[tor-commits] [Git][tpo/applications/tor-browser-build][main] Bug 40102: Use Debian Stretch for Linux builds
boklm (@boklm)
git at gitlab.torproject.org
Tue Jun 27 14:54:38 UTC 2023
boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
c606a927 by Nicolas Vigier at 2023-06-27T16:53:41+02:00
Bug 40102: Use Debian Stretch for Linux builds
- - - - -
18 changed files:
- projects/binutils/build
- projects/binutils/config
- − projects/bison/build
- − projects/bison/config
- projects/cmake/build
- projects/container-image/config
- projects/firefox/build
- projects/firefox/config
- projects/firefox/mozconfig
- projects/gcc/build
- projects/gcc/config
- − projects/mmdebstrap-image/apt-key-allow-expired-key.patch
- projects/mmdebstrap-image/config
- projects/ninja/build
- projects/rust/build
- projects/sqlcipher/build
- projects/stemns/build
- rbm.conf
Changes:
=====================================
projects/binutils/build
=====================================
@@ -2,17 +2,7 @@
[% c("var/set_default_env") -%]
mkdir /var/tmp/dist
distdir=/var/tmp/dist/binutils
-[% IF c("var/linux") %]
- # Config options for hardening-wrapper
- export DEB_BUILD_HARDENING=1
- export DEB_BUILD_HARDENING_STACKPROTECTOR=1
- export DEB_BUILD_HARDENING_FORTIFY=1
- export DEB_BUILD_HARDENING_FORMAT=1
- export DEB_BUILD_HARDENING_PIE=1
-
- tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]
- export PATH=/var/tmp/dist/bison/bin:$PATH
-[% END %]
+[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
tar xf [% project %]-[% c("version") %].tar.xz
cd [% project %]-[% c("version") %]
@@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %]
make -j[% c("num_procs") %] MAKEINFO=true
make install MAKEINFO=true
-# gold is disabled for linux-cross, because of
-# https://sourceware.org/bugzilla/show_bug.cgi?id=14995
-# Once we upgrade to glibc 2.26, we might be able to enable gold for
-# linux-cross.
-[% IF c("var/linux") && ! c("var/linux-cross") %]
- # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.
- cd $distdir/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
-[% END %]
-
cd /var/tmp/dist
[% c('tar', {
tar_src => [ project ],
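Review bot: Removing the `ln -sf ld.gold ld` step changes the toolchain's default `ld` from gold to ld.bfd, and the full-RELRO guarantee that the hardened-ld wrapper gave to every consumer of this binutils (#13031) now depends on each project exporting `-Wl,-z,relro -Wl,-z,now` itself. Firefox gets that from its mozconfig in this commit, but any other project linking with this toolchain without honouring the LDFLAGS from var/set_hardened_build_flags would silently lose RELRO/BIND_NOW; those projects are not visible here, so this is worth checking. A comment at the deletion point would record the new arrangement, e.g. `# ld defaults to ld.bfd; RELRO/BIND_NOW are set per project via LDFLAGS (var/set_hardened_build_flags, mozconfig) instead of a wrapped ld.gold`. The build script continues outside the hunk.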
=====================================
projects/binutils/config
=====================================
@@ -22,7 +22,3 @@ input_files:
file_gpg_id: 1
gpg_keyring: binutils.gpg
- project: container-image
- - project: bison
- name: bison
- # We try to use system's bison, but Jessie's is too old
- enable: '[% c("var/linux") %]'
=====================================
projects/bison/build deleted
=====================================
@@ -1,13 +0,0 @@
-#!/bin/bash
-[% c("var/set_default_env") -%]
-distdir=/var/tmp/dist/bison
-tar xf [% project %]-[% c("version") %].tar.xz
-cd [% project %]-[% c("version") %]
-./configure --prefix=$distdir
-make -j[% c("num_procs") %]
-make install
-cd /var/tmp/dist
-[% c('tar', {
- tar_src => [ project ],
- tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
- }) %]
=====================================
projects/bison/config deleted
=====================================
@@ -1,10 +0,0 @@
-# vim: filetype=yaml sw=2
-version: 3.8.2
-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-container:
- use_container: 1
-
-input_files:
- - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz
- sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2
- - project: container-image
=====================================
projects/cmake/build
=====================================
@@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %]
[% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),
hardened_gcc => 0 }) %]
[% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
cd /var/tmp/build/[% project %]-[% c('version') %]
./bootstrap --prefix=$distdir
=====================================
projects/container-image/config
=====================================
@@ -11,8 +11,8 @@ var:
lsb_release:
id: Debian
- codename: jessie
- release: 8.11
+ codename: stretch
+ release: 9.13
targets:
no_containers:
@@ -33,18 +33,13 @@ pre: |
# version of required packages.
apt-get update -y -q
[% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]
- [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
- [% IF c("var/linux-cross") -%]
- dpkg --add-architecture [% c("var/arch_debian") %]
- [% END -%]
- [% IF c("var/container/suite") == "jessie" -%]
- # We need to use faketime to run `apt-get update` on jessie, because of
- # expired key. See tor-browser-build#40693
- dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb
- [% END -%]
- # Update the package cache again because `pre_pkginst` may change the
- # package manager configuration.
- [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q
+ [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
+ [% IF c("var/linux-cross") -%]
+ dpkg --add-architecture [% c("var/arch_debian") %]
+ [% END -%]
+ # Update the package cache again because `pre_pkginst` may change the
+ # package manager configuration.
+ apt-get update -y -q
[% END -%]
apt-get upgrade -y -q
[%
@@ -87,9 +82,3 @@ input_files:
- project: mmdebstrap-image
target:
- '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
- - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb
- sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213
- enable: '[% c("var/container/suite") == "jessie" %]'
- - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb
- sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4
- enable: '[% c("var/container/suite") == "jessie" %]'
=====================================
projects/firefox/build
=====================================
@@ -1,6 +1,9 @@
#!/bin/bash
[% c("var/set_default_env") -%]
-[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+[% pc(c('var/compiler'), 'var/setup', {
+ compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
+ hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags
+ }) %]
distdir=/var/tmp/dist/[% project %]
mkdir -p /var/tmp/build
mkdir -p [% dest_dir _ '/' _ c('filename') %]
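Review bot: The comment on `hardened_gcc => 0` says firefox sets the hardened flags itself, but the only hardening this commit shows for firefox is the RELRO/BIND_NOW LDFLAGS added to the mozconfig; stack-protector, fortify and PIE must then come from somewhere in firefox's own build configuration that the diff does not show. Pointing the comment at that place would make the removal of the hardened-cc wrapper auditable, e.g. `hardened_gcc => 0, # firefox applies its own hardening flags (see mozconfig and firefox's build configuration); only RELRO/BIND_NOW are added in mozconfig`. The rest of the build script is outside the hunk.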
=====================================
projects/firefox/config
=====================================
@@ -96,7 +96,6 @@ targets:
- libgtk-3-dev
- libdbus-glib-1-dev
- libxt-dev
- - hardening-wrapper
# To pass configure since ESR 31
- libpulse-dev
# To pass configure since ESR 52
@@ -116,7 +115,6 @@ targets:
- libgtk-3-dev:i386
- libdbus-glib-1-dev:i386
- libxt-dev:i386
- - hardening-wrapper
# To pass configure since ESR 31
- libpulse-dev:i386
# To pass configure since ESR 52
=====================================
projects/firefox/mozconfig
=====================================
@@ -10,6 +10,9 @@
HOST_CXX=$CXX
export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'
+
+ # set LDFLAGS for Full RELRO
+ export LDFLAGS="-Wl,-z,relro -Wl,-z,now"
[% END -%]
[% IF c("var/windows") -%]
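Review bot: `export LDFLAGS="-Wl,-z,relro -Wl,-z,now"` replaces any LDFLAGS already present in the environment instead of appending, so if this linux branch ever runs after var/set_hardened_build_flags or set_default_env has exported LDFLAGS, those flags are silently dropped. `export LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now"` keeps them and is identical when LDFLAGS is empty. The enclosing `[% IF … %]` block starts outside the hunk.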
=====================================
projects/gcc/build
=====================================
@@ -1,23 +1,23 @@
#!/bin/sh
[% c("var/set_default_env") -%]
-[% IF c("var/linux") -%]
- # Config options for hardening-wrapper
+mkdir -p /var/tmp/build
+[% IF c("var/linux") && ! c("var/linux-cross") -%]
+ # Config options for hardening
export DEB_BUILD_HARDENING=1
- export DEB_BUILD_HARDENING_STACKPROTECTOR=1
- export DEB_BUILD_HARDENING_FORTIFY=1
# Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.
# The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not
# doing so would make precompiled headers (PCH) fail.
# It is okay for us to omit this right now as it does not change any hardening
# flags in the resulting bundles.
- export DEB_BUILD_HARDENING_PIE=0
+ #
# We need to disable `-Werror=format-security` as GCC does not build with it
# anymore. It seems it got audited for those problems already:
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
- export DEB_BUILD_HARDENING_FORMAT=0
+ export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format
+ eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
+ export OPT_LDFLAGS="$LDFLAGS"
[% END -%]
distdir=/var/tmp/dist/[% c("var/distdir") %]
-mkdir /var/tmp/build
[% IF c("var/linux-cross") -%]
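Review bot: `eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)` still runs dpkg-buildflags from the current directory if the `cd` fails, because `;` does not stop the subshell and the outer script's error handling does not reach inside `$(...)`; `eval $(cd /var/tmp/build && dpkg-buildflags --export=sh)` is the safer form, and the same construct is added to var/set_hardened_build_flags in rbm.conf. The reason for running it from /var/tmp/build (presumably to keep dpkg-buildflags away from the source tree) is also not stated and deserves a one-line comment. The new condition additionally excludes linux-cross from the hardening flags where the old block applied to every linux target, and nothing in the hunk says why; `# linux-cross builds get no hardening flags here because <REASON>` would keep that decision from being undone by accident. The script continues outside the hunk.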
=====================================
projects/gcc/config
=====================================
@@ -18,26 +18,7 @@ var:
[% IF ! c("var/linux-cross") -%]
export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32
[% END -%]
-
- [% IF c("hardened_gcc") -%]
- # Config options for hardening-wrapper
- export DEB_BUILD_HARDENING=1
- export DEB_BUILD_HARDENING_STACKPROTECTOR=1
- export DEB_BUILD_HARDENING_FORTIFY=1
- export DEB_BUILD_HARDENING_FORMAT=1
- export DEB_BUILD_HARDENING_PIE=1
-
- # Make sure we use the hardening wrapper
- pushd /var/tmp/dist/[% c("var/distdir") %]/bin
- cp /usr/bin/hardened-cc ./
- mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real
- mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real
- mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real
- ln -sf hardened-cc [% c("var/target_prefix") %]gcc
- ln -sf hardened-cc [% c("var/target_prefix") %]c++
- ln -sf hardened-cc [% c("var/target_prefix") %]g++
- popd
- [% END -%]
+ [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
targets:
windows:
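Review bot: Replacing the hardened-cc wrapper with `GET c("var/set_hardened_build_flags")` changes the hardening model from one enforced by the toolchain on every compiler invocation to one carried in CFLAGS/CPPFLAGS/CXXFLAGS/LDFLAGS that dpkg-buildflags exports into the calling build script; a build system that ignores or overrides those variables now compiles without hardening, which the wrapper used to prevent. That contract is not written down in var/setup, so a comment would help, e.g. `# hardened_gcc: exports dpkg-buildflags hardening flags into the environment; the caller's build must honour CFLAGS/CXXFLAGS/LDFLAGS for them to apply`. Whether every flag emitted by the container's dpkg-buildflags is accepted by the gcc installed in /var/tmp/dist cannot be seen from here. The var/setup template continues outside the hunk.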
@@ -51,7 +32,6 @@ targets:
var:
configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
arch_deps:
- - hardening-wrapper
- libc6-dev-i386
linux-cross:
var:
@@ -64,7 +44,6 @@ targets:
glibc_version: 2.26
linux_version: 4.10.1
arch_deps:
- - hardening-wrapper
- libc6-dev-i386
- gawk
linux-arm:
=====================================
projects/mmdebstrap-image/apt-key-allow-expired-key.patch deleted
=====================================
@@ -1,23 +0,0 @@
---- o/apt-key 2022-11-30 14:57:12.742026261 +0000
-+++ n/apt-key 2022-12-01 08:38:08.170140893 +0000
-@@ -815,11 +815,18 @@
- create_gpg_home
- fi
- setup_merged_keyring
-+ tmpfile=$(mktemp)
-+ set +e
- if [ -n "$FORCED_KEYRING" ]; then
-- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
-+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")
- else
-- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
-+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")
- fi
-+ err=$?
-+ set -e
-+ cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}
-+ rm -f "$tmpfile"
-+ exit $err
- ;;
- help)
- usage
=====================================
projects/mmdebstrap-image/config
=====================================
@@ -6,7 +6,7 @@ container:
use_container: 1
var:
- ubuntu_version: 22.04.1
+ ubuntu_version: 22.04.2
pre: |
#!/bin/sh
@@ -16,14 +16,6 @@ pre: |
apt-get update -y -q
apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
- [% IF c("var/container/suite") == "jessie" -%]
- apt-get install -y -q patch
- cd /usr/bin
- # The gpg key for jessie is expired. We patch apt-key to accept expired keys.
- patch -p1 < $rootdir/apt-key-allow-expired-key.patch
- cd $rootdir
- [% END -%]
-
export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
tar -xf [% c('input_files_by_name/mmdebstrap') %]
./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
@@ -39,16 +31,16 @@ pre: |
mv output.tar.gz [% dest_dir %]/[% c("filename") %]
targets:
- jessie-amd64:
+ stretch-amd64:
var:
- minimal_apt_version: 1.0.9.8.6
-
+ minimal_apt_version: 1.4.11
container:
- suite: jessie
+ suite: stretch
arch: amd64
debian_mirror: >
- "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"
- "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"
+ "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"
+ "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"
+
bullseye-amd64:
var:
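Review bot: The stretch-amd64 target's `signed-by=/usr/share/keyrings/debian-archive-keyring.gpg` relies on the stretch signing keys still being in the main keyring of the Ubuntu base image; the jessie target it replaces had to use `debian-archive-removed-keys.gpg` plus an apt-key patch precisely because its keys had been moved out, and the same will happen to stretch in a later keyring package, at which point mmdebstrap will fail signature verification. A comment on the mirror lines such as `# stretch keys currently ship in debian-archive-keyring.gpg; if a newer ubuntu base moves them to debian-archive-removed-keys.gpg, update signed-by` would spare the next person the jessie archaeology. Since the mirrors already point at archive.debian.org, `apt-get upgrade` in the container can no longer pull security updates; that appears to be an accepted trade-off for the toolchain build, but it belongs in the target's comment too. The trailing empty `+` line before `bullseye-amd64:` looks like a leftover.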
@@ -62,6 +54,4 @@ input_files:
name: mmdebstrap
- URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
- sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4
- - filename: apt-key-allow-expired-key.patch
- enable: '[% c("var/container/suite") == "jessie" %]'
+ sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d
=====================================
projects/ninja/build
=====================================
@@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %]
[% IF c("var/linux") -%]
[% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]
[% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
cd /var/tmp/build/[% project %]-[% c('version') %]
=====================================
projects/rust/build
=====================================
@@ -50,7 +50,7 @@ EOF
[% END %]
cd $rootdir
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
tar -C /var/tmp/build -xf [% c('input_files_by_name/rust') %]
cd /var/tmp/build/rustc-[% c('version') %]-src
=====================================
projects/sqlcipher/build
=====================================
@@ -3,7 +3,7 @@
[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
distdir=/var/tmp/dist/sqlcipher
builddir=/var/tmp/build/[% project %]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
[% IF ! c("var/sqlcipher-linux-x86_64") -%]
=====================================
projects/stemns/build
=====================================
@@ -1,8 +1,8 @@
#!/bin/sh
[% c("var/set_default_env") -%]
distdir=/var/tmp/dist/StemNS
-mkdir /var/tmp/build
-mkdir /var/tmp/dist
+mkdir -p /var/tmp/build
+mkdir -p /var/tmp/dist
# Extract StemNS
tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
=====================================
rbm.conf
=====================================
@@ -491,7 +491,7 @@ targets:
# Temporarily disabled until we have a fix for tor-browser-build#40845
#namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'
container:
- suite: jessie
+ suite: stretch
arch: amd64
pre_pkginst: dpkg --add-architecture i386
deps:
@@ -503,13 +503,18 @@ targets:
- build-essential
- python
- bison
- - hardening-wrapper
- automake
- libtool
- zip
- unzip
- xz-utils
- patch
+ - less
+ set_hardened_build_flags: |
+ export DEB_BUILD_HARDENING=1
+ export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'
+ mkdir -p /var/tmp/build
+ eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
linux-asan:
var:
asan: 1
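Review bot: `export DEB_BUILD_HARDENING=1` in set_hardened_build_flags appears to be a leftover from hardening-wrapper, which this commit drops from deps; dpkg-buildflags is driven by `DEB_BUILD_OPTIONS` (and `DEB_BUILD_MAINT_OPTIONS`), so unless something else in the build reads that variable the line is dead and suggests the wrapper is still in play. The snippet also has no comment describing what it leaves in the environment or why dpkg-buildflags is run from /var/tmp/build; `# exports CFLAGS/CPPFLAGS/CXXFLAGS/LDFLAGS from the container's dpkg-buildflags; the calling build must honour them` would document the contract that the binutils and gcc callers now depend on. The surrounding `targets:` block extends beyond the hunk.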