From mboxrd@z Thu Jan 1 00:00:00 1970
From: Maxim Cournoyer
Date: Fri, 11 Sep 2020 10:44:58 -0400
Subject: [bug#43160] [PATCH v3 1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases.
To: 43160@debbugs.gnu.org
Cc: mhw@netris.org, Maxim Cournoyer, leo@famulari.name
Message-Id: <20200911144459.27220-1-maxim.cournoyer@gmail.com>
In-Reply-To: <87a6y1cg3i.fsf@netris.org>
References: <87a6y1cg3i.fsf@netris.org>

* gnu/packages/linux.scm (make-linux-libre-source): Rename the UPSTREAM-SOURCE parameter to LINUX-UPSTREAM-SOURCE. Add a new LINUX-LIBRE-UPSTREAM-SOURCE parameter. Update doc. Adjust variable names. Capitalize "Linux" in the user messages. Remove empty directories from the generated sources, then invoke diff between these sources and those of the corresponding Linux-libre release, unless LINUX-LIBRE-UPSTREAM-SOURCE is #f.
(%upstream-linux-source): Convert the hash as base32 inside the definition, to simplify its use.
(%upstream-linux-libre-source): New procedure.
(linux-libre-5.8-pristine-source): Add a LIBRE-HASH binding and use it with %UPSTREAM-LINUX-LIBRE-SOURCE to provide the Linux-libre release origin to the make-linux-libre-source procedure call.
(linux-libre-5.4-pristine-source): Likewise.
(linux-libre-4.19-pristine-source): Likewise.
(linux-libre-4.14-pristine-source): Likewise.
(linux-libre-4.9-pristine-source): Likewise. (linux-libre-4.4-pristine-source): Likewise. --- gnu/packages/linux.scm | 79 ++++++++++++++++++++++++++++++++---------- 1 file changed, 61 insertions(+), 18 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 72fb3ca49d..1df66330cb 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -221,10 +221,18 @@ from forcing GEXP-PROMISE." #:guile-for-build guile))) (define (make-linux-libre-source version - upstream-source + linux-upstream-source + linux-libre-upstream-source deblob-scripts) "Return a 'computed' origin that generates a Linux-libre tarball from the -corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." +corresponding LINUX-UPSTREAM-SOURCE (an origin), using the given +DEBLOB-SCRIPTS. The generated Linux-libre source is compared against the +corresponding LINUX-LIBRE-UPSTREAM-SOURCE upstream release (an origin), to +ensure correctness. This comparison is skipped when +LINUX-LIBRE-UPSTREAM-SOURCE is set to #f. This can be used in exceptional +cases where for security reasons an update must be pushed before the +Linux-libre project could publish a cleaned up tree. Manual screening of the +new Linux changes for nonfree code is required when skipping the comparison." (match deblob-scripts ((deblob-version (? origin? deblob) (? origin? deblob-check)) (unless (string=? deblob-version (version-major+minor version)) 
@@ -281,14 +289,14 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (("/bin/sed") (which "sed")) (("/usr/bin/python") (which "python")))) - (if (file-is-directory? #+upstream-source) + (if (file-is-directory? #+linux-upstream-source) (begin - (format #t "Copying upstream linux source...~%") - (invoke "cp" "--archive" #+upstream-source dir) + (format #t "Copying upstream Linux source...~%") + (invoke "cp" "--archive" #+linux-upstream-source dir) (invoke "chmod" "--recursive" "u+w" dir)) (begin - (format #t "Unpacking upstream linux tarball...~%") - (invoke "tar" "xf" #$upstream-source) + (format #t "Unpacking upstream Linux tarball...~%") + (invoke "tar" "xf" #$linux-upstream-source) (match (scandir "." (lambda (name) (and (not (member name '("." ".."))) @@ -315,7 +323,22 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (format #t "~%Scanning the generated tarball for blobs...~%") (invoke "/tmp/bin/deblob-check" "--use-awk" "--list-blobs" - #$output)))))))))) + #$output) + + (if #+linux-libre-upstream-source + (begin + + ;; Git doesn't track empty directories, so remove them + ;; from our local tree for the sake of comparison. + (invoke "find" dir "-type" "d" "-empty" "-delete") + (invoke "diff" "-ur" + dir + #+linux-libre-upstream-source)) + (begin + (format #t "~%Skipping comparison with the upstream \ +Linux-libre release... Ensure new sources have been manually verified \ +against nonfree software.~%") + #t))))))))))) ;;; 
@@ -344,8 +367,16 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (uri (string-append "mirror://kernel.org" "/linux/kernel/v" (version-major version) ".x/" "linux-" version ".tar.xz")) - (sha256 hash))) + (sha256 (base32 hash)))) +(define (%upstream-linux-libre-source version hash) + (origin + (method git-fetch) + (uri (git-reference + (url "git://linux-libre.fsfla.org/releases.git") + (commit (string-append "sources/v" version "-gnu")))) + (file-name (git-file-name "linux-libre-source" version)) + (sha256 (base32 hash)))) ;; The current "stable" kernel. That is, the most recently released major ;; version. @@ -357,9 +388,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "0j6jba5fcddqlb42f95gjl78jisfla4nswqila074gglcrbnl9q7"))) (define-public linux-libre-5.8-pristine-source (let ((version linux-libre-5.8-version) - (hash (base32 "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik"))) + (hash "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik") + (libre-hash "0zjw82xrmlgmjb5w0ar4mhjsn9pf8halwzq6dvv71hmrmskjxbyn")) (make-linux-libre-source version (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) deblob-scripts-5.8))) ;; The "longterm" kernels — the older releases with long-term upstream support. 
@@ -373,10 +406,12 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "1b3q88i2qfdxyvpi9f7jds0qlb8hfpw87mgia096ax6822c2cmyb"))) (define-public linux-libre-5.4-pristine-source (let ((version linux-libre-5.4-version) - (hash (base32 "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr"))) - (make-linux-libre-source version - (%upstream-linux-source version hash) - deblob-scripts-5.4))) + (hash "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr") + (libre-hash "150cz1h9cn8klh8dhnbhb9zmxc6pf6x9rj5fa2wv9k7r42lk9kis")) + (make-linux-libre-source version + (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) + deblob-scripts-5.4))) (define-public linux-libre-4.19-version "4.19.144") (define deblob-scripts-4.19 @@ -386,9 +421,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "1jiaw0as1ippkrjdpd52657w5mz9qczg3y2hlra7m9k0xawwiqlf"))) (define-public linux-libre-4.19-pristine-source (let ((version linux-libre-4.19-version) - (hash (base32 "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k"))) + (hash "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k") + (libre-hash "04lijps8qjk3kwsgvkw9plhmy5rxgrp6ld82d96jgjm27s5xd308")) (make-linux-libre-source version (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) deblob-scripts-4.19))) (define-public linux-libre-4.14-version "4.14.197") 
@@ -399,9 +436,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "1qij18inijj6c3ma8hv98yjagnzxdxyn134da9fd23ky8q6hbvky"))) (define-public linux-libre-4.14-pristine-source (let ((version linux-libre-4.14-version) - (hash (base32 "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0"))) + (hash "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0") + (libre-hash "1hbp1shhhifk3xy8026c466vpfpgll11xx1kawq97llx1pars4hn")) (make-linux-libre-source version (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) deblob-scripts-4.14))) (define-public linux-libre-4.9-version "4.9.235") @@ -412,9 +451,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "0fxajshb75siq39lj5h8xvhdj8lcmddkslwlyj65rhlwk6g2r4b2"))) (define-public linux-libre-4.9-pristine-source (let ((version linux-libre-4.9-version) - (hash (base32 "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6"))) + (hash "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6") + (libre-hash "0sz73pxdz4kl4fyfvbkm7xzdhzx8x2xajr93mhapc65hssyz3059")) (make-linux-libre-source version (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) deblob-scripts-4.9))) (define-public linux-libre-4.4-version "4.4.235") @@ -425,9 +466,11 @@ corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS." (base32 "0hhin1jpfkd6nwrb6xqxjzl3hdxy4pn8a15hy2d3d83yw6pflbsf"))) (define-public linux-libre-4.4-pristine-source (let ((version linux-libre-4.4-version) - (hash (base32 "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd"))) + (hash "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd") + (libre-hash "1pydy3cr4malqlr69ksw22nphpydfmpbrfh190ahgym741zdfncg")) (make-linux-libre-source version (%upstream-linux-source version hash) + (%upstream-linux-libre-source version libre-hash) deblob-scripts-4.4))) (define %boot-logo-patch -- 2.28.0
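Review bot: In the @@ -221 hunk, LINUX-LIBRE-UPSTREAM-SOURCE is added as a positional parameter that also accepts #f to turn the comparison off, so a call that skips the check would show nothing but a bare #f between two origins. Since the docstring says manual screening is required in that case, consider making the skip explicit at the call site (a keyword argument, for instance) so that it stands out in review and is easy to search for.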
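Review bot: In the @@ -315 hunk, (invoke "diff" "-ur" dir #+linux-libre-upstream-source) compares file names and contents only: permission bits are not compared, and symbolic links are followed rather than compared as links. A generated tree that differs from the release only in a file mode would therefore pass. The comment above the find call explains the empty-directory handling but not what the diff covers; please state that limit there, or consider --no-dereference plus a separate mode comparison if an exact match is the intent.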
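Review bot: %upstream-linux-libre-source in the @@ -344 hunk has no docstring, and it fetches over git://, which is neither encrypted nor authenticated, using a ref name built with (string-append "sources/v" version "-gnu") rather than a commit id. The (sha256 (base32 hash)) field is therefore the only thing pinning the tree that the generated sources are compared against, so a docstring or comment should say how LIBRE-HASH is expected to be obtained and checked when a version is bumped. An https URL, if the project offers one, would also protect the person computing that hash.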