boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

18 changed files:

Changes:

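--- a/projects/binutils/build
+++ b/projects/binutils/build
@@ -2,17 +2,7 @@
 [% c("var/set_default_env") -%]
 mkdir /var/tmp/dist
 distdir=/var/tmp/dist/binutils
-[% IF c("var/linux") %]
-  # Config options for hardening-wrapper
-  export DEB_BUILD_HARDENING=1
-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-  export DEB_BUILD_HARDENING_FORTIFY=1
-  export DEB_BUILD_HARDENING_FORMAT=1
-  export DEB_BUILD_HARDENING_PIE=1
-
-  tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]
-  export PATH=/var/tmp/dist/bison/bin:$PATH
-[% END %]
+[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
 
 tar xf [% project %]-[% c("version") %].tar.xz
 cd [% project %]-[% c("version") %]
@@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %]
 make -j[% c("num_procs") %] MAKEINFO=true
 make install MAKEINFO=true
 
-# gold is disabled for linux-cross, because of
-# https://sourceware.org/bugzilla/show_bug.cgi?id=14995
-# Once we upgrade to glibc 2.26, we might be able to enable gold for
-# linux-cross.
-[% IF c("var/linux") && ! c("var/linux-cross") %]
-  # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.
-  cd $distdir/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-[% END %]
-
 cd /var/tmp/dist
 [% c('tar', {
         tar_src => [ project ],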
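Review bot: Dropping the `hardened-ld` wrapping of `ld.gold` in the second hunk moves full-RELRO enforcement out of the toolchain: every binary linked through this binutils previously got relro/now regardless of the consumer's build system, while `var/set_hardened_build_flags` only hardens the binutils build itself through environment flags. Consumers now have to pass the linker flags themselves (projects/firefox/mozconfig does so in this commit; other users of this toolchain are not visible here, so I cannot tell whether any is left without them). A comment after the new line, e.g. `# Full RELRO is no longer enforced by wrapping ld; each project must pass -Wl,-z,relro -Wl,-z,now itself`, would stop the next reader from assuming the toolchain still provides it.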
    

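--- a/projects/binutils/config
+++ b/projects/binutils/config
@@ -22,7 +22,3 @@ input_files:
     file_gpg_id: 1
     gpg_keyring: binutils.gpg
   - project: container-image
-  - project: bison
-    name: bison
-    # We try to use system's bison, but Jessie's is too old
-    enable: '[% c("var/linux") %]'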

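--- a/projects/bison/build
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-[% c("var/set_default_env") -%]
-distdir=/var/tmp/dist/bison
-tar xf [% project %]-[% c("version") %].tar.xz
-cd [% project %]-[% c("version") %]
-./configure --prefix=$distdir
-make -j[% c("num_procs") %]
-make install
-cd /var/tmp/dist
-[% c('tar', {
-        tar_src => [ project ],
-        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
-        }) %]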

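--- a/projects/bison/config
+++ /dev/null
@@ -1,10 +0,0 @@
-# vim: filetype=yaml sw=2
-version: 3.8.2
-filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
-container:
-  use_container: 1
-
-input_files:
-  - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz
-    sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2
-  - project: container-image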

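--- a/projects/cmake/build
+++ b/projects/cmake/build
@@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %]
   [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),
                               hardened_gcc => 0 }) %]
 [% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 cd /var/tmp/build/[% project %]-[% c('version') %]
 ./bootstrap --prefix=$distdir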
    

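--- a/projects/container-image/config
+++ b/projects/container-image/config
@@ -11,8 +11,8 @@ var:
 
 lsb_release:
   id: Debian
-  codename: jessie
-  release: 8.11
+  codename: stretch
+  release: 9.13
 
 targets:
   no_containers:
@@ -33,18 +33,13 @@ pre: |
   # version of required packages.
   apt-get update -y -q
   [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]
-  [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
-  [% IF c("var/linux-cross") -%]
-    dpkg --add-architecture [% c("var/arch_debian") %]
-  [% END -%]
-  [% IF c("var/container/suite") == "jessie" -%]
-    # We need to use faketime to run `apt-get update` on jessie, because of
-    # expired key. See tor-browser-build#40693
-    dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb
-  [% END -%]
-  # Update the package cache again because `pre_pkginst` may change the
-  # package manager configuration.
-  [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q
+    [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
+    [% IF c("var/linux-cross") -%]
+      dpkg --add-architecture [% c("var/arch_debian") %]
+    [% END -%]
+    # Update the package cache again because `pre_pkginst` may change the
+    # package manager configuration.
+    apt-get update -y -q
   [% END -%]
   apt-get upgrade -y -q
   [%
@@ -87,9 +82,3 @@ input_files:
   - project: mmdebstrap-image
     target:
       - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb
-    sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213
-    enable: '[% c("var/container/suite") == "jessie" %]'
-  - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb
-    sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4
-    enable: '[% c("var/container/suite") == "jessie" %]'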

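--- a/projects/firefox/build
+++ b/projects/firefox/build
@@ -1,6 +1,9 @@
 #!/bin/bash
 [% c("var/set_default_env") -%]
-[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+[% pc(c('var/compiler'), 'var/setup', {
+        compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
+        hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags
+      }) %]
 distdir=/var/tmp/dist/[% project %]
 mkdir -p /var/tmp/build
 mkdir -p [% dest_dir _ '/' _ c('filename') %]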
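Review bot: The inline comment on `hardened_gcc => 0` says firefox sets the hardened flags, but the only hardening visible in this commit is the `LDFLAGS` relro/now export in projects/firefox/mozconfig; stack protector, fortify and PIE are presumably provided by Firefox's own configure, and the comment should name where so the claim can be checked. Suggested wording: `hardened_gcc => 0, # firefox's own build sets the hardening flags (see mozconfig); don't add the toolchain ones on top`. If the default for `hardened_gcc` in projects/gcc/config is truthy (not visible here), this line is also a behaviour change for the firefox build, since the old call passed nothing and the wrapper would have applied; that is worth stating in the commit message.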
    

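--- a/projects/firefox/config
+++ b/projects/firefox/config
@@ -96,7 +96,6 @@ targets:
         - libgtk-3-dev
         - libdbus-glib-1-dev
         - libxt-dev
-        - hardening-wrapper
         # To pass configure since ESR 31
         - libpulse-dev
         # To pass configure since ESR 52
@@ -116,7 +115,6 @@ targets:
         - libgtk-3-dev:i386
         - libdbus-glib-1-dev:i386
         - libxt-dev:i386
-        - hardening-wrapper
         # To pass configure since ESR 31
         - libpulse-dev:i386
         # To pass configure since ESR 52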
    

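--- a/projects/firefox/mozconfig
+++ b/projects/firefox/mozconfig
@@ -10,6 +10,9 @@
   HOST_CXX=$CXX
 
   export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'
+
+  # set LDFLAGS for Full RELRO
+  export LDFLAGS="-Wl,-z,relro -Wl,-z,now"
 [% END -%]
 
 [% IF c("var/windows") -%]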
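Review bot: `export LDFLAGS="-Wl,-z,relro -Wl,-z,now"` overwrites whatever `LDFLAGS` the environment already carries when this mozconfig is sourced (the enclosing `[% IF … %]` block opens before the hunk, so I cannot see what was set earlier); appending, `export LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now"`, keeps prior flags and still adds full RELRO. These flags only reach what the Firefox build links itself, which is exactly the gap left by removing the `hardened-ld` wrapper in projects/binutils/build, so extending the comment to `# set LDFLAGS for Full RELRO (ld is no longer wrapped by hardened-ld)` records why the export is needed here.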
    

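--- a/projects/gcc/build
+++ b/projects/gcc/build
@@ -1,23 +1,23 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
-[% IF c("var/linux") -%]
-  # Config options for hardening-wrapper
+mkdir -p /var/tmp/build
+[% IF c("var/linux") && ! c("var/linux-cross") -%]
+  # Config options for hardening
   export DEB_BUILD_HARDENING=1
-  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-  export DEB_BUILD_HARDENING_FORTIFY=1
   # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.
   # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not
   # doing so would make precompiled headers (PCH) fail.
   # It is okay for us to omit this right now as it does not change any hardening
   # flags in the resulting bundles.
-  export DEB_BUILD_HARDENING_PIE=0
+  #
   # We need to disable `-Werror=format-security` as GCC does not build with it
   # anymore. It seems it got audited for those problems already:
   # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
-  export DEB_BUILD_HARDENING_FORMAT=0
+  export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format
+  eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
+  export OPT_LDFLAGS="$LDFLAGS"
 [% END -%]
 distdir=/var/tmp/dist/[% c("var/distdir") %]
-mkdir /var/tmp/build
 
 [% IF c("var/linux-cross") -%]
 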
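Review bot: `eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)` leaves the command substitution unquoted, so the `export X="…"` lines dpkg-buildflags prints are word-split, glob-expanded and re-joined into one long `export` command; it works today only because no emitted flag contains a glob or IFS-sensitive character, and quoting it, `eval "$(cd /var/tmp/build; dpkg-buildflags --export=sh)"`, evaluates the output line by line as intended. The same unquoted form is in `set_hardened_build_flags` in rbm.conf. The new condition `[% IF c("var/linux") && ! c("var/linux-cross") -%]` also drops the hardening flags for linux-cross builds of gcc, which the old `[% IF c("var/linux") -%]` covered; if that is deliberate, a comment on that line should say why. The `cd /var/tmp/build` presumably exists to pin the directory dpkg-buildflags bakes into its debug-prefix-map flags — worth a short comment, since otherwise it reads as a stray chdir.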
    

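--- a/projects/gcc/config
+++ b/projects/gcc/config
@@ -18,26 +18,7 @@ var:
     [% IF ! c("var/linux-cross") -%]
       export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32
     [% END -%]
-
-    [% IF c("hardened_gcc") -%]
-      # Config options for hardening-wrapper
-      export DEB_BUILD_HARDENING=1
-      export DEB_BUILD_HARDENING_STACKPROTECTOR=1
-      export DEB_BUILD_HARDENING_FORTIFY=1
-      export DEB_BUILD_HARDENING_FORMAT=1
-      export DEB_BUILD_HARDENING_PIE=1
-
-      # Make sure we use the hardening wrapper
-      pushd /var/tmp/dist/[% c("var/distdir") %]/bin
-      cp /usr/bin/hardened-cc ./
-      mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real
-      mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real
-      mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real
-      ln -sf hardened-cc [% c("var/target_prefix") %]gcc
-      ln -sf hardened-cc [% c("var/target_prefix") %]c++
-      ln -sf hardened-cc [% c("var/target_prefix") %]g++
-      popd
-    [% END -%]
+    [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
 
 targets:
   windows:
@@ -51,7 +32,6 @@ targets:
     var:
       configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
       arch_deps:
-        - hardening-wrapper
         - libc6-dev-i386
   linux-cross:
     var:
@@ -64,7 +44,6 @@ targets:
       glibc_version: 2.26
       linux_version: 4.10.1
       arch_deps:
-        - hardening-wrapper
         - libc6-dev-i386
         - gawk
   linux-arm: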
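Review bot: Replacing the `hardened-cc` wrapper with `GET c("var/set_hardened_build_flags")` in `var/setup` (first hunk) weakens the guarantee: the wrapper injected the hardening flags into every invocation of `gcc`/`c++`/`g++` from this toolchain, whereas the new snippet only exports the compiler and linker flag variables dpkg-buildflags prints into the environment of the project that sources `var/setup`, so a build system that ignores or overwrites `CFLAGS`/`CXXFLAGS`/`CPPFLAGS`/`LDFLAGS` now loses hardening silently. A comment on the new line, e.g. `# hardening now comes from dpkg-buildflags via the environment; the project's build must honour CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS`, makes the new contract explicit. A post-build check of a few produced binaries (e.g. hardening-check from devscripts) would catch the regressions the old wrapper made impossible; which projects pass `hardened_gcc` is not visible here, so I cannot tell how many builds this affects.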
    

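--- a/projects/mmdebstrap-image/apt-key-allow-expired-key.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- o/apt-key	2022-11-30 14:57:12.742026261 +0000
-+++ n/apt-key	2022-12-01 08:38:08.170140893 +0000
-@@ -815,11 +815,18 @@
- 	    create_gpg_home
- 	fi
- 	setup_merged_keyring
-+	tmpfile=$(mktemp)
-+	set +e
- 	if [ -n "$FORCED_KEYRING" ]; then
--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")
- 	else
--	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
-+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")
- 	fi
-+	err=$?
-+	set -e
-+	cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}
-+	rm -f "$tmpfile"
-+	exit $err
- 	;;
-     help)
-         usage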

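--- a/projects/mmdebstrap-image/config
+++ b/projects/mmdebstrap-image/config
@@ -6,7 +6,7 @@ container:
   use_container: 1
 
 var:
-  ubuntu_version: 22.04.1
+  ubuntu_version: 22.04.2
 
 pre: |
   #!/bin/sh
@@ -16,14 +16,6 @@ pre: |
   apt-get update -y -q
   apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
 
-  [% IF c("var/container/suite") == "jessie" -%]
-    apt-get install -y -q patch
-    cd /usr/bin
-    # The gpg key for jessie is expired. We patch apt-key to accept expired keys.
-    patch -p1 < $rootdir/apt-key-allow-expired-key.patch
-    cd $rootdir
-  [% END -%]
-
   export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
   tar -xf [% c('input_files_by_name/mmdebstrap') %]
   ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
@@ -39,16 +31,16 @@ pre: |
   mv output.tar.gz [% dest_dir %]/[% c("filename") %]
 
 targets:
-  jessie-amd64:
+  stretch-amd64:
     var:
-      minimal_apt_version: 1.0.9.8.6
-
+      minimal_apt_version: 1.4.11
       container:
-        suite: jessie
+        suite: stretch
         arch: amd64
         debian_mirror: >
-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"
-          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"
+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"
+          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"
+
 
   bullseye-amd64:
     var:
@@ -62,6 +54,4 @@ input_files:
     name: mmdebstrap
   - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
     filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
-    sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4
-  - filename: apt-key-allow-expired-key.patch
-    enable: '[% c("var/container/suite") == "jessie" %]'
+    sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d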
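Review bot: The new `debian_mirror` lines for stretch point `signed-by` at `debian-archive-keyring.gpg`, which only works while the debian-archive-keyring shipped in the Ubuntu 22.04.2 base still carries the Debian 9 archive keys; end-of-life keys are moved to `debian-archive-removed-keys.gpg` in later keyring releases, which is presumably why the removed jessie lines pointed there. A comment next to `debian_mirror` recording that dependency, e.g. `# stretch keys are still in the main keyring of this ubuntu-base; switch to debian-archive-removed-keys.gpg once they are retired`, would save the next upgrade the same debugging. The ubuntu_version bump and its hash change look like a plain version update.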

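--- a/projects/ninja/build
+++ b/projects/ninja/build
@@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %]
 [% IF c("var/linux") -%]
   [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]
 [% END -%]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
 cd /var/tmp/build/[% project %]-[% c('version') %]
 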
    

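--- a/projects/rust/build
+++ b/projects/rust/build
@@ -50,7 +50,7 @@ EOF
 [% END %]
 
 cd $rootdir
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/build -xf  [% c('input_files_by_name/rust') %]
 cd /var/tmp/build/rustc-[% c('version') %]-src
 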
    

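--- a/projects/sqlcipher/build
+++ b/projects/sqlcipher/build
@@ -3,7 +3,7 @@
 [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
 distdir=/var/tmp/dist/sqlcipher
 builddir=/var/tmp/build/[% project %]
-mkdir /var/tmp/build
+mkdir -p /var/tmp/build
 tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
 
 [% IF ! c("var/sqlcipher-linux-x86_64") -%]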
    

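--- a/projects/stemns/build
+++ b/projects/stemns/build
@@ -1,8 +1,8 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
 distdir=/var/tmp/dist/StemNS
-mkdir /var/tmp/build
-mkdir /var/tmp/dist
+mkdir -p /var/tmp/build
+mkdir -p /var/tmp/dist
 
 # Extract StemNS
 tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz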
    

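--- a/rbm.conf
+++ b/rbm.conf
@@ -491,7 +491,7 @@ targets:
       # Temporarily disabled until we have a fix for tor-browser-build#40845
       #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'
       container:
-        suite: jessie
+        suite: stretch
         arch: amd64
       pre_pkginst: dpkg --add-architecture i386
       deps:
@@ -503,13 +503,18 @@ targets:
         - build-essential
         - python
         - bison
-        - hardening-wrapper
         - automake
         - libtool
         - zip
         - unzip
         - xz-utils
         - patch
+        - less
+      set_hardened_build_flags: |
+        export DEB_BUILD_HARDENING=1
+        export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'
+        mkdir -p /var/tmp/build
+        eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
   linux-asan:
     var:
       asan: 1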
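Review bot: `export DEB_BUILD_HARDENING=1` in the new `set_hardened_build_flags` was the on-switch of hardening-wrapper, which this same hunk removes from `deps`; as far as I know dpkg-buildflags does not read it, so unless another consumer does, the line is dead and implies the wrapper is still in play — either drop it or comment what still honours it. `DEB_BUILD_OPTIONS` is what dpkg-buildflags actually reads here, and a one-line comment above the block stating its contract, e.g. `# exports dpkg-buildflags CFLAGS/CXXFLAGS/CPPFLAGS/LDFLAGS into the caller's environment; projects/gcc/build keeps its own variant with -pie,-format`, would help readers find both copies. `- less` is added to the linux deps with no explanation; a trailing comment naming the build that needs it would keep the list auditable.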