boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: c606a927 by Nicolas Vigier at 2023-06-27T16:53:41+02:00 Bug 40102: Use Debian Stretch for Linux builds
- - - - -
18 changed files:
- projects/binutils/build - projects/binutils/config - − projects/bison/build - − projects/bison/config - projects/cmake/build - projects/container-image/config - projects/firefox/build - projects/firefox/config - projects/firefox/mozconfig - projects/gcc/build - projects/gcc/config - − projects/mmdebstrap-image/apt-key-allow-expired-key.patch - projects/mmdebstrap-image/config - projects/ninja/build - projects/rust/build - projects/sqlcipher/build - projects/stemns/build - rbm.conf
Changes:
===================================== projects/binutils/build ===================================== @@ -2,17 +2,7 @@ [% c("var/set_default_env") -%] mkdir /var/tmp/dist distdir=/var/tmp/dist/binutils -[% IF c("var/linux") %] - # Config options for hardening-wrapper - export DEB_BUILD_HARDENING=1 - export DEB_BUILD_HARDENING_STACKPROTECTOR=1 - export DEB_BUILD_HARDENING_FORTIFY=1 - export DEB_BUILD_HARDENING_FORMAT=1 - export DEB_BUILD_HARDENING_PIE=1 - - tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %] - export PATH=/var/tmp/dist/bison/bin:$PATH -[% END %] +[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
tar xf [% project %]-[% c("version") %].tar.xz cd [% project %]-[% c("version") %] @@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %] make -j[% c("num_procs") %] MAKEINFO=true make install MAKEINFO=true
-# gold is disabled for linux-cross, because of -# https://sourceware.org/bugzilla/show_bug.cgi?id=14995 -# Once we upgrade to glibc 2.26, we might be able to enable gold for -# linux-cross. -[% IF c("var/linux") && ! c("var/linux-cross") %] - # Make sure gold is used with the hardening wrapper for full RELRO, see #13031. - cd $distdir/bin - rm ld - cp /usr/bin/hardened-ld ./ - mv ld.gold ld.gold.real - ln -sf hardened-ld ld.gold - ln -sf ld.gold ld -[% END %] - cd /var/tmp/dist [% c('tar', { tar_src => [ project ],
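Review bot: With the hardened-ld shim removed in this hunk, nothing in the binutils build enforces `-z relro -z now` any more, so full RELRO now depends on each consumer supplying the flags itself (this commit does it for Firefox through mozconfig and, for projects that keep `hardened_gcc`, through dpkg-buildflags' `LDFLAGS`), whereas the shim applied them to every link whether or not the build system honours `$LDFLAGS`. The `ln -sf ld.gold ld` line is gone too, so unless the configure options outside this hunk make gold the default, `ld` now resolves to ld.bfd for every Linux project, which is a linker change rather than just a hardening change and deserves a comment saying it is intended. A short note here, e.g. `# RELRO/BIND_NOW are no longer forced by an ld wrapper; consumers must pass -z relro -z now via LDFLAGS`, would stop the next reader from assuming the linker still hardens by default.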
===================================== projects/binutils/config ===================================== @@ -22,7 +22,3 @@ input_files: file_gpg_id: 1 gpg_keyring: binutils.gpg - project: container-image - - project: bison - name: bison - # We try to use system's bison, but Jessie's is too old - enable: '[% c("var/linux") %]'
===================================== projects/bison/build deleted ===================================== @@ -1,13 +0,0 @@ -#!/bin/bash -[% c("var/set_default_env") -%] -distdir=/var/tmp/dist/bison -tar xf [% project %]-[% c("version") %].tar.xz -cd [% project %]-[% c("version") %] -./configure --prefix=$distdir -make -j[% c("num_procs") %] -make install -cd /var/tmp/dist -[% c('tar', { - tar_src => [ project ], - tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), - }) %]
===================================== projects/bison/config deleted ===================================== @@ -1,10 +0,0 @@ -# vim: filetype=yaml sw=2 -version: 3.8.2 -filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' -container: - use_container: 1 - -input_files: - - URL: https://ftp.gnu.org/gnu/bison/bison-%5B% c("version") %].tar.xz - sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2 - - project: container-image
===================================== projects/cmake/build ===================================== @@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %] [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'), hardened_gcc => 0 }) %] [% END -%] -mkdir /var/tmp/build +mkdir -p /var/tmp/build tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz cd /var/tmp/build/[% project %]-[% c('version') %] ./bootstrap --prefix=$distdir
===================================== projects/container-image/config ===================================== @@ -11,8 +11,8 @@ var:
lsb_release: id: Debian - codename: jessie - release: 8.11 + codename: stretch + release: 9.13
targets: no_containers: @@ -33,18 +33,13 @@ pre: | # version of required packages. apt-get update -y -q [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%] - [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %] - [% IF c("var/linux-cross") -%] - dpkg --add-architecture [% c("var/arch_debian") %] - [% END -%] - [% IF c("var/container/suite") == "jessie" -%] - # We need to use faketime to run `apt-get update` on jessie, because of - # expired key. See tor-browser-build#40693 - dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb - [% END -%] - # Update the package cache again because `pre_pkginst` may change the - # package manager configuration. - [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q + [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %] + [% IF c("var/linux-cross") -%] + dpkg --add-architecture [% c("var/arch_debian") %] + [% END -%] + # Update the package cache again because `pre_pkginst` may change the + # package manager configuration. + apt-get update -y -q [% END -%] apt-get upgrade -y -q [% @@ -87,9 +82,3 @@ input_files: - project: mmdebstrap-image target: - '[% c("var/container/suite") %]-[% c("var/container/arch") %]' - - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64... - sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213 - enable: '[% c("var/container/suite") == "jessie" %]' - - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_am... - sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4 - enable: '[% c("var/container/suite") == "jessie" %]'
===================================== projects/firefox/build ===================================== @@ -1,6 +1,9 @@ #!/bin/bash [% c("var/set_default_env") -%] -[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %] +[% pc(c('var/compiler'), 'var/setup', { + compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')), + hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags + }) %] distdir=/var/tmp/dist/[% project %] mkdir -p /var/tmp/build mkdir -p [% dest_dir _ '/' _ c('filename') %]
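Review bot: The added comment `# don't set hardened_gcc since firefox is setting the hardened flags` is too vague to audit: the only Firefox hardening flag visible in this commit is the RELRO/BIND_NOW `LDFLAGS` added to mozconfig, while stack protector, FORTIFY_SOURCE and PIE are now supplied neither by the removed wrapper nor by dpkg-buildflags (disabled by `hardened_gcc => 0`). If those come from Firefox's own configure (presumably a hardening option in mozconfig, outside this diff), name it so the claim can be checked, e.g. `# hardened_gcc => 0: stack protector/FORTIFY/PIE come from Firefox's configure (see mozconfig); full RELRO from LDFLAGS there`. The build script continues past the hunk.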
===================================== projects/firefox/config ===================================== @@ -96,7 +96,6 @@ targets: - libgtk-3-dev - libdbus-glib-1-dev - libxt-dev - - hardening-wrapper # To pass configure since ESR 31 - libpulse-dev # To pass configure since ESR 52 @@ -116,7 +115,6 @@ targets: - libgtk-3-dev:i386 - libdbus-glib-1-dev:i386 - libxt-dev:i386 - - hardening-wrapper # To pass configure since ESR 31 - libpulse-dev:i386 # To pass configure since ESR 52
===================================== projects/firefox/mozconfig ===================================== @@ -10,6 +10,9 @@ HOST_CXX=$CXX
export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc' + + # set LDFLAGS for Full RELRO + export LDFLAGS="-Wl,-z,relro -Wl,-z,now" [% END -%]
[% IF c("var/windows") -%]
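Review bot: `export LDFLAGS="-Wl,-z,relro -Wl,-z,now"` is now the sole source of full RELRO for the Linux Firefox build, because the ld shim that used to force it is removed elsewhere in this commit, yet nothing verifies the produced libraries and the enclosing `[% IF … %]` block starts outside the hunk, so which targets it covers is not visible here (the `BINDGEN_CFLAGS` line suggests the Linux gcc branch). A one-line comment would record that dependency: `# Full RELRO used to be forced by hardening-wrapper's ld shim; since the Stretch move it is set only here`. Consider a post-build assertion on the output, e.g. `readelf -dW libxul.so | grep -q BIND_NOW || exit 1`, so a later toolchain or mozconfig change cannot drop it silently.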
===================================== projects/gcc/build ===================================== @@ -1,23 +1,23 @@ #!/bin/sh [% c("var/set_default_env") -%] -[% IF c("var/linux") -%] - # Config options for hardening-wrapper +mkdir -p /var/tmp/build +[% IF c("var/linux") && ! c("var/linux-cross") -%] + # Config options for hardening export DEB_BUILD_HARDENING=1 - export DEB_BUILD_HARDENING_STACKPROTECTOR=1 - export DEB_BUILD_HARDENING_FORTIFY=1 # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation. # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not # doing so would make precompiled headers (PCH) fail. # It is okay for us to omit this right now as it does not change any hardening # flags in the resulting bundles. - export DEB_BUILD_HARDENING_PIE=0 + # # We need to disable `-Werror=format-security` as GCC does not build with it # anymore. It seems it got audited for those problems already: # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817. - export DEB_BUILD_HARDENING_FORMAT=0 + export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format + eval $(cd /var/tmp/build; dpkg-buildflags --export=sh) + export OPT_LDFLAGS="$LDFLAGS" [% END -%] distdir=/var/tmp/dist/[% c("var/distdir") %] -mkdir /var/tmp/build
[% IF c("var/linux-cross") -%]
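Review bot: The condition was narrowed from `IF c("var/linux")` to `IF c("var/linux") && ! c("var/linux-cross")`, so the linux-cross GCC build no longer exports any hardening flags, and nothing in the hunk says why (presumably dpkg-buildflags would emit host-architecture flags the cross build cannot use, which is worth stating in a comment). `export DEB_BUILD_HARDENING=1` is the removed hardening-wrapper's switch; dpkg-buildflags reads `DEB_BUILD_OPTIONS`/`DEB_BUILD_MAINT_OPTIONS`, so that line is now inert and should go or be annotated. The PIE paragraph now ends in a bare `#` before the format-security paragraph and neither names the `-pie`/`-format` tokens it justifies; a single comment such as `# -pie: PCH breaks when GCC itself is built PIE (r223796); -format: GCC no longer builds with -Werror=format-security (PR48817)` placed directly above the `DEB_BUILD_OPTIONS` line keeps the rationale attached to the flags. The script continues past the hunk.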
===================================== projects/gcc/config ===================================== @@ -18,26 +18,7 @@ var: [% IF ! c("var/linux-cross") -%] export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32 [% END -%] - - [% IF c("hardened_gcc") -%] - # Config options for hardening-wrapper - export DEB_BUILD_HARDENING=1 - export DEB_BUILD_HARDENING_STACKPROTECTOR=1 - export DEB_BUILD_HARDENING_FORTIFY=1 - export DEB_BUILD_HARDENING_FORMAT=1 - export DEB_BUILD_HARDENING_PIE=1 - - # Make sure we use the hardening wrapper - pushd /var/tmp/dist/[% c("var/distdir") %]/bin - cp /usr/bin/hardened-cc ./ - mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real - mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real - mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real - ln -sf hardened-cc [% c("var/target_prefix") %]gcc - ln -sf hardened-cc [% c("var/target_prefix") %]c++ - ln -sf hardened-cc [% c("var/target_prefix") %]g++ - popd - [% END -%] + [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
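Review bot: `GET c("var/set_hardened_build_flags")` expands to nothing when the variable is undefined for a target, and in this commit it is only added under the Linux target's `var:` in rbm.conf, whereas the wrapper block it replaces ran for any target with `hardened_gcc` set (the windows and linux-cross targets below drop `hardening-wrapper` from their deps, so they were previously covered). If any non-Linux target still builds with `hardened_gcc`, its hardening disappears without an error; a guard such as `[% IF c("hardened_gcc") && ! c("var/set_hardened_build_flags"); THROW rbm "set_hardened_build_flags is undefined for this target"; END %]` would make that loud. Unlike the shim, exported `CFLAGS`/`LDFLAGS` only reach builds whose build systems honour those variables, which deserves a one-line comment next to the `GET`. The `var/setup` script continues outside the hunk.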
targets: windows: @@ -51,7 +32,6 @@ targets: var: configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686 arch_deps: - - hardening-wrapper - libc6-dev-i386 linux-cross: var: @@ -64,7 +44,6 @@ targets: glibc_version: 2.26 linux_version: 4.10.1 arch_deps: - - hardening-wrapper - libc6-dev-i386 - gawk linux-arm:
===================================== projects/mmdebstrap-image/apt-key-allow-expired-key.patch deleted ===================================== @@ -1,23 +0,0 @@ ---- o/apt-key 2022-11-30 14:57:12.742026261 +0000 -+++ n/apt-key 2022-12-01 08:38:08.170140893 +0000 -@@ -815,11 +815,18 @@ - create_gpg_home - fi - setup_merged_keyring -+ tmpfile=$(mktemp) -+ set +e - if [ -n "$FORCED_KEYRING" ]; then -- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@" -+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@") - else -- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" -+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@") - fi -+ err=$? -+ set -e -+ cat "$tmpfile" | sed 's/^[GNUPG:] EXPKEYSIG /[GNUPG:] GOODSIG /' >&${GPGSTATUSFD} -+ rm -f "$tmpfile" -+ exit $err - ;; - help) - usage
===================================== projects/mmdebstrap-image/config ===================================== @@ -6,7 +6,7 @@ container: use_container: 1
var: - ubuntu_version: 22.04.1 + ubuntu_version: 22.04.2
pre: | #!/bin/sh @@ -16,14 +16,6 @@ pre: | apt-get update -y -q apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
- [% IF c("var/container/suite") == "jessie" -%] - apt-get install -y -q patch - cd /usr/bin - # The gpg key for jessie is expired. We patch apt-key to accept expired keys. - patch -p1 < $rootdir/apt-key-allow-expired-key.patch - cd $rootdir - [% END -%] - export SOURCE_DATE_EPOCH='[% c("timestamp") %]' tar -xf [% c('input_files_by_name/mmdebstrap') %] ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %] @@ -39,16 +31,16 @@ pre: | mv output.tar.gz [% dest_dir %]/[% c("filename") %]
targets: - jessie-amd64: + stretch-amd64: var: - minimal_apt_version: 1.0.9.8.6 - + minimal_apt_version: 1.4.11 container: - suite: jessie + suite: stretch arch: amd64 debian_mirror: > - "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main" - "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main" + "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main" + "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main" +
bullseye-amd64: var: @@ -62,6 +54,4 @@ input_files: name: mmdebstrap - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/%5B% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz' filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz' - sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4 - - filename: apt-key-allow-expired-key.patch - enable: '[% c("var/container/suite") == "jessie" %]' + sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d
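Review bot: The new `stretch-amd64` target fetches `stretch main` and `stretch/updates main` from `archive.debian.org`, a suite that is no longer served by live mirrors and receives no further security updates, so the `stretch/updates` line is frozen history rather than a source of fixes. That is a defensible trade-off for a reproducible base with an old glibc (presumably the motivation), but the rationale and lifecycle should be recorded next to the target, e.g. `# stretch is EOL and served from archive.debian.org only; the toolchain is self-built and the image just provides the base system. Revisit when the glibc baseline moves.`. Nothing here pins an archive snapshot, so image reproducibility rests on archive.debian.org staying immutable, which is worth stating alongside `minimal_apt_version`.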
===================================== projects/ninja/build ===================================== @@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %] [% IF c("var/linux") -%] [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %] [% END -%] -mkdir /var/tmp/build +mkdir -p /var/tmp/build tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz cd /var/tmp/build/[% project %]-[% c('version') %]
===================================== projects/rust/build ===================================== @@ -50,7 +50,7 @@ EOF [% END %]
cd $rootdir -mkdir /var/tmp/build +mkdir -p /var/tmp/build tar -C /var/tmp/build -xf [% c('input_files_by_name/rust') %] cd /var/tmp/build/rustc-[% c('version') %]-src
===================================== projects/sqlcipher/build ===================================== @@ -3,7 +3,7 @@ [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %] distdir=/var/tmp/dist/sqlcipher builddir=/var/tmp/build/[% project %] -mkdir /var/tmp/build +mkdir -p /var/tmp/build tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
[% IF ! c("var/sqlcipher-linux-x86_64") -%]
===================================== projects/stemns/build ===================================== @@ -1,8 +1,8 @@ #!/bin/sh [% c("var/set_default_env") -%] distdir=/var/tmp/dist/StemNS -mkdir /var/tmp/build -mkdir /var/tmp/dist +mkdir -p /var/tmp/build +mkdir -p /var/tmp/dist
# Extract StemNS tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
===================================== rbm.conf ===================================== @@ -491,7 +491,7 @@ targets: # Temporarily disabled until we have a fix for tor-browser-build#40845 #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]' container: - suite: jessie + suite: stretch arch: amd64 pre_pkginst: dpkg --add-architecture i386 deps: @@ -503,13 +503,18 @@ targets: - build-essential - python - bison - - hardening-wrapper - automake - libtool - zip - unzip - xz-utils - patch + - less + set_hardened_build_flags: | + export DEB_BUILD_HARDENING=1 + export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format' + mkdir -p /var/tmp/build + eval $(cd /var/tmp/build; dpkg-buildflags --export=sh) linux-asan: var: asan: 1
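Review bot: `+pie` in `set_hardened_build_flags` may add no flags at all: dpkg-buildflags derives PIE flags from whether it believes the distro compiler defaults to PIE, and on stretch/amd64 it does, so `+pie` emits no `-fPIE`/`-pie` (while `-pie`, as used in projects/gcc/build, emits `-fno-PIE`/`-no-pie`) — please confirm against the stretch dpkg. The builds here use the self-built GCC in `/var/tmp/dist/gcc`, which only defaults to PIE if configured with `--enable-default-pie`, and that option is not visible in this diff, so hardened-gcc projects could silently lose PIE. Verify with `readelf -h` (`Type: DYN`) on a hardened-gcc-built executable or add `--enable-default-pie` to the GCC configure options, and record the dependency: `# dpkg-buildflags assumes a default-PIE compiler on amd64, so +pie adds no flags; the gcc project must be built with --enable-default-pie`. As in projects/gcc/build, `export DEB_BUILD_HARDENING=1` is the removed wrapper's variable and is inert for dpkg-buildflags.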