- a/components/engine/hack/make.sh
++++ b/components/engine/hack/make.sh
+@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
+ )
+
+ VERSION=$(< ./VERSION)
+-! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
++! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+ if [ "$DOCKER_GITCOMMIT" ]; then
+ GITCOMMIT="$DOCKER_GITCOMMIT"
+ elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then
diff --git a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
index dfc99014e9..9dbf040ac2 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
@@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
- =app-emulation/docker-17.06.1
+ =app-emulation/docker-17.06.1-r1
 =app-emulation/containerd-0.2.9_p7
 =app-emulation/docker-proxy-0.8.0_p20170410-r1
 =app-emulation/docker-runc-1.0.0_rc3_p53