[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [Git][tpo/applications/tor-browser-build][main] Bug 40102: Use Debian Stretch for Linux builds

Title: GitLab

boklm pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

  • c606a927
    by Nicolas Vigier at 2023-06-27T16:53:41+02:00 
    Bug 40102: Use Debian Stretch for Linux builds

18 changed files:

Changes:

  • projects/binutils/build
    ... ... @@ -2,17 +2,7 @@
    2 2 
     [% c("var/set_default_env") -%]
    3 3 
     mkdir /var/tmp/dist
    4 4 
     distdir=/var/tmp/dist/binutils
    5 
    -[% IF c("var/linux") %]
    6 
    -  # Config options for hardening-wrapper
    7 
    -  export DEB_BUILD_HARDENING=1
    8 
    -  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
    9 
    -  export DEB_BUILD_HARDENING_FORTIFY=1
    10 
    -  export DEB_BUILD_HARDENING_FORMAT=1
    11 
    -  export DEB_BUILD_HARDENING_PIE=1
    12 
    -
    13 
    -  tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]
    14 
    -  export PATH=/var/tmp/dist/bison/bin:$PATH
    15 
    -[% END %]
    5 
    +[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
    16 6
    17 7 
     tar xf [% project %]-[% c("version") %].tar.xz
    18 8 
     cd [% project %]-[% c("version") %]
    ... ... @@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %]
    23 13 
     make -j[% c("num_procs") %] MAKEINFO=true
    24 14 
     make install MAKEINFO=true
    25 15
    26 
    -# gold is disabled for linux-cross, because of
    27 
    -# https://sourceware.org/bugzilla/show_bug.cgi?id=14995
    28 
    -# Once we upgrade to glibc 2.26, we might be able to enable gold for
    29 
    -# linux-cross.
    30 
    -[% IF c("var/linux") && ! c("var/linux-cross") %]
    31 
    -  # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.
    32 
    -  cd $distdir/bin
    33 
    -  rm ld
    34 
    -  cp /usr/bin/hardened-ld ./
    35 
    -  mv ld.gold ld.gold.real
    36 
    -  ln -sf hardened-ld ld.gold
    37 
    -  ln -sf ld.gold ld
    38 
    -[% END %]
    39 
    -
    40 16 
     cd /var/tmp/dist
    41 17 
     [% c('tar', {
    42 18 
             tar_src => [ project ],

  • projects/binutils/config
    ... ... @@ -22,7 +22,3 @@ input_files:
    22 22 
         file_gpg_id: 1
    23 23 
         gpg_keyring: binutils.gpg
    24 24 
       - project: container-image
    25 
    -  - project: bison
    26 
    -    name: bison
    27 
    -    # We try to use system's bison, but Jessie's is too old
    28 
    -    enable: '[% c("var/linux") %]'

  • projects/bison/build deleted
    1 
    -#!/bin/bash
    2 
    -[% c("var/set_default_env") -%]
    3 
    -distdir=/var/tmp/dist/bison
    4 
    -tar xf [% project %]-[% c("version") %].tar.xz
    5 
    -cd [% project %]-[% c("version") %]
    6 
    -./configure --prefix=$distdir
    7 
    -make -j[% c("num_procs") %]
    8 
    -make install
    9 
    -cd /var/tmp/dist
    10 
    -[% c('tar', {
    11 
    -        tar_src => [ project ],
    12 
    -        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
    13 
    -        }) %]

  • projects/bison/config deleted
    1 
    -# vim: filetype=yaml sw=2
    2 
    -version: 3.8.2
    3 
    -filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
    4 
    -container:
    5 
    -  use_container: 1
    6 
    -
    7 
    -input_files:
    8 
    -  - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz
    9 
    -    sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2
    10 
    -  - project: container-image

  • projects/cmake/build
    ... ... @@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %]
    5 5 
       [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),
    6 6 
                                   hardened_gcc => 0 }) %]
    7 7 
     [% END -%]
    8 
    -mkdir /var/tmp/build
    8 
    +mkdir -p /var/tmp/build
    9 9 
     tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
    10 10 
     cd /var/tmp/build/[% project %]-[% c('version') %]
    11 11 
     ./bootstrap --prefix=$distdir

  • projects/container-image/config
    ... ... @@ -11,8 +11,8 @@ var:
    11 11
    12 12 
     lsb_release:
    13 13 
       id: Debian
    14 
    -  codename: jessie
    15 
    -  release: 8.11
    14 
    +  codename: stretch
    15 
    +  release: 9.13
    16 16
    17 17 
     targets:
    18 18 
       no_containers:
    ... ... @@ -33,18 +33,13 @@ pre: |
    33 33 
       # version of required packages.
    34 34 
       apt-get update -y -q
    35 35 
       [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]
    36 
    -  [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
    37 
    -  [% IF c("var/linux-cross") -%]
    38 
    -    dpkg --add-architecture [% c("var/arch_debian") %]
    39 
    -  [% END -%]
    40 
    -  [% IF c("var/container/suite") == "jessie" -%]
    41 
    -    # We need to use faketime to run `apt-get update` on jessie, because of
    42 
    -    # expired key. See tor-browser-build#40693
    43 
    -    dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb
    44 
    -  [% END -%]
    45 
    -  # Update the package cache again because `pre_pkginst` may change the
    46 
    -  # package manager configuration.
    47 
    -  [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q
    36 
    +    [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
    37 
    +    [% IF c("var/linux-cross") -%]
    38 
    +      dpkg --add-architecture [% c("var/arch_debian") %]
    39 
    +    [% END -%]
    40 
    +    # Update the package cache again because `pre_pkginst` may change the
    41 
    +    # package manager configuration.
    42 
    +    apt-get update -y -q
    48 43 
       [% END -%]
    49 44 
       apt-get upgrade -y -q
    50 45 
       [%
    ... ... @@ -87,9 +82,3 @@ input_files:
    87 82 
       - project: mmdebstrap-image
    88 83 
         target:
    89 84 
           - '[% c("var/container/suite") %]-[% c("var/container/arch") %]'
    90 
    -  - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb
    91 
    -    sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213
    92 
    -    enable: '[% c("var/container/suite") == "jessie" %]'
    93 
    -  - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb
    94 
    -    sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4
    95 
    -    enable: '[% c("var/container/suite") == "jessie" %]'

  • projects/firefox/build
    1 1 
     #!/bin/bash
    2 2 
     [% c("var/set_default_env") -%]
    3 
    -[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
    3 
    +[% pc(c('var/compiler'), 'var/setup', {
    4 
    +        compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
    5 
    +        hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags
    6 
    +      }) %]
    4 7 
     distdir=/var/tmp/dist/[% project %]
    5 8 
     mkdir -p /var/tmp/build
    6 9 
     mkdir -p [% dest_dir _ '/' _ c('filename') %]

  • projects/firefox/config
    ... ... @@ -96,7 +96,6 @@ targets:
    96 96 
             - libgtk-3-dev
    97 97 
             - libdbus-glib-1-dev
    98 98 
             - libxt-dev
    99 
    -        - hardening-wrapper
    100 99 
             # To pass configure since ESR 31
    101 100 
             - libpulse-dev
    102 101 
             # To pass configure since ESR 52
    ... ... @@ -116,7 +115,6 @@ targets:
    116 115 
             - libgtk-3-dev:i386
    117 116 
             - libdbus-glib-1-dev:i386
    118 117 
             - libxt-dev:i386
    119 
    -        - hardening-wrapper
    120 118 
             # To pass configure since ESR 31
    121 119 
             - libpulse-dev:i386
    122 120 
             # To pass configure since ESR 52

  • projects/firefox/mozconfig
    ... ... @@ -10,6 +10,9 @@
    10 10 
       HOST_CXX=$CXX
    11 11
    12 12 
       export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'
    13 
    +
    14 
    +  # set LDFLAGS for Full RELRO
    15 
    +  export LDFLAGS="-Wl,-z,relro -Wl,-z,now"
    13 16 
     [% END -%]
    14 17
    15 18 
     [% IF c("var/windows") -%]

  • projects/gcc/build
    1 1 
     #!/bin/sh
    2 2 
     [% c("var/set_default_env") -%]
    3 
    -[% IF c("var/linux") -%]
    4 
    -  # Config options for hardening-wrapper
    3 
    +mkdir -p /var/tmp/build
    4 
    +[% IF c("var/linux") && ! c("var/linux-cross") -%]
    5 
    +  # Config options for hardening
    5 6 
       export DEB_BUILD_HARDENING=1
    6 
    -  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
    7 
    -  export DEB_BUILD_HARDENING_FORTIFY=1
    8 7 
       # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.
    9 8 
       # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not
    10 9 
       # doing so would make precompiled headers (PCH) fail.
    11 10 
       # It is okay for us to omit this right now as it does not change any hardening
    12 11 
       # flags in the resulting bundles.
    13 
    -  export DEB_BUILD_HARDENING_PIE=0
    12 
    +  #
    14 13 
       # We need to disable `-Werror=format-security` as GCC does not build with it
    15 14 
       # anymore. It seems it got audited for those problems already:
    16 15 
       # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
    17 
    -  export DEB_BUILD_HARDENING_FORMAT=0
    16 
    +  export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format
    17 
    +  eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
    18 
    +  export OPT_LDFLAGS="$LDFLAGS"
    18 19 
     [% END -%]
    19 20 
     distdir=/var/tmp/dist/[% c("var/distdir") %]
    20 
    -mkdir /var/tmp/build
    21 21
    22 22 
     [% IF c("var/linux-cross") -%]
    23 23

  • projects/gcc/config
    ... ... @@ -18,26 +18,7 @@ var:
    18 18 
         [% IF ! c("var/linux-cross") -%]
    19 19 
           export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32
    20 20 
         [% END -%]
    21 
    -
    22 
    -    [% IF c("hardened_gcc") -%]
    23 
    -      # Config options for hardening-wrapper
    24 
    -      export DEB_BUILD_HARDENING=1
    25 
    -      export DEB_BUILD_HARDENING_STACKPROTECTOR=1
    26 
    -      export DEB_BUILD_HARDENING_FORTIFY=1
    27 
    -      export DEB_BUILD_HARDENING_FORMAT=1
    28 
    -      export DEB_BUILD_HARDENING_PIE=1
    29 
    -
    30 
    -      # Make sure we use the hardening wrapper
    31 
    -      pushd /var/tmp/dist/[% c("var/distdir") %]/bin
    32 
    -      cp /usr/bin/hardened-cc ./
    33 
    -      mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real
    34 
    -      mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real
    35 
    -      mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real
    36 
    -      ln -sf hardened-cc [% c("var/target_prefix") %]gcc
    37 
    -      ln -sf hardened-cc [% c("var/target_prefix") %]c++
    38 
    -      ln -sf hardened-cc [% c("var/target_prefix") %]g++
    39 
    -      popd
    40 
    -    [% END -%]
    21 
    +    [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
    41 22
    42 23 
     targets:
    43 24 
       windows:
    ... ... @@ -51,7 +32,6 @@ targets:
    51 32 
         var:
    52 33 
           configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
    53 34 
           arch_deps:
    54 
    -        - hardening-wrapper
    55 35 
             - libc6-dev-i386
    56 36 
       linux-cross:
    57 37 
         var:
    ... ... @@ -64,7 +44,6 @@ targets:
    64 44 
           glibc_version: 2.26
    65 45 
           linux_version: 4.10.1
    66 46 
           arch_deps:
    67 
    -        - hardening-wrapper
    68 47 
             - libc6-dev-i386
    69 48 
             - gawk
    70 49 
       linux-arm:

  • projects/mmdebstrap-image/apt-key-allow-expired-key.patch deleted
    1 
    ---- o/apt-key	2022-11-30 14:57:12.742026261 +0000
    2 
    -+++ n/apt-key	2022-12-01 08:38:08.170140893 +0000
    3 
    -@@ -815,11 +815,18 @@
    4 
    - 	    create_gpg_home
    5 
    - 	fi
    6 
    - 	setup_merged_keyring
    7 
    -+	tmpfile=$(mktemp)
    8 
    -+	set +e
    9 
    - 	if [ -n "$FORCED_KEYRING" ]; then
    10 
    --	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
    11 
    -+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")
    12 
    - 	else
    13 
    --	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
    14 
    -+	    (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")
    15 
    - 	fi
    16 
    -+	err=$?
    17 
    -+	set -e
    18 
    -+	cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}
    19 
    -+	rm -f "$tmpfile"
    20 
    -+	exit $err
    21 
    - 	;;
    22 
    -     help)
    23 
    -         usage

  • projects/mmdebstrap-image/config
    ... ... @@ -6,7 +6,7 @@ container:
    6 6 
       use_container: 1
    7 7
    8 8 
     var:
    9 
    -  ubuntu_version: 22.04.1
    9 
    +  ubuntu_version: 22.04.2
    10 10
    11 11 
     pre: |
    12 12 
       #!/bin/sh
    ... ... @@ -16,14 +16,6 @@ pre: |
    16 16 
       apt-get update -y -q
    17 17 
       apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
    18 18
    19 
    -  [% IF c("var/container/suite") == "jessie" -%]
    20 
    -    apt-get install -y -q patch
    21 
    -    cd /usr/bin
    22 
    -    # The gpg key for jessie is expired. We patch apt-key to accept expired keys.
    23 
    -    patch -p1 < $rootdir/apt-key-allow-expired-key.patch
    24 
    -    cd $rootdir
    25 
    -  [% END -%]
    26 
    -
    27 19 
       export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
    28 20 
       tar -xf [% c('input_files_by_name/mmdebstrap') %]
    29 21 
       ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
    ... ... @@ -39,16 +31,16 @@ pre: |
    39 31 
       mv output.tar.gz [% dest_dir %]/[% c("filename") %]
    40 32
    41 33 
     targets:
    42 
    -  jessie-amd64:
    34 
    +  stretch-amd64:
    43 35 
         var:
    44 
    -      minimal_apt_version: 1.0.9.8.6
    45 
    -
    36 
    +      minimal_apt_version: 1.4.11
    46 37 
           container:
    47 
    -        suite: jessie
    38 
    +        suite: stretch
    48 39 
             arch: amd64
    49 40 
             debian_mirror: >
    50 
    -          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"
    51 
    -          "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"
    41 
    +          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"
    42 
    +          "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"
    43 
    +
    52 44
    53 45 
       bullseye-amd64:
    54 46 
         var:
    ... ... @@ -62,6 +54,4 @@ input_files:
    62 54 
         name: mmdebstrap
    63 55 
       - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
    64 56 
         filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
    65 
    -    sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4
    66 
    -  - filename: apt-key-allow-expired-key.patch
    67 
    -    enable: '[% c("var/container/suite") == "jessie" %]'
    57 
    +    sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d

  • projects/ninja/build
    ... ... @@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %]
    8 8 
     [% IF c("var/linux") -%]
    9 9 
       [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]
    10 10 
     [% END -%]
    11 
    -mkdir /var/tmp/build
    11 
    +mkdir -p /var/tmp/build
    12 12 
     tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
    13 13 
     cd /var/tmp/build/[% project %]-[% c('version') %]
    14 14

  • projects/rust/build
    ... ... @@ -50,7 +50,7 @@ EOF
    50 50 
     [% END %]
    51 51
    52 52 
     cd $rootdir
    53 
    -mkdir /var/tmp/build
    53 
    +mkdir -p /var/tmp/build
    54 54 
     tar -C /var/tmp/build -xf  [% c('input_files_by_name/rust') %]
    55 55 
     cd /var/tmp/build/rustc-[% c('version') %]-src
    56 56

  • projects/sqlcipher/build
    ... ... @@ -3,7 +3,7 @@
    3 3 
     [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
    4 4 
     distdir=/var/tmp/dist/sqlcipher
    5 5 
     builddir=/var/tmp/build/[% project %]
    6 
    -mkdir /var/tmp/build
    6 
    +mkdir -p /var/tmp/build
    7 7 
     tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
    8 8
    9 9 
     [% IF ! c("var/sqlcipher-linux-x86_64") -%]

  • projects/stemns/build
    1 1 
     #!/bin/sh
    2 2 
     [% c("var/set_default_env") -%]
    3 3 
     distdir=/var/tmp/dist/StemNS
    4 
    -mkdir /var/tmp/build
    5 
    -mkdir /var/tmp/dist
    4 
    +mkdir -p /var/tmp/build
    5 
    +mkdir -p /var/tmp/dist
    6 6
    7 7 
     # Extract StemNS
    8 8 
     tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz

  • rbm.conf
    ... ... @@ -491,7 +491,7 @@ targets:
    491 491 
           # Temporarily disabled until we have a fix for tor-browser-build#40845
    492 492 
           #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'
    493 493 
           container:
    494 
    -        suite: jessie
    494 
    +        suite: stretch
    495 495 
             arch: amd64
    496 496 
           pre_pkginst: dpkg --add-architecture i386
    497 497 
           deps:
    ... ... @@ -503,13 +503,18 @@ targets:
    503 503 
             - build-essential
    504 504 
             - python
    505 505 
             - bison
    506 
    -        - hardening-wrapper
    507 506 
             - automake
    508 507 
             - libtool
    509 508 
             - zip
    510 509 
             - unzip
    511 510 
             - xz-utils
    512 511 
             - patch
    512 
    +        - less
    513 
    +      set_hardened_build_flags: |
    514 
    +        export DEB_BUILD_HARDENING=1
    515 
    +        export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'
    516 
    +        mkdir -p /var/tmp/build
    517 
    +        eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
    513 518 
       linux-asan:
    514 519 
         var:
    515 520 
           asan: 1


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications · Help 

    _______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits