GitLab

at 2023-06-27T16:53:41+02:00

Bug 40102: Use Debian Stretch for Linux builds

 [% c("var/set_default_env") -%]

 mkdir /var/tmp/dist

 distdir=/var/tmp/dist/binutils

-[% IF c("var/linux") %]

-  # Config options for hardening-wrapper

-  export DEB_BUILD_HARDENING=1

-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1

-  export DEB_BUILD_HARDENING_FORTIFY=1

-  export DEB_BUILD_HARDENING_FORMAT=1

-  export DEB_BUILD_HARDENING_PIE=1

-

-  tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]

-  export PATH=/var/tmp/dist/bison/bin:$PATH

-[% END %]

+[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]

 tar xf [% project %]-[% c("version") %].tar.xz

 cd [% project %]-[% c("version") %]

 make -j[% c("num_procs") %] MAKEINFO=true

 make install MAKEINFO=true

-# gold is disabled for linux-cross, because of

-# https://sourceware.org/bugzilla/show_bug.cgi?id=14995

-# Once we upgrade to glibc 2.26, we might be able to enable gold for

-# linux-cross.

-[% IF c("var/linux") && ! c("var/linux-cross") %]

-  # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.

-  cd $distdir/bin

-  rm ld

-  cp /usr/bin/hardened-ld ./

-  mv ld.gold ld.gold.real

-  ln -sf hardened-ld ld.gold

-  ln -sf ld.gold ld

-[% END %]

-

 cd /var/tmp/dist

 [% c('tar', {

         tar_src => [ project ],

     file_gpg_id: 1

     gpg_keyring: binutils.gpg

   - project: container-image
-  - project: bison

-    name: bison

-    # We try to use system's bison, but Jessie's is too old

-    enable: '[% c("var/linux") %]'
-#!/bin/bash

-[% c("var/set_default_env") -%]

-distdir=/var/tmp/dist/bison

-tar xf [% project %]-[% c("version") %].tar.xz

-cd [% project %]-[% c("version") %]

-./configure --prefix=$distdir

-make -j[% c("num_procs") %]

-make install

-cd /var/tmp/dist

-[% c('tar', {

-        tar_src => [ project ],

-        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),

-        }) %]
-# vim: filetype=yaml sw=2

-version: 3.8.2

-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'

-container:

-  use_container: 1

-

-input_files:

-  - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz

-    sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2

-  - project: container-image
   [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),

                               hardened_gcc => 0 }) %]

 [% END -%]

-mkdir /var/tmp/build

+mkdir -p /var/tmp/build

 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz

 cd /var/tmp/build/[% project %]-[% c('version') %]

 ./bootstrap --prefix=$distdir

 lsb_release:

   id: Debian

-  codename: jessie

-  release: 8.11

+  codename: stretch

+  release: 9.13

 targets:

   no_containers:

   # version of required packages.

   apt-get update -y -q

   [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]

-  [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]

-  [% IF c("var/linux-cross") -%]

-    dpkg --add-architecture [% c("var/arch_debian") %]

-  [% END -%]

-  [% IF c("var/container/suite") == "jessie" -%]

-    # We need to use faketime to run `apt-get update` on jessie, because of

-    # expired key. See tor-browser-build#40693

-    dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb

-  [% END -%]

-  # Update the package cache again because `pre_pkginst` may change the

-  # package manager configuration.

-  [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q

+    [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]

+    [% IF c("var/linux-cross") -%]

+      dpkg --add-architecture [% c("var/arch_debian") %]

+    [% END -%]

+    # Update the package cache again because `pre_pkginst` may change the

+    # package manager configuration.

+    apt-get update -y -q

   [% END -%]

   apt-get upgrade -y -q

   [%

   - project: mmdebstrap-image

     target:

       - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb

-    sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213

-    enable: '[% c("var/container/suite") == "jessie" %]'

-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb

-    sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4

-    enable: '[% c("var/container/suite") == "jessie" %]'
 #!/bin/bash

 [% c("var/set_default_env") -%]

-[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]

+[% pc(c('var/compiler'), 'var/setup', {

+        compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),

+        hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags

+      }) %]

 distdir=/var/tmp/dist/[% project %]

 mkdir -p /var/tmp/build

 mkdir -p [% dest_dir _ '/' _ c('filename') %]

         - libgtk-3-dev

         - libdbus-glib-1-dev

         - libxt-dev

-        - hardening-wrapper

         # To pass configure since ESR 31

         - libpulse-dev

         # To pass configure since ESR 52

         - libgtk-3-dev:i386

         - libdbus-glib-1-dev:i386

         - libxt-dev:i386

-        - hardening-wrapper

         # To pass configure since ESR 31

         - libpulse-dev:i386

         # To pass configure since ESR 52

   HOST_CXX=$CXX

   export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'

+

+  # set LDFLAGS for Full RELRO

+  export LDFLAGS="-Wl,-z,relro -Wl,-z,now"

 [% END -%]

 [% IF c("var/windows") -%]

 #!/bin/sh

 [% c("var/set_default_env") -%]

-[% IF c("var/linux") -%]

-  # Config options for hardening-wrapper

+mkdir -p /var/tmp/build

+[% IF c("var/linux") && ! c("var/linux-cross") -%]

+  # Config options for hardening

   export DEB_BUILD_HARDENING=1

-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1

-  export DEB_BUILD_HARDENING_FORTIFY=1

   # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.

   # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not

   # doing so would make precompiled headers (PCH) fail.

   # It is okay for us to omit this right now as it does not change any hardening

   # flags in the resulting bundles.

-  export DEB_BUILD_HARDENING_PIE=0

+  #

   # We need to disable `-Werror=format-security` as GCC does not build with it

   # anymore. It seems it got audited for those problems already:

   # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.

-  export DEB_BUILD_HARDENING_FORMAT=0

+  export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format

+  eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)

+  export OPT_LDFLAGS="$LDFLAGS"

 [% END -%]

 distdir=/var/tmp/dist/[% c("var/distdir") %]

-mkdir /var/tmp/build

 [% IF c("var/linux-cross") -%]

     [% IF ! c("var/linux-cross") -%]

       export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32

     [% END -%]

-

-    [% IF c("hardened_gcc") -%]

-      # Config options for hardening-wrapper

-      export DEB_BUILD_HARDENING=1

-      export DEB_BUILD_HARDENING_STACKPROTECTOR=1

-      export DEB_BUILD_HARDENING_FORTIFY=1

-      export DEB_BUILD_HARDENING_FORMAT=1

-      export DEB_BUILD_HARDENING_PIE=1

-

-      # Make sure we use the hardening wrapper

-      pushd /var/tmp/dist/[% c("var/distdir") %]/bin

-      cp /usr/bin/hardened-cc ./

-      mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real

-      mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real

-      mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real

-      ln -sf hardened-cc [% c("var/target_prefix") %]gcc

-      ln -sf hardened-cc [% c("var/target_prefix") %]c++

-      ln -sf hardened-cc [% c("var/target_prefix") %]g++

-      popd

-    [% END -%]

+    [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]

 targets:

   windows:

     var:

       configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686

       arch_deps:

-        - hardening-wrapper

         - libc6-dev-i386

   linux-cross:

     var:

       glibc_version: 2.26

       linux_version: 4.10.1

       arch_deps:

-        - hardening-wrapper

         - libc6-dev-i386

         - gawk

   linux-arm:

---- o/apt-key	2022-11-30 14:57:12.742026261 +0000

-+++ n/apt-key	2022-12-01 08:38:08.170140893 +0000

-@@ -815,11 +815,18 @@

- 	    create_gpg_home

- 	fi

- 	setup_merged_keyring

-+	tmpfile=$(mktemp)

-+	set +e

- 	if [ -n "$FORCED_KEYRING" ]; then

--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"

-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")

- 	else

--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"

-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")

- 	fi

-+	err=$?

-+	set -e

-+	cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}

-+	rm -f "$tmpfile"

-+	exit $err

- 	;;

-     help)

-         usage
   use_container: 1

 var:

-  ubuntu_version: 22.04.1

+  ubuntu_version: 22.04.2

 pre: |

   #!/bin/sh

   apt-get update -y -q

   apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg

-  [% IF c("var/container/suite") == "jessie" -%]

-    apt-get install -y -q patch

-    cd /usr/bin

-    # The gpg key for jessie is expired. We patch apt-key to accept expired keys.

-    patch -p1 < $rootdir/apt-key-allow-expired-key.patch

-    cd $rootdir

-  [% END -%]

-

   export SOURCE_DATE_EPOCH='[% c("timestamp") %]'

   tar -xf [% c('input_files_by_name/mmdebstrap') %]

   ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]

   mv output.tar.gz [% dest_dir %]/[% c("filename") %]

 targets:

-  jessie-amd64:

+  stretch-amd64:

     var:

-      minimal_apt_version: 1.0.9.8.6

-

+      minimal_apt_version: 1.4.11

       container:

-        suite: jessie

+        suite: stretch

         arch: amd64

         debian_mirror: >

-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"

-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"

+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"

+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"

+

   bullseye-amd64:

     var:

     name: mmdebstrap

   - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'

     filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'

-    sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4

-  - filename: apt-key-allow-expired-key.patch

-    enable: '[% c("var/container/suite") == "jessie" %]'
+    sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d
 [% IF c("var/linux") -%]

   [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]

 [% END -%]

-mkdir /var/tmp/build

+mkdir -p /var/tmp/build

 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz

 cd /var/tmp/build/[% project %]-[% c('version') %]

 [% END %]

 cd $rootdir

-mkdir /var/tmp/build

+mkdir -p /var/tmp/build

 tar -C /var/tmp/build -xf  [% c('input_files_by_name/rust') %]

 cd /var/tmp/build/rustc-[% c('version') %]-src

 [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]

 distdir=/var/tmp/dist/sqlcipher

 builddir=/var/tmp/build/[% project %]

-mkdir /var/tmp/build

+mkdir -p /var/tmp/build

 tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]

 [% IF ! c("var/sqlcipher-linux-x86_64") -%]

 #!/bin/sh

 [% c("var/set_default_env") -%]

 distdir=/var/tmp/dist/StemNS

-mkdir /var/tmp/build

-mkdir /var/tmp/dist

+mkdir -p /var/tmp/build

+mkdir -p /var/tmp/dist

 # Extract StemNS

 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz

       # Temporarily disabled until we have a fix for tor-browser-build#40845

       #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'

       container:

-        suite: jessie

+        suite: stretch

         arch: amd64

       pre_pkginst: dpkg --add-architecture i386

       deps:

         - build-essential

         - python

         - bison

-        - hardening-wrapper

         - automake

         - libtool

         - zip

         - unzip

         - xz-utils

         - patch

+        - less

+      set_hardened_build_flags: |

+        export DEB_BUILD_HARDENING=1

+        export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'

+        mkdir -p /var/tmp/build

+        eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)

   linux-asan:

     var:

       asan: 1

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

18 changed files:

Changes: