unofficial mirror of guix-patches@gnu.org 
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 43160@debbugs.gnu.org
Cc: mhw@netris.org, Maxim Cournoyer <maxim.cournoyer@gmail.com>,
	leo@famulari.name
Subject: [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases.
Date: Fri, 11 Sep 2020 10:44:58 -0400
Message-ID: <20200911144459.27220-1-maxim.cournoyer@gmail.com>
In-Reply-To: <87a6y1cg3i.fsf@netris.org>


* gnu/packages/linux.scm (make-linux-libre-source): Rename the UPSTREAM-SOURCE
parameter to LINUX-UPSTREAM-SOURCE.  Add a new LINUX-LIBRE-UPSTREAM-SOURCE
parameter.  Update doc.  Adjust variable names.  Capitalize "Linux" in the
user messages.  Remove empty directories from the generated sources, then
invoke diff between these sources and those of the corresponding Linux-libre
release, unless LINUX-LIBRE-UPSTREAM-SOURCE is #f.
(%upstream-linux-source): Convert the hash as base32 inside the definition, to
simplify its use.
(%upstream-linux-libre-source): New procedure.
(linux-libre-5.8-pristine-source): Add a LIBRE-HASH binding and use it with
%UPSTREAM-LINUX-LIBRE-SOURCE to provide the Linux-libre release origin to the
make-linux-libre-source procedure call.
(linux-libre-5.4-pristine-source): Likewise.
(linux-libre-4.19-pristine-source): Likewise.
(linux-libre-4.14-pristine-source): Likewise.
(linux-libre-4.9-pristine-source): Likewise.
(linux-libre-4.4-pristine-source): Likewise.
---
 gnu/packages/linux.scm | 79 ++++++++++++++++++++++++++++++++----------
 1 file changed, 61 insertions(+), 18 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 72fb3ca49d..1df66330cb 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -221,10 +221,18 @@ from forcing GEXP-PROMISE."
                       #:guile-for-build guile)))
 
 (define (make-linux-libre-source version
-                                 upstream-source
+                                 linux-upstream-source
+                                 linux-libre-upstream-source
                                  deblob-scripts)
   "Return a 'computed' origin that generates a Linux-libre tarball from the
-corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
+corresponding LINUX-UPSTREAM-SOURCE (an origin), using the given
+DEBLOB-SCRIPTS.  The generated Linux-libre source is compared against the
+corresponding LINUX-LIBRE-UPSTREAM-SOURCE upstream release (an origin), to
+ensure correctness.  This comparison is skipped when
+LINUX-LIBRE-UPSTREAM-SOURCE is set to #f.  This can be used in exceptional
+cases where for security reasons an update must be pushed before the
+Linux-libre project could publish a cleaned up tree.  Manual screening of the
+new Linux changes for nonfree code is required when skipping the comparison."
   (match deblob-scripts
     ((deblob-version (? origin? deblob) (? origin? deblob-check))
      (unless (string=? deblob-version (version-major+minor version))
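Review bot: The new docstring says the comparison is done "to ensure correctness" but does not say what happens when the trees differ; since the later hunk runs "diff" through invoke, state here that any difference aborts the build, so a reader understands why passing #f is the only way to produce a source before the Linux-libre release exists. The new parameter is positional and placed before DEBLOB-SCRIPTS, so any caller still using the three-argument form will break; that deserves a line in the commit message. Nit: "cleaned up tree" should read "cleaned-up tree".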
@@ -281,14 +289,14 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
                       (("/bin/sed") (which "sed"))
                       (("/usr/bin/python") (which "python"))))
 
-                  (if (file-is-directory? #+upstream-source)
+                  (if (file-is-directory? #+linux-upstream-source)
                       (begin
-                        (format #t "Copying upstream linux source...~%")
-                        (invoke "cp" "--archive" #+upstream-source dir)
+                        (format #t "Copying upstream Linux source...~%")
+                        (invoke "cp" "--archive" #+linux-upstream-source dir)
                         (invoke "chmod" "--recursive" "u+w" dir))
                       (begin
-                        (format #t "Unpacking upstream linux tarball...~%")
-                        (invoke "tar" "xf" #$upstream-source)
+                        (format #t "Unpacking upstream Linux tarball...~%")
+                        (invoke "tar" "xf" #$linux-upstream-source)
                         (match (scandir "."
                                         (lambda (name)
                                           (and (not (member name '("." "..")))
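Review bot: The tar branch still references the source as #$linux-upstream-source, while the file-is-directory? test and the cp branch use #+linux-upstream-source; since the rename touches all three lines anyway, make them consistent, or add a comment if the difference is intentional.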
@@ -315,7 +323,22 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
 
                   (format #t "~%Scanning the generated tarball for blobs...~%")
                   (invoke "/tmp/bin/deblob-check" "--use-awk" "--list-blobs"
-                          #$output))))))))))
+                          #$output)
+
+                  (if #+linux-libre-upstream-source
+                      (begin
+
+                        ;; Git doesn't track empty directories, so remove them
+                        ;; from our local tree for the sake of comparison.
+                        (invoke "find" dir "-type" "d" "-empty" "-delete")
+                        (invoke "diff" "-ur"
+                                dir
+                                #+linux-libre-upstream-source))
+                      (begin
+                        (format #t "~%Skipping comparison with the upstream \
+Linux-libre release...  Ensure new sources have been manually verified \
+against nonfree software.~%")
+                        #t)))))))))))
 
 \f
 ;;;
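Review bot: In the else branch, skipping the comparison only prints a line to the build log and returns #t, so a source built with LINUX-LIBRE-UPSTREAM-SOURCE set to #f looks the same afterwards as one that passed the diff; consider requiring a comment at the call site that explains why the check is off, and reword "manually verified against nonfree software" to something like "manually checked for nonfree software". In the comparing branch, "diff -ur" compares file contents but not file modes, and it runs on dir after empty directories were deleted and after the tarball in #$output was already scanned, so a short comment saying the check is content-only and is made on the working tree rather than on the packed tarball would help. The blank line after "(begin" can be dropped.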
@@ -344,8 +367,16 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
     (uri (string-append "mirror://kernel.org"
                         "/linux/kernel/v" (version-major version) ".x/"
                         "linux-" version ".tar.xz"))
-    (sha256 hash)))
+    (sha256 (base32 hash))))
 
+(define (%upstream-linux-libre-source version hash)
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+          (url "git://linux-libre.fsfla.org/releases.git")
+          (commit (string-append "sources/v" version "-gnu"))))
+    (file-name (git-file-name "linux-libre-source" version))
+    (sha256 (base32 hash))))
 
 ;; The current "stable" kernel. That is, the most recently released major
 ;; version.
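Review bot: The new origin fetches over "git://", which gives no transport authentication or encryption, so the integrity of the reference tree rests entirely on the pinned sha256; use an https URL if the Linux-libre server offers one, and add a comment saying how the hash is meant to be obtained and checked on a kernel update. %upstream-linux-libre-source has no docstring. Moving (base32 hash) inside %upstream-linux-source changes what callers must pass from a decoded hash to a base32 string; a docstring or comment there stating this would prevent a caller from wrapping the hash twice.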
@@ -357,9 +388,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0j6jba5fcddqlb42f95gjl78jisfla4nswqila074gglcrbnl9q7")))
 (define-public linux-libre-5.8-pristine-source
   (let ((version linux-libre-5.8-version)
-        (hash (base32 "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik")))
+        (hash "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik")
+        (libre-hash "0zjw82xrmlgmjb5w0ar4mhjsn9pf8halwzq6dvv71hmrmskjxbyn"))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
+                            (%upstream-linux-libre-source version libre-hash)
                             deblob-scripts-5.8)))
 
 ;; The "longterm" kernels — the older releases with long-term upstream support.
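Review bot: With two hash strings per kernel, "hash" and "libre-hash" are easy to confuse on an update; rename "hash" to something like "linux-hash" and add a comment above this first definition saying that both values must be refreshed together on each version bump. The same let form is now repeated in six definitions, which a small helper taking the version, both hashes and the deblob scripts would remove.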
@@ -373,10 +406,12 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1b3q88i2qfdxyvpi9f7jds0qlb8hfpw87mgia096ax6822c2cmyb")))
 (define-public linux-libre-5.4-pristine-source
   (let ((version linux-libre-5.4-version)
-        (hash (base32 "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr")))
-   (make-linux-libre-source version
-                            (%upstream-linux-source version hash)
-                            deblob-scripts-5.4)))
+        (hash "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr")
+        (libre-hash "150cz1h9cn8klh8dhnbhb9zmxc6pf6x9rj5fa2wv9k7r42lk9kis"))
+    (make-linux-libre-source version
+                             (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
+                             deblob-scripts-5.4)))
 
 (define-public linux-libre-4.19-version "4.19.144")
 (define deblob-scripts-4.19
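Review bot: All lines of the make-linux-libre-source call are removed and re-added with one more space of indentation, although only the %upstream-linux-libre-source argument is new; move the whitespace fix to its own commit or mention it in the commit message so the functional change stays easy to review.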
@@ -386,9 +421,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1jiaw0as1ippkrjdpd52657w5mz9qczg3y2hlra7m9k0xawwiqlf")))
 (define-public linux-libre-4.19-pristine-source
   (let ((version linux-libre-4.19-version)
-        (hash (base32 "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k")))
+        (hash "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k")
+        (libre-hash "04lijps8qjk3kwsgvkw9plhmy5rxgrp6ld82d96jgjm27s5xd308"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.19)))
 
 (define-public linux-libre-4.14-version "4.14.197")
@@ -399,9 +436,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1qij18inijj6c3ma8hv98yjagnzxdxyn134da9fd23ky8q6hbvky")))
 (define-public linux-libre-4.14-pristine-source
   (let ((version linux-libre-4.14-version)
-        (hash (base32 "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0")))
+        (hash "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0")
+        (libre-hash "1hbp1shhhifk3xy8026c466vpfpgll11xx1kawq97llx1pars4hn"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.14)))
 
 (define-public linux-libre-4.9-version "4.9.235")
@@ -412,9 +451,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0fxajshb75siq39lj5h8xvhdj8lcmddkslwlyj65rhlwk6g2r4b2")))
 (define-public linux-libre-4.9-pristine-source
   (let ((version linux-libre-4.9-version)
-        (hash (base32 "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6")))
+        (hash "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6")
+        (libre-hash "0sz73pxdz4kl4fyfvbkm7xzdhzx8x2xajr93mhapc65hssyz3059"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.9)))
 
 (define-public linux-libre-4.4-version "4.4.235")
@@ -425,9 +466,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0hhin1jpfkd6nwrb6xqxjzl3hdxy4pn8a15hy2d3d83yw6pflbsf")))
 (define-public linux-libre-4.4-pristine-source
   (let ((version linux-libre-4.4-version)
-        (hash (base32 "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd")))
+        (hash "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd")
+        (libre-hash "1pydy3cr4malqlr69ksw22nphpydfmpbrfh190ahgym741zdfncg"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.4)))
 
 (define %boot-logo-patch
-- 
2.28.0




