Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: b0b67b81 by Pier Angelo Vendrame at 2025-12-10T21:38:25+01:00 Bug 41627: Build OpenSSL in the Python package. Build OpenSSL with Python, so that the ssl module can be imported. We do not use the openssl project to avoid re-building a consistent part of the Linux toolchain every time we bump it. Also, bump the Python version since we are at it (we downgraded to be able to build it with OpenSSL 1.1.x, now we don't have that requirement anymore), and bump ninja, as the old version didn't build with our new version of Python. - - - - - 75825497 by Pier Angelo Vendrame at 2025-12-10T21:39:51+01:00 Bug 41662: Add python-zstandard to desktop containers. They are needed when we build artifacts. - - - - - 12 changed files: - projects/common/list_toolchain_updates-common-firefox-geckoview - projects/firefox/build - projects/firefox/config - projects/ninja/build - projects/ninja/config - − projects/ninja/python3.patch - + projects/python-zstandard/README.md - + projects/python-zstandard/build - + projects/python-zstandard/config - projects/python/README.md - projects/python/build - projects/python/config Changes: ===================================== projects/common/list_toolchain_updates-common-firefox-geckoview ===================================== @@ -159,7 +159,7 @@ if (m/^\\s*MINIMUM_MINOR_VERSION = ([0-9]+)/) { } EOF needed=3.$(cat python/mozboot/bin/bootstrap.py | perl -ne "$p") -current="3.9" # 3.11.x on Debian bookworm, 3.9.20 on our python project +current="3.9" # 3.11.x on Debian bookworm, 3.13.11 on our python project check_update_needed python "$needed" "$current" ===================================== projects/firefox/build ===================================== @@ -34,6 +34,8 @@ export PATH="/var/tmp/dist/rust/bin:/var/tmp/dist/cbindgen:/var/tmp/dist/node/bi tar -C /var/tmp/dist -xf [% c('input_files_by_name/clang') %] tar -C /var/tmp/dist -xf [% c('input_files_by_name/python') %] export PATH="/var/tmp/dist/python/bin:$PATH" + # For OpenSSL, see Python's README.md. + export LD_LIBRARY_PATH=/var/tmp/dist/python/lib:$LD_LIBRARY_PATH [% IF ! c("var/linux-cross") -%] tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %] export PATH="/var/tmp/dist/binutils/bin:$PATH" @@ -48,6 +50,9 @@ export PATH="/var/tmp/dist/rust/bin:/var/tmp/dist/cbindgen:/var/tmp/dist/node/bi # down properly in that case. Thus, we set it here in the build script. export PKG_CONFIG_PATH="${PKG_CONFIG_PATH}:/usr/lib/[% c("var/crosstarget") %]/pkgconfig" [% END -%] + [% IF c("var/dev_artifacts") -%] + python3 -m pip install $rootdir/[% c('input_files_by_name/python-zstandard') %]/*.whl + [% END -%] [% END -%] [% IF c("var/macos") && c("var/dev_artifacts") %] ===================================== projects/firefox/config ===================================== @@ -154,6 +154,7 @@ targets: arch_deps: - python3 - python3-distutils + - python3-zstandard - rsync windows: @@ -161,6 +162,7 @@ targets: arch_deps: - python3 - python3-distutils + - python3-zstandard - wine input_files: @@ -228,6 +230,9 @@ input_files: enable: '[% c("var/mullvad-browser") && c("var/has_l10n") %]' - filename: marsigner.der enable: '[% c("var/override_updater_url") %]' + - project: python-zstandard + enable: '[% c("var/linux") && c("var/dev_artifacts") %]' + name: python-zstandard - filename: dmg-root enable: '[% c("var/macos") && c("var/dev_artifacts") %]' - project: hfsplus-tools ===================================== projects/ninja/build ===================================== @@ -12,8 +12,6 @@ mkdir -p /var/tmp/build tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_tar') %] cd /var/tmp/build/[% project %]-[% c('version') %] -patch -p1 < "$rootdir/python3.patch" - ./configure.py --bootstrap mkdir -p $distdir ===================================== projects/ninja/config ===================================== @@ -1,7 +1,7 @@ # vim: filetype=yaml sw=2 -version: '[% c("abbrev") %]' +version: '1.13.2' git_url: https://github.com/ninja-build/ninja.git -git_hash: a524bf3f6bacd1b4ad85d719eed2737d8562f27a #v1.11.1 +git_hash: 3441b633c2fe2c494e958780ba0f4227b1327634 # v1.13.2 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]' container: use_container: 1 @@ -16,4 +16,3 @@ input_files: - name: python project: python enable: '[% c("var/linux") %]' - - filename: python3.patch ===================================== projects/ninja/python3.patch deleted ===================================== @@ -1,95 +0,0 @@ -From 6a17e84370064eec6f22cfb1717ab80cf898d82b Mon Sep 17 00:00:00 2001 -From: Nico Weber <thakis@chromium.org> -Date: Tue, 10 Jan 2023 10:46:45 -0500 -Subject: [PATCH] Use python3 in all run lines - -We already did this in some, this converts the rest. -Also chmod +x on write_fake_manifests.py while here. ---- - configure.py | 4 +--- - misc/measure.py | 4 +--- - misc/ninja_syntax_test.py | 2 +- - misc/write_fake_manifests.py | 2 +- - src/browse.py | 4 +--- - 5 files changed, 5 insertions(+), 11 deletions(-) - mode change 100644 => 100755 misc/write_fake_manifests.py - -diff --git a/configure.py b/configure.py -index 09c5b283e0..588250aa8a 100755 ---- a/configure.py -+++ b/configure.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - # - # Copyright 2001 Google Inc. All Rights Reserved. - # -@@ -19,8 +19,6 @@ - Projects that use ninja themselves should either write a similar script - or use a meta-build system that supports Ninja output.""" - --from __future__ import print_function -- - from optparse import OptionParser - import os - import pipes -diff --git a/misc/measure.py b/misc/measure.py -index 8ce95e696b..f3825efbb0 100755 ---- a/misc/measure.py -+++ b/misc/measure.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - - # Copyright 2011 Google Inc. All Rights Reserved. - # -@@ -17,8 +17,6 @@ - """measure the runtime of a command by repeatedly running it. - """ - --from __future__ import print_function -- - import time - import subprocess - import sys -diff --git a/misc/ninja_syntax_test.py b/misc/ninja_syntax_test.py -index 90ff9c6bdb..61fb177d43 100755 ---- a/misc/ninja_syntax_test.py -+++ b/misc/ninja_syntax_test.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - - # Copyright 2011 Google Inc. All Rights Reserved. - # -diff --git a/misc/write_fake_manifests.py b/misc/write_fake_manifests.py -old mode 100644 -new mode 100755 -index abcb677e18..bf9cf7de92 ---- a/misc/write_fake_manifests.py -+++ b/misc/write_fake_manifests.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - - """Writes large manifest files, for manifest parser performance testing. - -diff --git a/src/browse.py b/src/browse.py -index 653cbe91f6..b125e805a9 100755 ---- a/src/browse.py -+++ b/src/browse.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - # - # Copyright 2001 Google Inc. All Rights Reserved. - # -@@ -20,8 +20,6 @@ - it when needed. - """ - --from __future__ import print_function -- - try: - import http.server as httpserver - import socketserver ===================================== projects/python-zstandard/README.md ===================================== @@ -0,0 +1,4 @@ +Mozilla uses the python-zstandard module for various tasks in their CI, but +they do not vendor it in Firefox's source tree. + +Since we build our own Python on Linux, we also need to build this module. ===================================== projects/python-zstandard/build ===================================== @@ -0,0 +1,14 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +outdir=[% dest_dir _ '/' _ c('filename') %] +mkdir -p /var/tmp/dist $outdir + +tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/python') %] +export PATH=/var/tmp/dist/python/bin:$PATH + +python3 -m pip install *.whl + +tar -xf [% project %]-[% c('version') %].tar.[% c('compress_tar') %] +cd [% project %]-[% c('version') %] +python3 setup.py bdist_wheel +mv dist/*.whl $outdir/ ===================================== projects/python-zstandard/config ===================================== @@ -0,0 +1,19 @@ +version: 0.24.0 +filename: 'python-zstandard-[% c("version") %]-[% c("var/build_id") %]' +git_url: https://github.com/indygreg/python-zstandard.git +git_hash: 9223924b1db8f36cf1c7c2dcd55232093890d145 # 0.24.0 +container: + use_container: 1 + +input_files: + - project: container-image + - project: python + name: python + # This contains only binaries for Windows. + - name: setuptools + URL: https://files.pythonhosted.org/packages/a3/dc/17031897dae0efacfea57dfd3a82fd... + sha256sum: 062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922 + # This contains only Python. + - name: packaging + URL: https://files.pythonhosted.org/packages/20/12/38679034af332785aac8774540895e... + sha256sum: 29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 ===================================== projects/python/README.md ===================================== @@ -17,3 +17,17 @@ image. `browser` is a notable exception: we redefine `var/deps` for all platforms and already add `python3` there. + +## OpenSSL + +Some Python module complain about the OpenSSL version of the container being +too old. Therefore, we also build OpenSSL in this project, and other projects +needing it must add `/var/tmp/dist/python/lib` to `LD_LIBRARY_PATH`. + +We do it here instead of using the `openssl` project because we do not want to +rebuild a big part of the toolchain for each OpenSSL update (the module would +be used mostly for HTTP requests, which will not go through in our builds, +since they happen offline). + +When updating to a newever version of Debian for Linux containers, we might +stop building OpenSSL and go back to using the system library. ===================================== projects/python/build ===================================== @@ -6,14 +6,28 @@ [% END -%] distdir=/var/tmp/dist/[% project %] -mkdir -p $distdir +openssldir=/var/tmp/dist/openssl +mkdir -p $distdir $openssldir + +tar -xf $rootdir/[% c('input_files_by_name/openssl') %] +pushd openssl-3.5.4 +./Configure --prefix=$openssldir --libdir=lib +make -j[% c("num_procs") %] +make -j[% c("num_procs") %] install +# Python will try to load OpenSSL during its build process. +export LD_LIBRARY_PATH=$openssldir/lib:$LD_LIBRARY_PATH +popd + tar xf [% c('input_files_by_name/python') %] cd Python-[% c('version') %] -./configure --prefix=$distdir --enable-optimizations +./configure --prefix=$distdir --enable-optimizations --with-openssl=$openssldir make -j[% c("num_procs") %] make prefix=$distdir install + +cp -a $openssldir/lib/lib*.so* $distdir/lib/ + cd /var/tmp/dist [% c('tar', { - tar_src => 'python', - tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'), - }) %] + tar_src => 'python', + tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'), + }) %] ===================================== projects/python/config ===================================== @@ -1,6 +1,6 @@ # vim: filetype=yaml sw=2 -version: 3.9.20 -filename: 'python-[% c("var/build_id") %].tar.[% c("compress_tar") %]' +version: 3.13.11 +filename: 'python-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]' container: use_container: 1 var: @@ -12,7 +12,6 @@ var: - libffi-dev - libncurses-dev - libsqlite3-dev - - libssl-dev - zlib1g-dev setup: | @@ -24,7 +23,14 @@ input_files: - project: container-image - name: python URL: 'https://www.python.org/ftp/python/[% c("version") %]/Python-[% c("version") %].tar.xz' - sha256sum: 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c + sha256sum: 16ede7bb7cdbfa895d11b0642fa0e523f291e6487194d53cf6d3b338c3a17ea2 - name: '[% c("var/compiler") %]' project: '[% c("var/compiler") %]' enable: '[% c("var/linux") %]' + # We do not use the same we use as tor dependency because we do not want to + # rebuild Clang, Rust and other projects at each OpenSSL update. + # FWIW, these OpenSSL would be used for requests that will not go through, + # as our builds run offline. + - name: openssl + URL: 'https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3...' + sha256sum: 967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99 View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/8... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/compare/8... You're receiving this email because of your account on gitlab.torproject.org.