[tbb-commits] [Git][tpo/applications/tor-browser-build][main] Bug 40102: Use Debian Stretch for Linux builds

boklm (@boklm) git at gitlab.torproject.org
Tue Jun 27 14:54:38 UTC 2023



boklm pushed to branch main at The Tor Project / Applications / tor-browser-build


Commits:
c606a927 by Nicolas Vigier at 2023-06-27T16:53:41+02:00
Bug 40102: Use Debian Stretch for Linux builds

- - - - -


18 changed files:

- projects/binutils/build
- projects/binutils/config
- − projects/bison/build
- − projects/bison/config
- projects/cmake/build
- projects/container-image/config
- projects/firefox/build
- projects/firefox/config
- projects/firefox/mozconfig
- projects/gcc/build
- projects/gcc/config
- − projects/mmdebstrap-image/apt-key-allow-expired-key.patch
- projects/mmdebstrap-image/config
- projects/ninja/build
- projects/rust/build
- projects/sqlcipher/build
- projects/stemns/build
- rbm.conf


Changes:

=====================================
projects/binutils/build
=====================================
@@ -2,17 +2,7 @@
 [% c("var/set_default_env") -%]
 mkdir /var/tmp/dist
 distdir=/var/tmp/dist/binutils
-[% IF c("var/linux") %]
-  # Config options for hardening-wrapper
-  export DEB_BUILD_HARDENING=1
-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-  export DEB_BUILD_HARDENING_FORTIFY=1
-  export DEB_BUILD_HARDENING_FORMAT=1
-  export DEB_BUILD_HARDENING_PIE=1
-
-  tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]
-  export PATH=/var/tmp/dist/bison/bin:$PATH
-[% END %]
+[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
 
 tar xf [% project %]-[% c("version") %].tar.xz
 cd [% project %]-[% c("version") %]
@@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %]
 make -j[% c("num_procs") %] MAKEINFO=true
 make install MAKEINFO=true
 
-# gold is disabled for linux-cross, because of
-# https://sourceware.org/bugzilla/show_bug.cgi?id=14995
-# Once we upgrade to glibc 2.26, we might be able to enable gold for
-# linux-cross.
-[% IF c("var/linux") && ! c("var/linux-cross") %]
-  # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.
-  cd $distdir/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-[% END %]
-
 cd /var/tmp/dist
 [% c('tar', {
         tar_src => [ project ],
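Review bot: Deleting the `ln -sf ld.gold ld` block also makes ld.bfd the default `ld` of this binutils again (gold was being symlinked over it), unless the configure invocation earlier in the file, outside this hunk, passes `--enable-gold=default`; the removed comment tied gold to full RELRO (#13031), so the linker switch should be a recorded decision rather than a side effect. Full RELRO now depends on each link receiving `-Wl,-z,relro -Wl,-z,now` via LDFLAGS (dpkg-buildflags' `+relro,+bindnow` in rbm.conf, and the explicit export in the firefox mozconfig), which ld.bfd honours. I would leave a line here saying so, e.g. `# ld is ld.bfd; full RELRO comes from -Wl,-z,relro -Wl,-z,now in LDFLAGS, not from a wrapper`, and confirm on the built tor and libxul.so with `readelf -lW` (GNU_RELRO segment) and `readelf -d` (BIND_NOW).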


=====================================
projects/binutils/config
=====================================
@@ -22,7 +22,3 @@ input_files:
     file_gpg_id: 1
     gpg_keyring: binutils.gpg
   - project: container-image
-  - project: bison
-    name: bison
-    # We try to use system's bison, but Jessie's is too old
-    enable: '[% c("var/linux") %]'


=====================================
projects/bison/build deleted
=====================================
@@ -1,13 +0,0 @@
-#!/bin/bash
-[% c("var/set_default_env") -%]
-distdir=/var/tmp/dist/bison
-tar xf [% project %]-[% c("version") %].tar.xz
-cd [% project %]-[% c("version") %]
-./configure --prefix=$distdir
-make -j[% c("num_procs") %]
-make install
-cd /var/tmp/dist
-[% c('tar', {
-        tar_src => [ project ],
-        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
-        }) %]


=====================================
projects/bison/config deleted
=====================================
@@ -1,10 +0,0 @@
-# vim: filetype=yaml sw=2
-version: 3.8.2
-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-container:
-  use_container: 1
-
-input_files:
-  - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz
-    sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2
-  - project: container-image


=====================================
projects/cmake/build
=====================================
@@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %]
   [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),
                               hardened_gcc => 0 }) %]
 [% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 cd /var/tmp/build/[% project %]-[% c('version') %]
 ./bootstrap --prefix=$distdir


=====================================
projects/container-image/config
=====================================
@@ -11,8 +11,8 @@ var:
 
 lsb_release:
   id: Debian
-  codename: jessie
-  release: 8.11
+  codename: stretch
+  release: 9.13
 
 targets:
   no_containers:
@@ -33,18 +33,13 @@ pre: |
   # version of required packages.
   apt-get update -y -q
   [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]
-  [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
-  [% IF c("var/linux-cross") -%]
-    dpkg --add-architecture [% c("var/arch_debian") %]
-  [% END -%]
-  [% IF c("var/container/suite") == "jessie" -%]
-    # We need to use faketime to run `apt-get update` on jessie, because of
-    # expired key. See tor-browser-build#40693
-    dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb
-  [% END -%]
-  # Update the package cache again because `pre_pkginst` may change the
-  # package manager configuration.
-  [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q
+    [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
+    [% IF c("var/linux-cross") -%]
+      dpkg --add-architecture [% c("var/arch_debian") %]
+    [% END -%]
+    # Update the package cache again because `pre_pkginst` may change the
+    # package manager configuration.
+    apt-get update -y -q
   [% END -%]
   apt-get upgrade -y -q
   [%
@@ -87,9 +82,3 @@ input_files:
   - project: mmdebstrap-image
     target:
       - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb
-    sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213
-    enable: '[% c("var/container/suite") == "jessie" %]'
-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb
-    sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4
-    enable: '[% c("var/container/suite") == "jessie" %]'


=====================================
projects/firefox/build
=====================================
@@ -1,6 +1,9 @@
 #!/bin/bash
 [% c("var/set_default_env") -%]
-[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+[% pc(c('var/compiler'), 'var/setup', {
+        compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
+        hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags
+      }) %]
 distdir=/var/tmp/dist/[% project %]
 mkdir -p /var/tmp/build
 mkdir -p [% dest_dir _ '/' _ c('filename') %]
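Review bot: The comment on `hardened_gcc => 0` says firefox sets the hardened flags itself, but with hardened_gcc off the dpkg-buildflags export (stack protector, FORTIFY, format-security, PIE, RELRO) from gcc's `var/setup` no longer applies, and the only hardening this commit adds on the firefox side is the full-RELRO LDFLAGS in mozconfig. If the remaining flags come from Firefox's own configure hardening option in mozconfig, name it so the claim can be checked: `hardened_gcc => 0, # firefox's configure supplies stack-protector/FORTIFY/PIE itself; mozconfig adds -z relro -z now`. A post-build `hardening-check` (or `checksec`) on libxul.so and the firefox binary would make this comment something the build verifies instead of asserts.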


=====================================
projects/firefox/config
=====================================
@@ -96,7 +96,6 @@ targets:
         - libgtk-3-dev
         - libdbus-glib-1-dev
         - libxt-dev
-        - hardening-wrapper
         # To pass configure since ESR 31
         - libpulse-dev
         # To pass configure since ESR 52
@@ -116,7 +115,6 @@ targets:
         - libgtk-3-dev:i386
         - libdbus-glib-1-dev:i386
         - libxt-dev:i386
-        - hardening-wrapper
         # To pass configure since ESR 31
         - libpulse-dev:i386
         # To pass configure since ESR 52


=====================================
projects/firefox/mozconfig
=====================================
@@ -10,6 +10,9 @@
   HOST_CXX=$CXX
 
   export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'
+
+  # set LDFLAGS for Full RELRO
+  export LDFLAGS="-Wl,-z,relro -Wl,-z,now"
 [% END -%]
 
 [% IF c("var/windows") -%]
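Review bot: `export LDFLAGS="-Wl,-z,relro -Wl,-z,now"` overwrites any LDFLAGS already exported into this environment rather than extending it, so a later change that sets linker flags before mozconfig is read (re-enabling hardened_gcc for this project, for instance, whose dpkg-buildflags export includes LDFLAGS) would be silently dropped here. Appending is as short and loses nothing: `export LDFLAGS="${LDFLAGS:+$LDFLAGS }-Wl,-z,relro -Wl,-z,now"`. The `[% IF … %]` that scopes this block opens before the hunk, so which targets actually receive these flags is not visible from here.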


=====================================
projects/gcc/build
=====================================
@@ -1,23 +1,23 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
-[% IF c("var/linux") -%]
-  # Config options for hardening-wrapper
+mkdir -p /var/tmp/build
+[% IF c("var/linux") && ! c("var/linux-cross") -%]
+  # Config options for hardening
   export DEB_BUILD_HARDENING=1
-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-  export DEB_BUILD_HARDENING_FORTIFY=1
   # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.
   # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not
   # doing so would make precompiled headers (PCH) fail.
   # It is okay for us to omit this right now as it does not change any hardening
   # flags in the resulting bundles.
-  export DEB_BUILD_HARDENING_PIE=0
+  #
   # We need to disable `-Werror=format-security` as GCC does not build with it
   # anymore. It seems it got audited for those problems already:
   # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
-  export DEB_BUILD_HARDENING_FORMAT=0
+  export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format
+  eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
+  export OPT_LDFLAGS="$LDFLAGS"
 [% END -%]
 distdir=/var/tmp/dist/[% c("var/distdir") %]
-mkdir /var/tmp/build
 
 [% IF c("var/linux-cross") -%]
 
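Review bot: `export DEB_BUILD_HARDENING=1`, kept right above the new `DEB_BUILD_OPTIONS` export, is as far as I can tell a hardening-wrapper variable, and this commit removes hardening-wrapper from every deps list; dpkg-buildflags reads its feature list from `DEB_BUILD_OPTIONS`/`DEB_BUILD_MAINT_OPTIONS`, so the line now suggests a knob that no longer does anything. Drop it, or mark it `# no-op since hardening-wrapper was dropped; kept because …` with the reason. The tightened condition `c("var/linux") && ! c("var/linux-cross")` also stops applying any hardening environment to the linux-cross gcc build, which the old `IF c("var/linux")` covered, and nothing in the hunk says why — a one-line comment on the exclusion would save the next reader from guessing. The `-pie` entry is consistent with the comment about building gcc with `-fno-PIE`/`-no-pie`, which is what stretch's dpkg-buildflags emits for `-pie` on amd64 as I recall it.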


=====================================
projects/gcc/config
=====================================
@@ -18,26 +18,7 @@ var:
     [% IF ! c("var/linux-cross") -%]
       export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32
     [% END -%]
-
-    [% IF c("hardened_gcc") -%]
-      # Config options for hardening-wrapper
-      export DEB_BUILD_HARDENING=1
-      export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-      export DEB_BUILD_HARDENING_FORTIFY=1
-      export DEB_BUILD_HARDENING_FORMAT=1
-      export DEB_BUILD_HARDENING_PIE=1
-
-      # Make sure we use the hardening wrapper
-      pushd /var/tmp/dist/[% c("var/distdir") %]/bin
-      cp /usr/bin/hardened-cc ./
-      mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real
-      mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real
-      mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real
-      ln -sf hardened-cc [% c("var/target_prefix") %]gcc
-      ln -sf hardened-cc [% c("var/target_prefix") %]c++
-      ln -sf hardened-cc [% c("var/target_prefix") %]g++
-      popd
-    [% END -%]
+    [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
 
 targets:
   windows:
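Review bot: Swapping the `hardened-cc` wrapper for `GET c("var/set_hardened_build_flags")` changes the hardening model without saying so: the wrapper injected the flags into every gcc/g++ invocation, whereas dpkg-buildflags only exports CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS into the environment, so a project whose build system ignores or overwrites those variables now silently loses stack protector, FORTIFY, PIE and RELRO. `var/set_hardened_build_flags` is also defined only under the linux target in rbm.conf, so `hardened_gcc => 1` on any other target expands to nothing, without an error. I would put `# hardening now depends on each project's build honouring CFLAGS/LDFLAGS from dpkg-buildflags (rbm.conf set_hardened_build_flags); check the produced binaries` above the new line, and add a post-build `hardening-check` on the shipped ELF files, which is the only check that catches a build system dropping the flags.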
@@ -51,7 +32,6 @@ targets:
     var:
       configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
       arch_deps:
-        - hardening-wrapper
         - libc6-dev-i386
   linux-cross:
     var:
@@ -64,7 +44,6 @@ targets:
       glibc_version: 2.26
       linux_version: 4.10.1
       arch_deps:
-        - hardening-wrapper
         - libc6-dev-i386
         - gawk
   linux-arm:


=====================================
projects/mmdebstrap-image/apt-key-allow-expired-key.patch deleted
=====================================
@@ -1,23 +0,0 @@
---- o/apt-key	2022-11-30 14:57:12.742026261 +0000
-+++ n/apt-key	2022-12-01 08:38:08.170140893 +0000
-@@ -815,11 +815,18 @@
- 	    create_gpg_home
- 	fi
- 	setup_merged_keyring
-+	tmpfile=$(mktemp)
-+	set +e
- 	if [ -n "$FORCED_KEYRING" ]; then
--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")
- 	else
--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")
- 	fi
-+	err=$?
-+	set -e
-+	cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}
-+	rm -f "$tmpfile"
-+	exit $err
- 	;;
-     help)
-         usage


=====================================
projects/mmdebstrap-image/config
=====================================
@@ -6,7 +6,7 @@ container:
   use_container: 1
 
 var:
-  ubuntu_version: 22.04.1
+  ubuntu_version: 22.04.2
 
 pre: |
   #!/bin/sh
@@ -16,14 +16,6 @@ pre: |
   apt-get update -y -q
   apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
 
-  [% IF c("var/container/suite") == "jessie" -%]
-    apt-get install -y -q patch
-    cd /usr/bin
-    # The gpg key for jessie is expired. We patch apt-key to accept expired keys.
-    patch -p1 < $rootdir/apt-key-allow-expired-key.patch
-    cd $rootdir
-  [% END -%]
-
   export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
   tar -xf [% c('input_files_by_name/mmdebstrap') %]
   ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
@@ -39,16 +31,16 @@ pre: |
   mv output.tar.gz [% dest_dir %]/[% c("filename") %]
 
 targets:
-  jessie-amd64:
+  stretch-amd64:
     var:
-      minimal_apt_version: 1.0.9.8.6
-
+      minimal_apt_version: 1.4.11
       container:
-        suite: jessie
+        suite: stretch
         arch: amd64
         debian_mirror: >
-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"
-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"
+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"
+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"
+
 
   bullseye-amd64:
     var:
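Review bot: The new `stretch-amd64` target pulls from archive.debian.org, which only carries end-of-life suites, and nothing on these lines records that stretch gets no further security fixes — so the `apt-get upgrade` that container-image runs against this mirror cannot patch anything, which a reader may not expect. Switching `signed-by` to `debian-archive-keyring.gpg` is the right replacement for the removed-keys ring, provided the `debian-archive-keyring` package installed on the Ubuntu 22.04 host still ships the stretch archive keys; that is worth stating, since the failure mode is an apt signature error deep inside mmdebstrap. I would add `# stretch is EOL: archive.debian.org is frozen, this container receives no security updates` above `minimal_apt_version`.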
@@ -62,6 +54,4 @@ input_files:
     name: mmdebstrap
   - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
     filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
-    sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4
-  - filename: apt-key-allow-expired-key.patch
-    enable: '[% c("var/container/suite") == "jessie" %]'
+    sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d


=====================================
projects/ninja/build
=====================================
@@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %]
 [% IF c("var/linux") -%]
   [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]
 [% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 cd /var/tmp/build/[% project %]-[% c('version') %]
 


=====================================
projects/rust/build
=====================================
@@ -50,7 +50,7 @@ EOF
 [% END %]
 
 cd $rootdir
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf  [% c('input_files_by_name/rust') %]
 cd /var/tmp/build/rustc-[% c('version') %]-src
 


=====================================
projects/sqlcipher/build
=====================================
@@ -3,7 +3,7 @@
 [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
 distdir=/var/tmp/dist/sqlcipher
 builddir=/var/tmp/build/[% project %]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
 
 [% IF ! c("var/sqlcipher-linux-x86_64") -%]


=====================================
projects/stemns/build
=====================================
@@ -1,8 +1,8 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
 distdir=/var/tmp/dist/StemNS
-mkdir /var/tmp/build
-mkdir /var/tmp/dist
+mkdir -p /var/tmp/build
+mkdir -p /var/tmp/dist
 
 # Extract StemNS
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz


=====================================
rbm.conf
=====================================
@@ -491,7 +491,7 @@ targets:
       # Temporarily disabled until we have a fix for tor-browser-build#40845
       #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'
       container:
-        suite: jessie
+        suite: stretch
         arch: amd64
       pre_pkginst: dpkg --add-architecture i386
       deps:
@@ -503,13 +503,18 @@ targets:
         - build-essential
         - python
         - bison
-        - hardening-wrapper
         - automake
         - libtool
         - zip
         - unzip
         - xz-utils
         - patch
+        - less
+      set_hardened_build_flags: |
+        export DEB_BUILD_HARDENING=1
+        export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'
+        mkdir -p /var/tmp/build
+        eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
   linux-asan:
     var:
       asan: 1
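Review bot: `+pie` in `set_hardened_build_flags` may not yield any `-fPIE`/`-pie` on stretch: as I recall dpkg-buildflags' vendor logic there, amd64 is on the list of architectures whose system gcc defaults to PIE, so `+pie` emits no flags (only `-pie` emits `-fno-PIE -no-pie`, which is what projects/gcc/build relies on). The compiler that consumes these flags is the self-built /var/tmp/dist/gcc, and nothing in this commit shows it configured with `--enable-default-pie`, so hardened_gcc projects could end up as non-PIE executables. Please check inside the container that `dpkg-buildflags --get CFLAGS` contains `-fPIE` and `--get LDFLAGS` contains `-pie`; if not, append them in this snippet, e.g. `export CFLAGS="$CFLAGS -fPIE" CXXFLAGS="$CXXFLAGS -fPIE" LDFLAGS="$LDFLAGS -pie"`, or configure gcc with `--enable-default-pie`. Separately, `DEB_BUILD_HARDENING=1` is a hardening-wrapper variable that dpkg-buildflags does not read, and `less` joins the deps without a comment saying what needs it.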



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/c606a927d30e1cb74c8c5f752fdb8b3a57113d7c
