Hi all, I was curious if anyone has created any sort of build auditing software for Yocto builds. Our company has an extensive software quality assurance program and we are trying to figure out the best methods to audit our builds.
In the past we have used clearaudit type software. The current home-grown version of our build system on Linux uses inotify to track files touched in our build repositories. We generally try to have file-based audit records that record the file path/version that can be traced to individual releases. We are currently using Mercurial as our revision control system.

Right now it seems like the best solution to this issue would be to create a wrapper that would fetch our software from Mercurial, create a tar file out of it, hand those tar files to Yocto, start an inotify process to watch the build directories Yocto uses, bitbake our image, collect the list of files touched by Yocto, "join" those files with the files that went into the tar files, and then "join" those records against the Mercurial checkout records to obtain changeset information/approval metadata. It would certainly be easier to resolve the revision of the Mercurial repository without individual files-touched information, but knowing which files are actually compiled has been highly useful information in the past. For example, when a CVE is released against package foo for a vulnerability in bar.c, it is reassuring to know that our releases didn't even compile bar.c.

We do peer code reviews/UT along with static code analysis on many versions of each file in our repositories. When we release a product build we have to show to management that each file that went into our released image underwent our QA process. It is definitely a lot of work, but it is necessary for audit/compliance.

Anyone else out there challenged with these types of requirements? How are other companies handling this? Any better methods/solutions people can recommend? Thanks for your help!

Barry
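The three-way "join" Barry describes (files touched during the build, against the tar manifest, against the Mercurial checkout records), written out as an added example that is not part of the original post. The inotify lines, the tar manifest, the Mercurial records and the unpack directory are all constructed sample data; the log format assumes `inotifywait -m -r --format '%w%f %e'` was used to watch the Yocto work directory, and the record shapes are assumptions about what the wrapper would export.

```python
from typing import List, Set, Tuple

# Constructed sample: lines as `inotifywait -m -r --format '%w%f %e' /build/tmp/work`
# would print while bitbake runs (path, then comma-separated event names).
INOTIFY_LOG = """\
/build/tmp/work/foo-1.0/foo-1.0/src/main.c OPEN
/build/tmp/work/foo-1.0/foo-1.0/src/main.c CLOSE_NOWRITE,CLOSE
/build/tmp/work/foo-1.0/foo-1.0/src/util.c OPEN
/build/tmp/work/foo-1.0/foo-1.0/src/main.o CREATE
/build/tmp/work/foo-1.0/foo-1.0/src/main.o CLOSE_WRITE,CLOSE
/build/tmp/work/foo-1.0/foo-1.0/Makefile OPEN
"""
UNPACK_ROOT = "/build/tmp/work/foo-1.0/"   # assumed: where Yocto unpacked foo-1.0.tar

# Constructed: tar member -> path inside the Mercurial repo (recorded when the tar was made).
TAR_MANIFEST = {
    "foo-1.0/src/main.c": "src/main.c",
    "foo-1.0/src/util.c": "src/util.c",
    "foo-1.0/src/bar.c":  "src/bar.c",
    "foo-1.0/Makefile":   "Makefile",
}
# Constructed: repo path -> (changeset id, QA approval reference) exported at checkout time.
HG_RECORDS = {
    "src/main.c": ("3f2a9c1d4e5b", "QA-101"),
    "src/util.c": ("3f2a9c1d4e5b", "QA-101"),
    "src/bar.c":  ("9e8d7c6b5a40", "QA-077"),
    "Makefile":   ("3f2a9c1d4e5b", "QA-101"),
}
# Events that show the build *read* a file; CREATE/CLOSE_WRITE mark build outputs, not inputs.
READ_EVENTS = {"OPEN", "ACCESS", "CLOSE_NOWRITE"}

def parse_touched(log: str, unpack_root: str) -> Set[str]:
    """Return tar-member paths of every file the build read under unpack_root."""
    touched = set()
    for line in log.splitlines():
        path, _, events = line.rpartition(" ")
        if path.startswith(unpack_root) and set(events.split(",")) & READ_EVENTS:
            touched.add(path[len(unpack_root):])
    return touched

def audit_records(touched, tar_manifest, hg_records) -> List[Tuple[str, str, str, str]]:
    """Join touched member -> repo path -> (changeset, approval): one record per compiled file."""
    records = []
    for member in sorted(touched.intersection(tar_manifest)):
        repo_path = tar_manifest[member]
        changeset, approval = hg_records[repo_path]
        records.append((member, repo_path, changeset, approval))
    return records

def untouched_sources(touched, tar_manifest) -> Set[str]:
    """Files shipped in the tar that the build never read (e.g. bar.c when a CVE names it)."""
    return set(tar_manifest) - touched
```

Build outputs such as main.o drop out of the join automatically because they have no tar-manifest entry, while bar.c surfaces in `untouched_sources`, which is the evidence the post wants when a CVE is filed against a file the release never compiled.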