Merge pull request #1732 from flatcar/krnowak/crypt

Migrate from glibc libcrypt to sys-libs/libxcrypt

.github/workflows/portage-stable-packages-list

@@ -572,6 +572,7 @@ sys-libs/libselinux
 sys-libs/libsepol
 sys-libs/libunwind
 sys-libs/liburing
+sys-libs/libxcrypt
 sys-libs/ncurses
 sys-libs/readline
 sys-libs/talloc

bootstrap_sdk

@@ -144,9 +144,10 @@ cp "${BUILD_LIBRARY_DIR}/toolchain_util.sh" "${ROOT_OVERLAY}/tmp"
 #  outdated "seed tarball" libraries which have been updated to newer versions in stage 1.
 
 stage_repo() {
-    local repo="$1"
-    local path="$2"
-    local dest="$3"
+    local repo=${1}
+    local path=${2}
+    local dest=${3}
+    local update_seed_file=${4}
     local gitname="$repo"
 
     if [ "$gitname" = "gentoo" ] ; then
@@ -173,7 +174,7 @@ stage_repo() {
             name=${hook##*/}
             name=${name%"-${gitname}.sh"}
             info "Invoking stage1 ${gitname} hook ${name} on ${dest}/${repo}"
-            "${hook}" "${dest}/${repo}" "${!repo_var}"
+            "${hook}" "${dest}/${repo}" "${!repo_var}" "${update_seed_file}"
         done
     )
 }
@@ -189,10 +190,14 @@ build_stage1() {
     rm -rf "$stage1_repos"
     mkdir "$stage1_repos"
 
+    # If the file exists and is not empty, seed will be updated.
+    # Stage1 hooks may decide that the seed SDK needs updating.
+    local update_seed_file="${TEMPDIR}/update_seed"
+
     # prepare ebuild repos for stage 1, either from the local SDK (default)
     #  or from custom paths specified via command line flags
-    stage_repo "gentoo" "${FLAGS_stage1_portage_path}" "$stage1_repos"
-    stage_repo "coreos-overlay" "${FLAGS_stage1_overlay_path}" "$stage1_repos"
+    stage_repo "gentoo" "${FLAGS_stage1_portage_path}" "$stage1_repos" "${update_seed_file}"
+    stage_repo "coreos-overlay" "${FLAGS_stage1_overlay_path}" "$stage1_repos" "${update_seed_file}"
 
     # Create a snapshot of "known-good" portage-stable repo copy for use in stage 1
     #  This requires us to create a custom catalyst config to point it to the
@@ -210,11 +215,12 @@ build_stage1() {
         "$TEMPDIR/stage1.spec"
 
     # If we are to use a custom path for either ebuild repo we want to update the stage1 seed SDK
-    if [ -n "${FLAGS_stage1_portage_path}" -o -n "${FLAGS_stage1_overlay_path}" ] ; then
+    if [[ -n ${FLAGS_stage1_portage_path} ]] || [[ -n ${FLAGS_stage1_overlay_path} ]] || [[ -s ${update_seed_file} ]]; then
         sed -i 's/^update_seed: no/update_seed: yes/' "$TEMPDIR/stage1.spec"
         echo "update_seed_command: --update --deep --newuse --complete-graph --rebuild-if-new-ver --rebuild-exclude cross-*-cros-linux-gnu/* sys-devel/gcc " \
             >>"$TEMPDIR/stage1.spec"
     fi
+    rm -f "${update_seed_file}"
 
     # Finally, build stage 1
     build_stage stage1 "$SEED" "$TEMPDIR/catalyst-stage1.conf"

changelog/changes/2024-03-08-libcrypt-migration.md

@@ -0,0 +1 @@
+- libcrypt is now provided by the libxcrypt library instead of glibc. Glibc libcrypt was deprecated long time ago.

sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0000-glibc-crypt-portage-stable.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -x
+set -euo pipefail
+
+stage1_repo=${1}
+new_repo=${2}
+update_seed_file=${3}
+
+cat=sys-libs
+pkg=libxcrypt
+
+if [[ -d "${stage1_repo}/${cat}/${pkg}" ]]; then
+    # libxcrypt is already a part of portage-stable, nothing to do
+    exit 0
+fi
+
+mkdir -p "${stage1_repo}/${cat}"
+cp -a "${new_repo}/${cat}/${pkg}" "${stage1_repo}/${cat}/${pkg}"
+echo x >"${update_seed_file}"

sdk_container/src/third_party/coreos-overlay/coreos/stage1_hooks/0002-glibc-crypt-coreos-overlay.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+set -x
+set -euo pipefail
+
+stage1_repo=${1}
+new_repo=${2}
+update_seed_file=${3}
+
+base_profile_dir='profiles/coreos/base'
+
+declare -A fixups_old=(
+    ['package.mask']='>=virtual/libcrypt-2'
+    ['package.unmask']='=virtual/libcrypt-1-r1'
+    ['package.use.force']='sys-libs/glibc crypt'
+    ['package.use.mask']='sys-libs/glibc -crypt'
+)
+
+declare -A fixups_new=(
+    ['package.mask']='>=virtual/libcrypt-2'
+    ['package.unmask']='<virtual/libcrypt-2'
+    ['package.use.force']='sys-libs/glibc crypt'
+    ['package.use.mask']='sys-libs/glibc -crypt'
+)
+
+for var_name in fixups_old fixups_new; do
+    declare -n fixups="${var_name}"
+
+    skip=''
+    for f in "${!fixups[@]}"; do
+        l=${fixups["${f}"]}
+        ff="${stage1_repo}/${base_profile_dir}/${f}"
+        if ! grep --quiet --fixed-strings --line-regexp --regexp="${l}" -- "${ff}"; then
+            # fixup not applicable, try next one
+            skip=x
+            break
+        fi
+    done
+
+    if [[ -n ${skip} ]]; then
+        unset -n fixups
+        continue
+    fi
+
+    for f in "${!fixups[@]}"; do
+        l=${fixups["${f}"]}
+        ff="${stage1_repo}/${base_profile_dir}/${f}"
+        ffb="${ff}.bak"
+        mv "${ff}" "${ffb}"
+        grep --invert-match --fixed-strings --line-regexp --regexp="${l}" -- "${ffb}" >"${ff}"
+    done
+    echo x >"${update_seed_file}"
+    exit 0
+done

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask

@@ -11,12 +11,6 @@
 # certificate store provided in NSS rather than the Gentoo/Debian package.
 >=app-misc/ca-certificates-20000000
 
-# Overwrite portage-stable mask. We are delaying the transition to
-# libxcrypt, because we need to figure out how to solve the dep loop
-# that results from the migration (python -> virtual/libcrypt ->
-# libxcrypt -> glibc -> python).
->=virtual/libcrypt-2
-
 # Python 3.12 is in portage-stable (currently testing), so avoid picking it
 # up. Update this to mask later versions when we switch to 3.11.
 >=dev-lang/python-3.12

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.unmask

@@ -1,9 +1,3 @@
-# Overwrite portage-stable mask. We are delaying the transition to
-# libxcrypt, because we need to figure out how to solve the dep loop
-# that results from the migration (python -> virtual/libcrypt ->
-# libxcrypt -> glibc -> python).
-<virtual/libcrypt-2
-
 # Overwrite portage-stable mask. We haven't seen LLVM related problems
 # with rust so far, so keep using 1.70.0.
 ~dev-lang/rust-1.78.0

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force

@@ -14,10 +14,6 @@ app-alternatives/sh bash
 app-alternatives/tar gnu
 app-alternatives/yacc bison
 
-# Force libcrypt so it's included in stage-1 of the SDK build.
-# +crypt was introduced in glibc-2.30 and above.
-sys-libs/glibc crypt
-
 # Do not force this flag, we don't need XATTR_PAX
 sys-apps/portage -xattr
 

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.mask

@@ -17,13 +17,6 @@ sys-libs/ncurses cxx
 # which is defined in portage-stable.
 app-editors/nano unicode
 
-# Overwrite portage-stable mask. We are delaying the transition to
-# libxcrypt, because we need to figure out how to solve the dep loop
-# that results from the migration (python -> virtual/libcrypt ->
-# libxcrypt -> glibc -> python), and also we need to update gcc to
-# version 10 or later.
-sys-libs/glibc -crypt
-
 # We don't use pip.
 dev-lang/python ensurepip
 

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/Manifest

@@ -0,0 +1 @@
+DIST libxcrypt-4.4.36-autotools.tar.xz 624660 BLAKE2B 8dc3d0f354baf8c64dc011e95e7df10d48b0dfe428503936ffd55edf2745de04003c7efe231ed5d9a14cea7f682ba377b7e00f0463b4060c50c9c29f555b790f SHA512 fb8391ecb89622eb0d74d13c5fc1369718e83c47671449044ca0c2f78a236d7b06177a60bf8cda47694caa840c68eaaf0b23690e8975fa5d64b734c8eb246d10

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/files/libxcrypt-4.4.19-multibuild.patch

@@ -0,0 +1,14 @@
+diff --git a/Makefile.am b/Makefile.am
+index d0cca1d..4a5d4a1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -86,9 +86,7 @@ noinst_HEADERS = \
+ 	test/des-cases.h \
+ 	test/ka-table.inc
+ 
+-if ENABLE_XCRYPT_COMPAT_FILES
+ nodist_include_HEADERS += xcrypt.h
+-endif
+ 
+ noinst_PROGRAMS = \
+ 	lib/gen-des-tables

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/libxcrypt-4.4.36-r2.ebuild

@@ -0,0 +1,335 @@
+# Copyright 2004-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+# NEED_BOOTSTRAP is for developers to quickly generate a tarball
+# for publishing to the tree.
+NEED_BOOTSTRAP="no"
+inherit multibuild multilib python-any-r1 flag-o-matic toolchain-funcs multilib-minimal
+
+DESCRIPTION="Extended crypt library for descrypt, md5crypt, bcrypt, and others"
+HOMEPAGE="https://github.com/besser82/libxcrypt"
+if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+	inherit autotools
+	SRC_URI="https://github.com/besser82/libxcrypt/releases/download/v${PV}/${P}.tar.xz"
+else
+	SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-autotools.tar.xz"
+fi
+
+LICENSE="LGPL-2.1+ public-domain BSD BSD-2"
+SLOT="0/1"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="+compat split-usr static-libs +system test headers-only"
+REQUIRED_USE="split-usr? ( system )"
+RESTRICT="!test? ( test )"
+
+export CTARGET=${CTARGET:-${CHOST}}
+if [[ ${CTARGET} == ${CHOST} ]] ; then
+	if [[ ${CATEGORY/cross-} != ${CATEGORY} ]] ; then
+		export CTARGET=${CATEGORY/cross-}
+	fi
+fi
+
+is_cross() {
+	local enabled_abis=( $(multilib_get_enabled_abis) )
+	[[ "${#enabled_abis[@]}" -le 1 ]] && [[ ${CHOST} != ${CTARGET} ]]
+}
+
+DEPEND="
+	system? (
+		elibc_glibc? (
+			${CATEGORY}/glibc[-crypt(-)]
+			!${CATEGORY}/glibc[crypt(-)]
+		)
+		elibc_musl? (
+			${CATEGORY}/musl[-crypt(+)]
+			!${CATEGORY}/musl[crypt(+)]
+		)
+	)
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	dev-lang/perl
+	test? ( $(python_gen_any_dep 'dev-python/passlib[${PYTHON_USEDEP}]') )
+"
+
+python_check_deps() {
+	python_has_version "dev-python/passlib[${PYTHON_USEDEP}]"
+}
+
+pkg_pretend() {
+	if has "distcc" ${FEATURES} ; then
+		ewarn "Please verify all distcc nodes are using the same versions of GCC (>= 10) and Binutils!"
+		ewarn "Older/mismatched versions of GCC may lead to a misbehaving library: bug #823179."
+
+		if [[ ${BUILD_TYPE} != "binary" ]] && tc-is-gcc && [[ $(gcc-major-version) -lt 10 ]] ; then
+			die "libxcrypt is known to fail to build or be broken at runtime with < GCC 10 (bug #823179)!"
+		fi
+	fi
+}
+
+pkg_setup() {
+	MULTIBUILD_VARIANTS=(
+		$(usev compat 'xcrypt_compat')
+		xcrypt_nocompat
+	)
+
+	use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# WARNING: Please read on bumping or applying patches!
+	#
+	# There are two circular dependencies to be aware of:
+	# 1)
+	#	if we're bootstrapping configure and makefiles:
+	#		libxcrypt -> automake -> perl -> libxcrypt
+	#
+	#   mitigation:
+	#		toolchain@ manually runs `make dist` after running autoconf + `./configure`
+	#		and the ebuild uses that.
+	#		(Don't include the pre-generated Perl artefacts.)
+	#
+	#	solution for future:
+	#		Upstream are working on producing `make dist` tarballs.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# 2)
+	#	configure *unconditionally* needs Perl at build time to generate
+	#	a list of enabled algorithms based on the set passed to `configure`:
+	#		libxcrypt -> perl -> libxcrypt
+	#
+	#	mitigation:
+	#		None at the moment.
+	#
+	#	solution for future:
+	#		Not possible right now. Upstream intend on depending on Perl for further
+	#		configuration options.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# Therefore, on changes (inc. bumps):
+	#	* You must check whether upstream have started providing tarballs with bootstrapped
+	#	  auto{conf,make};
+	#
+	#	* diff the build system changes!
+	#
+	if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+		# Facilitate our split variant build for compat + non-compat
+		eapply "${FILESDIR}"/${PN}-4.4.19-multibuild.patch
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	# Avoid possible "illegal instruction" errors with gold
+	# bug #821496
+	tc-ld-disable-gold
+
+	# Doesn't work with LTO: bug #852917.
+	# https://github.com/besser82/libxcrypt/issues/24
+	filter-lto
+
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	multibuild_foreach_variant multilib-minimal_src_configure
+}
+
+get_xcprefix() {
+	if is_cross; then
+		echo "${EPREFIX}/usr/${CTARGET}"
+	else
+		echo "${EPREFIX}"
+	fi
+}
+
+get_xclibdir() {
+	printf -- "%s/%s/%s/%s\n" \
+		"$(get_xcprefix)" \
+		"$(usev !split-usr '/usr')" \
+		"$(get_libdir)" \
+		"$(usev !system 'xcrypt')"
+}
+
+get_xcincludedir() {
+	printf -- "%s/usr/include/%s\n" \
+		"$(get_xcprefix)" \
+		"$(usev !system 'xcrypt')"
+}
+
+get_xcmandir() {
+	printf -- "%s/usr/share/man\n" \
+		"$(get_xcprefix)"
+}
+
+get_xcpkgconfigdir() {
+	printf -- "%s/usr/%s/pkgconfig\n" \
+		"$(get_xcprefix)" \
+		"$(get_libdir)"
+}
+
+multilib_src_configure() {
+	local -a myconf=(
+		--host=${CTARGET}
+		--disable-werror
+		--libdir=$(get_xclibdir)
+		--with-pkgconfigdir=$(get_xcpkgconfigdir)
+		--includedir=$(get_xcincludedir)
+		--mandir="$(get_xcmandir)"
+	)
+
+	tc-export PKG_CONFIG
+
+	if is_cross; then
+		if tc-is-clang; then
+			export CC="${CTARGET}-clang"
+		else
+			export CC="${CTARGET}-gcc"
+		fi
+	fi
+
+	case "${MULTIBUILD_ID}" in
+		xcrypt_compat-*)
+			myconf+=(
+				--disable-static
+				--disable-xcrypt-compat-files
+				--enable-obsolete-api=yes
+			)
+			;;
+		xcrypt_nocompat-*)
+			myconf+=(
+				--enable-obsolete-api=no
+				$(use_enable static-libs static)
+			)
+		;;
+		*) die "Unexpected MULTIBUILD_ID: ${MULTIBUILD_ID}";;
+	esac
+
+	if use headers-only; then
+		# Nothing is compiled here which would affect the headers for the target.
+		# So forcing CC is sane.
+		headers_only_flags="CC=$(tc-getBUILD_CC)"
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}" "${headers_only_flags}"
+}
+
+src_compile() {
+	use headers-only && return
+
+	multibuild_foreach_variant multilib-minimal_src_compile
+}
+
+multilib_src_test() {
+	emake check
+}
+
+src_test() {
+	multibuild_foreach_variant multilib-minimal_src_test
+}
+
+src_install() {
+	multibuild_foreach_variant multilib-minimal_src_install
+
+	use headers-only || \
+	(
+		shopt -s failglob || die "failglob failed"
+
+		# Make sure our man pages do not collide with glibc or man-pages.
+		for manpage in "${D}$(get_xcmandir)"/man3/crypt{,_r}.?*; do
+			mv -n "${manpage}" "$(dirname "${manpage}")/xcrypt_$(basename "${manpage}")" \
+				|| die "mv failed"
+		done
+	) || die "failglob error"
+
+	# Remove useless stuff from installation
+	find "${ED}"/usr/share/doc/${PF} -type l -delete || die
+	find "${ED}" -name '*.la' -delete || die
+
+	# workaround broken upstream cross-* --docdir by installing files in proper locations
+	if is_cross; then
+		insinto "$(get_xcprefix)"/usr/share
+		doins -r "${ED}"/usr/share/doc
+		rm -r "${ED}"/usr/share/doc || die
+	fi
+}
+
+multilib_src_install() {
+	if use headers-only; then
+		emake DESTDIR="${D}" install-nodist_includeHEADERS
+		return
+	fi
+
+	emake DESTDIR="${D}" install
+
+	# Don't install the libcrypt.so symlink for the "compat" version
+	case "${MULTIBUILD_ID}" in
+		xcrypt_compat-*)
+			rm "${D}"$(get_xclibdir)/libcrypt$(get_libname) \
+				|| die "failed to remove extra compat libraries"
+		;;
+		xcrypt_nocompat-*)
+			if use split-usr; then
+				(
+					if use static-libs; then
+						# .a files are installed to /$(get_libdir) by default
+						# Move static libraries to /usr prefix or portage will abort
+						shopt -s nullglob || die "failglob failed"
+						static_libs=( "${D}"/$(get_xclibdir)/*.a )
+
+						if [[ -n ${static_libs[*]} ]]; then
+							dodir "/usr/$(get_xclibdir)"
+							mv "${static_libs[@]}" "${ED}/usr/$(get_xclibdir)" \
+								|| die "Moving static libs failed"
+						fi
+					fi
+
+					if use system; then
+						# Move versionless .so symlinks from /$(get_libdir) to /usr/$(get_libdir)
+						# to allow linker to correctly find shared libraries.
+						shopt -s failglob || die "failglob failed"
+
+						for lib_file in "${D}"$(get_xclibdir)/*$(get_libname); do
+							lib_file_basename="$(basename "${lib_file}")"
+							lib_file_target="$(basename "$(readlink -f "${lib_file}")")"
+
+							# We already know we're in split-usr (checked above)
+							# See bug #843209 (also worth keeping in mind bug #802222 too)
+							local libdir_no_prefix=$(get_xclibdir)
+							libdir_no_prefix=${libdir_no_prefix#${EPREFIX}}
+							libdir_no_prefix=${libdir_no_prefix%/usr}
+							dosym -r "/$(get_libdir)/${lib_file_target}" "/usr/${libdir_no_prefix}/${lib_file_basename}"
+						done
+
+						rm "${D}"$(get_xclibdir)/*$(get_libname) || die "Removing symlinks in incorrect location failed"
+					fi
+				)
+			fi
+		;;
+		*) die "Unexpected MULTIBUILD_ID: ${MULTIBUILD_ID}";;
+	esac
+}
+
+pkg_preinst() {
+	# Verify we're not in a bad case like bug #843209 with broken symlinks.
+	# This can be dropped when, if ever, the split-usr && system && compat case
+	# is cleaned up in *_src_install.
+	local broken_symlinks=()
+	mapfile -d '' broken_symlinks < <(
+		find "${ED}" -xtype l -print0
+	)
+
+	if [[ ${#broken_symlinks[@]} -gt 0 ]]; then
+		eerror "Broken symlinks found before merging!"
+		local symlink target resolved
+		for symlink in "${broken_symlinks[@]}" ; do
+			target="$(readlink "${symlink}")"
+			resolved="$(readlink -f "${symlink}")"
+			eerror "  '${symlink}' -> '${target}' (${resolved})"
+		done
+		die "Broken symlinks found! Aborting to avoid damaging system. Please report a bug."
+	fi
+}

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/libxcrypt-4.4.36-r3.ebuild

@@ -0,0 +1,254 @@
+# Copyright 2004-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+# NEED_BOOTSTRAP is for developers to quickly generate a tarball
+# for publishing to the tree.
+NEED_BOOTSTRAP="no"
+inherit crossdev multibuild multilib python-any-r1 flag-o-matic toolchain-funcs multilib-minimal
+
+DESCRIPTION="Extended crypt library for descrypt, md5crypt, bcrypt, and others"
+HOMEPAGE="https://github.com/besser82/libxcrypt"
+if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+	inherit autotools
+	SRC_URI="https://github.com/besser82/libxcrypt/releases/download/v${PV}/${P}.tar.xz"
+else
+	SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-autotools.tar.xz"
+fi
+
+LICENSE="LGPL-2.1+ public-domain BSD BSD-2"
+SLOT="0/1"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="+compat static-libs +system test headers-only"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	system? (
+		elibc_glibc? (
+			${CATEGORY}/glibc[-crypt(-)]
+			!${CATEGORY}/glibc[crypt(-)]
+		)
+		elibc_musl? (
+			${CATEGORY}/musl[-crypt(+)]
+			!${CATEGORY}/musl[crypt(+)]
+		)
+	)
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	dev-lang/perl
+	test? ( $(python_gen_any_dep 'dev-python/passlib[${PYTHON_USEDEP}]') )
+"
+
+python_check_deps() {
+	python_has_version "dev-python/passlib[${PYTHON_USEDEP}]"
+}
+
+pkg_pretend() {
+	if has "distcc" ${FEATURES} ; then
+		ewarn "Please verify all distcc nodes are using the same versions of GCC (>= 10) and Binutils!"
+		ewarn "Older/mismatched versions of GCC may lead to a misbehaving library: bug #823179."
+
+		if [[ ${BUILD_TYPE} != "binary" ]] && tc-is-gcc && [[ $(gcc-major-version) -lt 10 ]] ; then
+			die "libxcrypt is known to fail to build or be broken at runtime with < GCC 10 (bug #823179)!"
+		fi
+	fi
+}
+
+pkg_setup() {
+	:
+}
+
+src_prepare() {
+	default
+
+	# WARNING: Please read on bumping or applying patches!
+	#
+	# There are two circular dependencies to be aware of:
+	# 1)
+	#	if we're bootstrapping configure and makefiles:
+	#		libxcrypt -> automake -> perl -> libxcrypt
+	#
+	#   mitigation:
+	#		toolchain@ manually runs `make dist` after running autoconf + `./configure`
+	#		and the ebuild uses that.
+	#		(Don't include the pre-generated Perl artefacts.)
+	#
+	#	solution for future:
+	#		Upstream are working on producing `make dist` tarballs.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# 2)
+	#	configure *unconditionally* needs Perl at build time to generate
+	#	a list of enabled algorithms based on the set passed to `configure`:
+	#		libxcrypt -> perl -> libxcrypt
+	#
+	#	mitigation:
+	#		None at the moment.
+	#
+	#	solution for future:
+	#		Not possible right now. Upstream intend on depending on Perl for further
+	#		configuration options.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# Therefore, on changes (inc. bumps):
+	#	* You must check whether upstream have started providing tarballs with bootstrapped
+	#	  auto{conf,make};
+	#
+	#	* diff the build system changes!
+	#
+	if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+		# Facilitate our split variant build for compat + non-compat
+		eapply "${FILESDIR}"/${PN}-4.4.19-multibuild.patch
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	MULTIBUILD_VARIANTS=(
+		$(usev compat 'xcrypt_compat')
+		xcrypt_nocompat
+	)
+
+	MYPREFIX=${EPREFIX}
+	MYSYSROOT=${ESYSROOT}
+
+	if target_is_not_host; then
+		local CHOST=${CTARGET}
+
+		MYPREFIX=
+		MYSYSROOT=${ESYSROOT}/usr/${CTARGET}
+
+		# Ensure we get compatible libdir
+		unset DEFAULT_ABI MULTILIB_ABIS
+		multilib_env
+		ABI=${DEFAULT_ABI}
+
+		tc-getCC >/dev/null
+		if [[ ${CC} != ${CHOST}-* ]]; then
+			unset CC
+			tc-getCC >/dev/null
+		fi
+
+		strip-unsupported-flags
+	fi
+
+	if use headers-only; then
+		# Nothing is compiled here which would affect the headers for the target.
+		# So forcing CC is sane.
+		local -x CC="$(tc-getBUILD_CC)"
+	fi
+
+	# Avoid possible "illegal instruction" errors with gold
+	# bug #821496
+	tc-ld-disable-gold
+
+	# Doesn't work with LTO: bug #852917.
+	# https://github.com/besser82/libxcrypt/issues/24
+	filter-lto
+
+	append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+	if use test; then
+		python_setup
+	fi
+
+	multibuild_foreach_variant multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	local myconf=(
+		--disable-werror
+		--prefix="${MYPREFIX}/usr"
+		--libdir="${MYPREFIX}/usr/$(get_libdir)$(usev !system /xcrypt)"
+		--includedir="${MYPREFIX}/usr/include$(usev !system /xcrypt)"
+		--with-pkgconfigdir="${MYPREFIX}/usr/$(get_libdir)/pkgconfig"
+		--with-sysroot="${MYSYSROOT}"
+	)
+
+	tc-export PKG_CONFIG
+
+	case "${MULTIBUILD_ID}" in
+		xcrypt_compat-*)
+			myconf+=(
+				--disable-static
+				--disable-xcrypt-compat-files
+				--enable-obsolete-api=yes
+			)
+			;;
+		xcrypt_nocompat-*)
+			myconf+=(
+				--enable-obsolete-api=no
+				$(use_enable static-libs static)
+			)
+			;;
+		*) die "Unexpected MULTIBUILD_ID: ${MULTIBUILD_ID}";;
+	esac
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+src_compile() {
+	use headers-only && return
+
+	multibuild_foreach_variant multilib-minimal_src_compile
+}
+
+multilib_src_test() {
+	emake check
+}
+
+src_test() {
+	multibuild_foreach_variant multilib-minimal_src_test
+}
+
+src_install() {
+	local DESTDIR=${D}
+	if target_is_not_host; then
+		DESTDIR=${ED}/usr/${CTARGET}
+	fi
+
+	multibuild_foreach_variant multilib-minimal_src_install
+
+	find "${ED}" -name '*.la' -delete || die
+
+	if target_is_not_host; then
+		insinto /usr/${CTARGET}/usr/share
+		doins -r "${ED}/usr/share/doc"
+		rm -r "${ED}/usr/share/doc" || die
+		rmdir "${ED}/usr/share" || die
+	fi
+}
+
+multilib_src_install() {
+	if use headers-only; then
+		emake DESTDIR="${DESTDIR}" install-nodist_includeHEADERS
+	else
+		emake DESTDIR="${DESTDIR}" install
+		# Conflicts with sys-apps/man-pages
+		rm "${DESTDIR}${MYPREFIX}"/usr/share/man/man3/crypt{,_r}.3 || die
+	fi
+}
+
+pkg_preinst() {
+	# Verify we're not in a bad case like bug #843209 with broken symlinks.
+	# This can be dropped when, if ever, the split-usr && system && compat case
+	# is cleaned up in *_src_install.
+	local broken_symlinks=()
+	mapfile -d '' broken_symlinks < <(
+		find "${ED}" -xtype l -print0
+	)
+
+	if [[ ${#broken_symlinks[@]} -gt 0 ]]; then
+		eerror "Broken symlinks found before merging!"
+		local symlink target resolved
+		for symlink in "${broken_symlinks[@]}" ; do
+			target="$(readlink "${symlink}")"
+			resolved="$(readlink -f "${symlink}")"
+			eerror "  '${symlink}' -> '${target}' (${resolved})"
+		done
+		die "Broken symlinks found! Aborting to avoid damaging system. Please report a bug."
+	fi
+}

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/libxcrypt-4.4.36.ebuild

@@ -0,0 +1,340 @@
+# Copyright 2004-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+# NEED_BOOTSTRAP is for developers to quickly generate a tarball
+# for publishing to the tree.
+NEED_BOOTSTRAP="no"
+inherit multibuild multilib python-any-r1 flag-o-matic toolchain-funcs multilib-minimal
+
+DESCRIPTION="Extended crypt library for descrypt, md5crypt, bcrypt, and others"
+HOMEPAGE="https://github.com/besser82/libxcrypt"
+if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+	inherit autotools
+	SRC_URI="https://github.com/besser82/libxcrypt/releases/download/v${PV}/${P}.tar.xz"
+else
+	SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-autotools.tar.xz"
+fi
+
+LICENSE="LGPL-2.1+ public-domain BSD BSD-2"
+SLOT="0/1"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="+compat split-usr static-libs +system test headers-only"
+REQUIRED_USE="split-usr? ( system )"
+RESTRICT="!test? ( test )"
+
+export CTARGET=${CTARGET:-${CHOST}}
+if [[ ${CTARGET} == ${CHOST} ]] ; then
+	if [[ ${CATEGORY/cross-} != ${CATEGORY} ]] ; then
+		export CTARGET=${CATEGORY/cross-}
+	fi
+fi
+
+is_cross() {
+	local enabled_abis=( $(multilib_get_enabled_abis) )
+	[[ "${#enabled_abis[@]}" -le 1 ]] && [[ ${CHOST} != ${CTARGET} ]]
+}
+
+DEPEND="
+	system? (
+		elibc_glibc? (
+			${CATEGORY}/glibc[-crypt(+)]
+			!${CATEGORY}/glibc[crypt(+)]
+		)
+		elibc_musl? (
+			${CATEGORY}/musl[-crypt(+)]
+			!${CATEGORY}/musl[crypt(+)]
+		)
+	)
+"
+RDEPEND="${DEPEND}"
+BDEPEND="
+	dev-lang/perl
+	test? ( $(python_gen_any_dep 'dev-python/passlib[${PYTHON_USEDEP}]') )
+"
+
+python_check_deps() {
+	python_has_version "dev-python/passlib[${PYTHON_USEDEP}]"
+}
+
+pkg_pretend() {
+	if has "distcc" ${FEATURES} ; then
+		ewarn "Please verify all distcc nodes are using the same versions of GCC (>= 10) and Binutils!"
+		ewarn "Older/mismatched versions of GCC may lead to a misbehaving library: bug #823179."
+
+		if [[ ${BUILD_TYPE} != "binary" ]] && tc-is-gcc && [[ $(gcc-major-version) -lt 10 ]] ; then
+			die "libxcrypt is known to fail to build or be broken at runtime with < GCC 10 (bug #823179)!"
+		fi
+	fi
+}
+
+pkg_setup() {
+	MULTIBUILD_VARIANTS=(
+		$(usev compat 'xcrypt_compat')
+		xcrypt_nocompat
+	)
+
+	use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# WARNING: Please read on bumping or applying patches!
+	#
+	# There are two circular dependencies to be aware of:
+	# 1)
+	#	if we're bootstrapping configure and makefiles:
+	#		libxcrypt -> automake -> perl -> libxcrypt
+	#
+	#   mitigation:
+	#		toolchain@ manually runs `make dist` after running autoconf + `./configure`
+	#		and the ebuild uses that.
+	#		(Don't include the pre-generated Perl artefacts.)
+	#
+	#	solution for future:
+	#		Upstream are working on producing `make dist` tarballs.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# 2)
+	#	configure *unconditionally* needs Perl at build time to generate
+	#	a list of enabled algorithms based on the set passed to `configure`:
+	#		libxcrypt -> perl -> libxcrypt
+	#
+	#	mitigation:
+	#		None at the moment.
+	#
+	#	solution for future:
+	#		Not possible right now. Upstream intend on depending on Perl for further
+	#		configuration options.
+	#		https://github.com/besser82/libxcrypt/issues/134#issuecomment-871833573
+	#
+	# Therefore, on changes (inc. bumps):
+	#	* You must check whether upstream have started providing tarballs with bootstrapped
+	#	  auto{conf,make};
+	#
+	#	* diff the build system changes!
+	#
+	if [[ ${NEED_BOOTSTRAP} == "yes" ]] ; then
+		# Facilitate our split variant build for compat + non-compat
+		eapply "${FILESDIR}"/${PN}-4.4.19-multibuild.patch
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	# Avoid possible "illegal instruction" errors with gold
+	# bug #821496
+	tc-ld-disable-gold
+
+	# Doesn't work with LTO: bug #852917.
+	# https://github.com/besser82/libxcrypt/issues/24
+	filter-lto
+
+	# ideally we want !tc-ld-is-bfd for best future-proofing, but it needs
+	# https://github.com/gentoo/gentoo/pull/28355
+	# mold needs this too but right now tc-ld-is-mold is also not available
+	if tc-ld-is-lld; then
+		append-ldflags -Wl,--undefined-version
+	fi
+
+	multibuild_foreach_variant multilib-minimal_src_configure
+}
+
+get_xcprefix() {
+	if is_cross; then
+		echo "${EPREFIX}/usr/${CTARGET}"
+	else
+		echo "${EPREFIX}"
+	fi
+}
+
+get_xclibdir() {
+	printf -- "%s/%s/%s/%s\n" \
+		"$(get_xcprefix)" \
+		"$(usev !split-usr '/usr')" \
+		"$(get_libdir)" \
+		"$(usev !system 'xcrypt')"
+}
+
+get_xcincludedir() {
+	printf -- "%s/usr/include/%s\n" \
+		"$(get_xcprefix)" \
+		"$(usev !system 'xcrypt')"
+}
+
+get_xcmandir() {
+	printf -- "%s/usr/share/man\n" \
+		"$(get_xcprefix)"
+}
+
+get_xcpkgconfigdir() {
+	printf -- "%s/usr/%s/pkgconfig\n" \
+		"$(get_xcprefix)" \
+		"$(get_libdir)"
+}
+
+multilib_src_configure() {
+	local -a myconf=(
+		--host=${CTARGET}
+		--disable-werror
+		--libdir=$(get_xclibdir)
+		--with-pkgconfigdir=$(get_xcpkgconfigdir)
+		--includedir=$(get_xcincludedir)
+		--mandir="$(get_xcmandir)"
+	)
+
+	tc-export PKG_CONFIG
+
+	if is_cross; then
+		if tc-is-clang; then
+			export CC="${CTARGET}-clang"
+		else
+			export CC="${CTARGET}-gcc"
+		fi
+	fi
+
+	case "${MULTIBUILD_ID}" in
+		xcrypt_compat-*)
+			myconf+=(
+				--disable-static
+				--disable-xcrypt-compat-files
+				--enable-obsolete-api=yes
+			)
+			;;
+		xcrypt_nocompat-*)
+			myconf+=(
+				--enable-obsolete-api=no
+				$(use_enable static-libs static)
+			)
+		;;
+		*) die "Unexpected MULTIBUILD_ID: ${MULTIBUILD_ID}";;
+	esac
+
+	if use headers-only; then
+		# Nothing is compiled here which would affect the headers for the target.
+		# So forcing CC is sane.
+		headers_only_flags="CC=$(tc-getBUILD_CC)"
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}" "${headers_only_flags}"
+}
+
+src_compile() {
+	use headers-only && return
+
+	multibuild_foreach_variant multilib-minimal_src_compile
+}
+
+multilib_src_test() {
+	emake check
+}
+
+src_test() {
+	multibuild_foreach_variant multilib-minimal_src_test
+}
+
+src_install() {
+	multibuild_foreach_variant multilib-minimal_src_install
+
+	use headers-only || \
+	(
+		shopt -s failglob || die "failglob failed"
+
+		# Make sure our man pages do not collide with glibc or man-pages.
+		for manpage in "${D}$(get_xcmandir)"/man3/crypt{,_r}.?*; do
+			mv -n "${manpage}" "$(dirname "${manpage}")/xcrypt_$(basename "${manpage}")" \
+				|| die "mv failed"
+		done
+	) || die "failglob error"
+
+	# Remove useless stuff from installation
+	find "${ED}"/usr/share/doc/${PF} -type l -delete || die
+	find "${ED}" -name '*.la' -delete || die
+
+	# workaround broken upstream cross-* --docdir by installing files in proper locations
+	if is_cross; then
+		insinto "$(get_xcprefix)"/usr/share
+		doins -r "${ED}"/usr/share/doc
+		rm -r "${ED}"/usr/share/doc || die
+	fi
+}
+
+multilib_src_install() {
+	if use headers-only; then
+		emake DESTDIR="${D}" install-nodist_includeHEADERS
+		return
+	fi
+
+	emake DESTDIR="${D}" install
+
+	# Don't install the libcrypt.so symlink for the "compat" version
+	case "${MULTIBUILD_ID}" in
+		xcrypt_compat-*)
+			rm "${D}"$(get_xclibdir)/libcrypt$(get_libname) \
+				|| die "failed to remove extra compat libraries"
+		;;
+		xcrypt_nocompat-*)
+			if use split-usr; then
+				(
+					if use static-libs; then
+						# .a files are installed to /$(get_libdir) by default
+						# Move static libraries to /usr prefix or portage will abort
+						shopt -s nullglob || die "failglob failed"
+						static_libs=( "${D}"/$(get_xclibdir)/*.a )
+
+						if [[ -n ${static_libs[*]} ]]; then
+							dodir "/usr/$(get_xclibdir)"
+							mv "${static_libs[@]}" "${ED}/usr/$(get_xclibdir)" \
+								|| die "Moving static libs failed"
+						fi
+					fi
+
+					if use system; then
+						# Move versionless .so symlinks from /$(get_libdir) to /usr/$(get_libdir)
+						# to allow linker to correctly find shared libraries.
+						shopt -s failglob || die "failglob failed"
+
+						for lib_file in "${D}"$(get_xclibdir)/*$(get_libname); do
+							lib_file_basename="$(basename "${lib_file}")"
+							lib_file_target="$(basename "$(readlink -f "${lib_file}")")"
+
+							# We already know we're in split-usr (checked above)
+							# See bug #843209 (also worth keeping in mind bug #802222 too)
+							local libdir_no_prefix=$(get_xclibdir)
+							libdir_no_prefix=${libdir_no_prefix#${EPREFIX}}
+							libdir_no_prefix=${libdir_no_prefix%/usr}
+							dosym -r "/$(get_libdir)/${lib_file_target}" "/usr/${libdir_no_prefix}/${lib_file_basename}"
+						done
+
+						rm "${D}"$(get_xclibdir)/*$(get_libname) || die "Removing symlinks in incorrect location failed"
+					fi
+				)
+			fi
+		;;
+		*) die "Unexpected MULTIBUILD_ID: ${MULTIBUILD_ID}";;
+	esac
+}
+
+pkg_preinst() {
+	# Verify we're not in a bad case like bug #843209 with broken symlinks.
+	# This can be dropped when, if ever, the split-usr && system && compat case
+	# is cleaned up in *_src_install.
+	local broken_symlinks=()
+	mapfile -d '' broken_symlinks < <(
+		find "${ED}" -xtype l -print0
+	)
+
+	if [[ ${#broken_symlinks[@]} -gt 0 ]]; then
+		eerror "Broken symlinks found before merging!"
+		local symlink target resolved
+		for symlink in "${broken_symlinks[@]}" ; do
+			target="$(readlink "${symlink}")"
+			resolved="$(readlink -f "${symlink}")"
+			eerror "  '${symlink}' -> '${target}' (${resolved})"
+		done
+		die "Broken symlinks found! Aborting to avoid damaging system. Please report a bug."
+	fi
+}

sdk_container/src/third_party/portage-stable/sys-libs/libxcrypt/metadata.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>toolchain@gentoo.org</email>
+		<name>Gentoo Toolchain Project</name>
+	</maintainer>
+	<longdescription>
+		Crypt library for DES, MD5, and blowfish. Libxcrypt is a replacement for
+		libcrypt, which comes with the GNU C Library. It supports DES crypt,
+		MD5, and passwords with blowfish encryption.
+	</longdescription>
+	<use>
+		<flag name="compat">Build with compatibility interfaces for other crypt implementations</flag>
+		<flag name="system">Install as system libcrypt.so rather than to an alternate directory (will collide with <pkg>sys-libs/glibc</pkg>'s version)</flag>
+		<flag name="headers-only">Build and install only the headers.</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">besser82/libxcrypt</remote-id>
+	</upstream>
+</pkgmetadata>