setsebool/Makefile now unconditionally links against libsepol.
As such, it is now a new dependency.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changes:
- Remove 0001-fix-musl-build.patch
Fixed with commit d88597798fdb1a2b344ca47e48f2f80ad433fd95 differently.
"""
libselinux: drop usage of _D_ALLOC_NAMLEN
_D_ALLOC_NAMLEN is not very portable. Currently, the code
mallocs based on _D_ALLOC_NAMLEN() and then strcpy's dirent
d_name into the buffer. Instead, just use strdup.
Change-Id: I5c8ca47da2c593ea2726caba5781f5e9d9d910ae
Signed-off-by: William Roberts <william.c.roberts@intel.com>
"""
- Remove 0003-libselinux-set-CFLAGS-for-pip-installation.patch
Fixed with commit 89dd980c1e9a800f104c1db2b4c9e77be532ca35.
"""
Add CPPFLAGS to Makefiles
This patch adds CPPFLAGS to all of the Makefiles as suggested.
Signed-off-by: Cameron Williams <ckwilliams.work@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
"""
- Rename 0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch to
0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
- Remove "package/libselinux/0001-fix-musl-build.patch Upstream" from
.checkpackageignore
- Rename "0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch" to
"0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch" in the
.checkpackageignore
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since bump to version 2.0.0 in commit
0f5bb364c6 sdbus-cpp package requires
designated initializers support (C++20 feature), and fails to compile
with gcc < 8:
/home/buildroot/autobuild/run/instance-2/output-1/build/host-sdbus-cpp-2.0.0/src/Proxy.cpp: In member function 'virtual sdbus::Slot sdbus::internal::Proxy::callMethodAsync(const sdbus::MethodCall&, sdbus::async_reply_handler, uint64_t, sdbus::return_slot_t)':
/home/buildroot/autobuild/run/instance-2/output-1/build/host-sdbus-cpp-2.0.0/src/Proxy.cpp:146:90: sorry, unimplemented: non-trivial designated initializers not supported
, .floating = true });
Fixes: 0f5bb364c6
- http://autobuild.buildroot.net/results/1764ce0d48b390e430d2d8f54388013d3700e9d7
Signed-off-by: Sergey Bobrenok <bobrofon@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Set GROUP_T when installing configuration files as root to avoid the
following build failure raised since commit
b6816034eb:
/usr/bin/install: missing destination file operand after '/home/buildroot/instance-0/output-1/target/etc'
Fixes: b6816034eb
- http://autobuild.buildroot.org/results/eb4ccf248c9c5048e9b71058bb0311b1e0763883
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Some kernel users find it useful to store submodules in the kernel
source tree for cross source trees definitions. Add option to download
these submodules.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Our git download backend switches the remote of our local clone, and
fetches all refs and tags from that remote.
When the local clone has a tag fetched from another remote, and the new
remote also has a tag by the same name, and that tag points to another
commit, then git refuses to fetch the new tag and exits in error, as it
considers that the new tag would clobber the existing one. This is safe
and sane behaviour when run interactively with a human that can take a
decision.
However, in our case, we don't care about any tags that were present
before, as only the last one makes sense in our case: the one from the
remote the user has requested for the current build.
Tell git to forcefully pull tags, even if they would clobber existing
ones.
Note that, although this changes the git backend, it does not change the
content of generated archives, so we do not need to bump the suffix
version.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Since tar *will* generate different archives, virtually all hashes will
change, so drop the blurb that states they usually would not.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Arnout: say explicitly that the has will change]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
We can't stay in the past forever and ever...
Since tar 1.35, the way some fields (devmajor and devminor) are stored
has changed. These fields exist for each file in the tarball, but only
used for device nodes. In previous versions of GNU tar, they were set to
zero; since 1.35, they are set to empty.
Although this doesn't change anything about the content of the tarball,
and it will be extracted in exactly the same way regardless of the tar
version used for extracting, it does change the hash of the tarball.
Therefore, we have to
- make sure that the correct version of tar is used;
- update the format version so that the filename is different from
before.
Increment all BR_FMT_VERSION by one.
Require tar >= 1.35 instead of < 1.35.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Arnout: also increment BR_FMT_VERSION and extend the commit message]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds
read that results in use of uninitialized memory for a conditional
jump. Exploitation to change the flow of control has not been
demonstrated. The issue occurs in from_header in list.c via a V7
archive in which mtime has approximately 11 whitespace characters.
With the bump to 1.35, the build will fail on systems that are not
Y2038, such as some uClibc configurations.
In order to preserve the previous behavior, pass --disable-year2038.
See the gnulib documentation for details [1]. Contrary to what the
option name might suggest, it doesn't really disable Y2038 support,
but only the check that the system is Y2038 compliant. So even with
--disable-year2038, if the system is Y2038 compliant (uses a 64-bit
arch, uses the musl C library, or uses the glibc C library with
BR2_TIME_BITS_64=y), tar will be Y2038 compliant.
Update hash of COPYING (http replaced by https)
[0] https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
[1] https://www.gnu.org/software/gnulib/manual/html_node/Avoiding-the-year-2038-problem.html
For the version bump:
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d4d483451f)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
For the Y2038 fix:
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7f1088f9ca)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Replace the names of the tarballs in the hash files to -git3.
Linux and U-Boot sources do contain symlinks, so the hashes change.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Arnout: also update acmesystems/acqua-a5]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Replace all git and svn packages archive names in hash files:
$ sed -r -i -e 's/-br2/-git3/; s/-br3/-svn4/' $(
git grep -l -E -- '-br2|-br3' '*.hash'
)
$ sed -r -i -e 's/(\.tar\.gz)$/-go1\1/' $(
git grep -l -E '\$\(eval \$\((host-)?golang-package\)\)' '*.mk' \
|sed -r -e 's/\.mk$/.hash/' \
|sort -u
)
$ sed -r -i -e 's/(\.tar\.gz)$/-cargo1\1/' $(
git grep -l -E '\$\(eval \$\((host-)?cargo-package\)\)' '*.mk' \
|sed -r -e 's/\.mk$/.hash/' \
|sort -u
)
Then a bit of make source (based on: git diff --name-only), a lot of
sweat, and carefully checking the new archives to verify that only
modes have changed...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Replace the names of the tarballs in the hash files to -git3.
We don't have any symlinks in the tests, so the hashes themselves don't
change.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Currently, when we generate archives, we rely on a few assumptions and
mechanisms to ensure reproducilibity. So far, we mostly accounted for
the content (i.e. content, filenames, and path) of the files we
archived, and this is OK (git and svn should provide reproducilbe
content by design, and cargo and go vendoring are also supposed to be
generating reproducible content.
However, tarballs do not only contain the content of the files; they
also have a few metadata about those files. Beyond filenames and paths,
which are already reproducible, there is the timestamp, the user and
group name and ID. Those are also accounted for and made reproducible.
The final touch (so far!) is that files have access rights (aka mode),
and those too are stored in tarballs. So far we accounted for those by
ensuring that Buildroot would always run under a known umask, thus
generating files with reproducible modes.
That falls short in one case that we did not envision, though: a shared
download directory, where extended attributes are set to provide a
default ACL that is permissive, to allow two or more users (with
different uid and gid) to all read and write to such a directory. This
is trivially achieved with something like:
$ mkdir -p "${BR2_DL_DIR}"
$ setfacl -m 'default:user::rwx' "${BR2_DL_DIR}"
$ setfacl -m 'default:group::rwx' "${BR2_DL_DIR}"
$ setfacl -m 'default:other::rwx' "${BR2_DL_DIR}"
This has the effect that:
- files below BR2_DL_DIR are all set with user, group, and world read
and write access,
- files executable by the owner will also be group and world
executable,
- directories are user, group, and world readable, writable, and
searchable.
This means that all the archives we generate from files in BR2_DL_DIR
will have modes that are different from those generated on other systems,
where only the traditional umask is used.
There are various solutions to solve that issue:
- detect the situation and abort: that's not nice, because users have
a legitimiate reason to want to share that directory,
- find a solution for each affected download mechanism: git, svn, hg,
cvs, bzr... and for each of the affected vendoring mechanism: go and
cargo [0]; this is not nice, because it means a lot of repetition,
with the risk that they diverge over time (e.g. one is fixed for a
newer issue, while the others are left out due to an oversight...)
- find a single, common solution that works in all cases, whatever the
download mechanism and/or vendoring: this is the best, because we
can extend and fix it once and everything else benefits from it.
We obviously go for the third option.
The common solution is rather simple. When creating the tarball in
support/download/helpers, give an option to tar to set the group and
other permissions to those of the user, but without write permission.
This implies that we must bump the version-suffix for the download
backends [1] and for the vendoring post-processes. It also implies that
the hash may change, under the following circumstances:
- Symlinks normally have permissions 0777 (because symlink permissions
are in fact meaningless). They will now have permission 0755 in the
tarball.
- If the original tarball (for vendored go and cargo packages) contained
files that are readable or executable by owner but not by group or
other, they will now be readable resp. executable by group and other
too. Note that for writeable it is not the case, because those were
already handled by our 0022 umask (which makes them not writeable by
group and other).
Because the hash may change, we need to update the BR_FMT_VERSION for
everything that creates tarballs. Go and cargo didn't have one up to
now, the the previous commit added the possibility to give one. The ones
for git and svn have to be updated. Since it is now possible to have a
suffix for both the VCS and the post-processing, change the suffix to
something more descriptive than "-brX", i.e. -git3 for git, -go1 for
golang, etc.
The hash updates and filename changes will be handled in a follow-up
commit.
[0] Note however that the vendoring is currently not done in a
sub-directory of BR2_DL_DIR, but the cargo and go caches are located
there. Files that get copied from there to the vendoring area would be
tainted as well, and thus we want to address that situation as well.
[1] we currently do not have a CVS version suffix, because we do not
guarantee the reproducilibity of CVS archives (we can't); for hg, we are
currently using hg's own archive tool, and presumably that does not have
the mode issue because it is not using the checked-out files. Still,
doing the mode fix in a single location will help extend those two
backends in the future (if that ever happens...).
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
When we change the way we vendor packages, either because our download
backend or helpers evolve, or when the vendoring tools themselves change,
we must avoid generating new archives with the same name, or there would
be confusion when using older archives with newer Buildroot versions, or
the other way around (and that would mess with local caches, like the
one we share on s.b.o).
This is going to be the case for example, when we enforce a better and
more reproducible set of modes on archived files in the following
commits.
Introduce a version suffix for post-processed downloads, that we can
bump when needed.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Add the changes about export-subst in the git backend, to the migrating
section of the manual.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: slightly extend the message, add sed command to update hash
files]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The version suffix for the git-generated archives has changed, so update
the filenames accordingly in the hash files. The content of the archives
has not changed, though.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Those packages use the export-subst git attribute, so the content of
the generated archives change.
Update the hashes accordingly.
For pcm-tools, we no longer need the post-extract hook, as the git
attribute is properly handled in the git download backend.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Files in a git repository can be given attributes, like the usual eol
that can convert to-from crlf, cr, lf; those are applied when comitting
or checking-out a file.
There are also two attributes that are meant to be used when generating
an archive (with git archive): export-subst, and export-ignore, that
respectively substitutes format placeholders in a file, and excludes a
file from the archive.
Some package (e.g. pcm-tools, luajit) use the export-subst attribute
to generate versioning information. luajit, specifically, uses the UNIX
timestamp of the commit as the patch-level for its semantic versioning.
We don't use git-archive, because we need to get submodules and LFS
blob, which git-archive does not handle. So, our git backend tries to
impersonate git-archive as much as possible, but the support for git
attributes was lost when we converted it from using git-archive to
manually creating the tarball in 3abd5ba424 (support/download/git: do
not use git archive, handle it manually) in preparation for f109e7eeb5
(support/download/git: add support for submodules) (arguably, a long
time ago...)
Extend the git backend to handle the export-subst attribute. There is
no git tool (that we could find) that does that automatically, except
git-archive, which we can't use; "git check-attr" however can report
whether a file has a specific attribute (and git check-attr can work
with \0-delimited fields and records).
So, we iterate over all the files in the repository, and filter those
that have the export-subst attribute set. Then for each file, we use a
bit of awk to do the replacement:
- for each line (managed natively by awk), we iterate over each
format placeholder,
- for each placeholer, we query "git log" with the requested format,
- we emit the replacement.
When doing the replacement, we decided to force abbreviating short
hashes to 40 chars, which is the length of a full sha1, rather than
actually abbreviating them:
- letting git decide of the length is not reproducible over time:
- as new commits are added, the short length will increase to avoid
collisions,
- newer git versions may decide on a different heuristic to shorten
hashes,
- users may have local settings with an arbitrary length (in their
~/.gitconfig for example);
- deciding on our side of an "small" arbitrary value would not be
viable long term either, as it might be too large to be minimum, or
too short to avoid collisions.
The only reproducible solution is to use unabbreviated hashes.
Handling git-attributes also implies that the format of the generated
archives has changed, since we now expand placeholders, so we bump our
git format version.
Hash files for all git-downloaded packages will be updated in followup
commits.
Of all our git-downloaded packages, 5 are affected, and their hashes
will be updated in a followup commit too:
- pcm-tools, which was known, and the one that triggered this commit;
since we now expand placeholders, we can drop the post-extract hook;
switching to a full hash in replacements also changes the hash of
the generated archive;
- qt5knx, qt5location, qt5mqtt, and qt5opcua: the file .tag at the
repository root, contains only the full hash placeholder; that file
is not used at all during the build (AFAICS);
Finally, a sixth package, luajit, uses export-subst; it currently relies
on the github-generated archive (because it happens to currently use a
format that is reproducible); it will also be converted in a follow-up
patch.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Woody Douglass <wdouglass@carnegierobotics.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Francois Perrad <fperrad@gmail.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Since version 2.1, LuaJIT follows a rolling-release scheme, which means
that any commit is as good as any other; LuaJIT uses the comitter's UNIX
timestamp as its semver patch level. It uses the git-attribute
export-subst for the .relver file that contains the %ct placeholder for
git-archive to expand it.
In c9dcd9e459 (package/luajit: bump to version 41fb94defa8f...), we
switched to such an upstream version. There was some confusion around
the handling of the git-attribute and where/when it is generated, and
the first revision of the patch used the git download method, so had to
use post-extract hooks to do the replacement, but the second iteration
kept retrieving the archive generated by github, which has the
replacement already done, but the post-extract hooks were not dropped
although now useless...
With the current code, it is easy to bump the LuaJit version and forget
to update the timestamp stored in the .relver file, which would override
the value that was generated on the github side.
Since the post-extract hook is useless, drop it.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Francois Perrad <fperrad@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Commit 631647f4a7 (package/flutter-packages/flutter-markdown-example:
new package) introduced a set of flutter packages, all sharing the same
upstream location and sources, and thus introduced a set of shared
variables (not unlike the qt5, qt6, and a few other similar packages).
Especially, it introduced the corresponding _SOURCE variable, that is
referenced by each sub-package of flutter-packages. Defining this
variable is required, because flutter-packages itself is not a package
in Buildroot parlance: it does not call any of the *-package macro. As
such, the default _SOURCE variable is not automatically generated.
The value for the variable was suffixed with the -br1 version-suffix as
used for the archives generated by the git backend.
However, this archive is not generated with our git download backend,
but is generated remotely by github, as the _SITE is computed with our
github helper macro.
So, the -br1 suffix is both superfluous and confusing.
Drop the suffix to avoid any confusion in the future, and add a little
blurb explaining the situation close to where the variable is set, and
add a check-package disable line.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
[Arnout: use check-package disable comment instead of ignoring the file]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The upstream host, arago-project.org, has vanished, bringing down the
git repository with it.
Switch to another, github-hosted repository, that has the commit we're
interested in.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The current version of docker-compose is un-vendorable, because the
dependencies it referenmces (directly or indirectly) are not available:
go: github.com/docker/compose/v2/cmd/compose imports
github.com/moby/buildkit/util/progress/progressui:
github.com/crazy-max/buildkit@v0.7.1-0.20240130133234-d9aa289bd124:
invalid version: unknown revision d9aa289bd124
And indeed, that commit does not exist in that repository. The v0.7.1
tag does exist, but there is not commit that matches the short hash
d9aa289bd124, or even the whole version string. Sigh...
There is no way anyone can vendor the version we currently package, and
all they and us can hope for is that we never lose s.b.o ever.
Bump the version. That one can be vendored. Well, at least it can
_still_ be vendored _now_...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
SymPy is a Python library for symbolic mathematics. It aims
to become a full-featured computer algebra system (CAS)
while keeping the code as simple as possible in order to be
comprehensible and easily extensible. SymPy is written
entirely in Python.
https://www.sympy.org/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mpmath is a free (BSD licensed) Python library for real and
complex floating-point arithmetic with arbitrary precision.
https://mpmath.org/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
While bumping kodi, we figured out that the kodi-texturepacker and
kodi-jsonschemabuilder were both re-downloading the main Kodi tarball,
even though they contain:
KODI_JSONSCHEMABUILDER_DL_SUBDIR = kodi
KODI_TEXTUREPACKER_DL_SUBDIR = kodi
Both are host packages, and turns out that changing those variables to
HOST_ ones made the download sharing work.
Commit efa7712b09 ("package/pkg-generic:
host variant inherits target download settings") introduced
inheritance of host variables from target variables from a number of
variables, including DL_SUBDIR. But it missed the fact that earlier in
pkg-generic.mk, the following line was defined:
$(2)_DL_SUBDIR ?= $$($(2)_RAWNAME)
So, when this later code kicked in:
ifndef $(2)_DL_SUBDIR
ifdef $(3)_DL_SUBDIR
$(2)_DL_SUBDIR = $$($(3)_DL_SUBDIR)
endif
endif
In fact it never did anything because $(2)_DL_SUBDIR would never be
undefined. This commit fixes this issue by properly adjusting the
logic to inherit the value of the target variable when it exists, or
defaulting to $$($(2)_RAWNAME) otherwise.
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The Config.in comment was mentioning both "NPTL" and "threads" as
dependencies, while mentioning only the former is sufficient.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
A python wrapper for the hidapi library.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
