From 8f0f60bfd50c5b2dc05b34c2ddd8d544beaeace9 Mon Sep 17 00:00:00 2001 From: Jared Bents Date: Thu, 19 Jul 2018 09:18:58 -0500 Subject: [PATCH] README: Add description of automated process Update to add description of automated process as a proof of trust for the toolchains hosted by Bootlin. Signed-off-by: Jared Bents --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index aff3588cb6..89d4418fb5 100644 --- a/README.md +++ b/README.md @@ -29,3 +29,19 @@ probably this script your looking for. All these scripts can be called without arguments to get their usage informations. + + +# Hosted Toolchains Build Process + +The automated process for the toolchains hosted at [Bootlin](https://toolchains.bootlin.com/) +begins with git clones of [bootlin toolchains-builder](https://github.com/bootlin/toolchains-builder) +and [bootlin buildroot-toolchains](https://github.com/bootlin/buildroot-toolchains). Once the +repositories are cloned, the tags specified by the CI configuration are checked out and the CI +starts the builds. After the build is completed, a qemu test is run to verify the toolchains. The +toolchains are then archived, the sha256 are posted alongside the tarballs of the toolchains, and +build logs are published. + +The chain of trust can be verified with multiple steps. The sha256 of the tarball can be compared +with the listed sha256. The timestamps of the tarball and sha256 file can be compared. The build +log can be compared with the summary.csv that is included in the tarball to verify the buildroot +version used.