From e406d826d85bc2bf6e229512fae246f3f9ef4b94 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 10:33:07 +0100 Subject: [PATCH 01/16] profiles: Drop accept keywords for app-arch/cpio The updated package is stable for amd64 and arm64. --- .../profiles/coreos/base/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index d117ea26eb..88a3454884 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -2,9 +2,6 @@ # Copyright (c) 2013 The CoreOS Authors. All rights reserved. # Distributed under the terms of the GNU General Public License v2 -# To address CVE-2021-38185 -=app-arch/cpio-2.13-r3 ~amd64 ~arm64 - =app-arch/zstd-1.4.9 ~amd64 ~arm64 =coreos-devel/fero-client-0.1.1 ** From 60136e23fb94e9a9fc03331f36d028b95afb6cb7 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 11:30:47 +0100 Subject: [PATCH 02/16] profiles: Drop accept keywords for app-editors/vim{,-core} The updated packages are stable for amd64 and arm64. --- .../profiles/coreos/base/package.accept_keywords | 4 ---- 1 file changed, 4 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 88a3454884..4480fe54cb 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -15,10 +15,6 @@ # To address CVE-2022-32221, CVE-2022-35260, CVE-2022-42915 and CVE-2022-42916. =net-misc/curl-7.86.0-r3 ~arm64 -# Required for some CVEs -=app-editors/vim-9.0.0828-r1 ~amd64 ~arm64 -=app-editors/vim-core-9.0.0828-r1 ~amd64 ~arm64 - # Required for addressing CVE-2022-29154 =net-misc/rsync-3.2.6 ~amd64 ~arm64 From 008ba273cb6c0c3eaabfd17a86703cf50b437dde Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 11:31:41 +0100 Subject: [PATCH 03/16] profiles: Bump accept keywords for app-crypt/adcli This got released 3 months ago, so we could start using it. --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 4480fe54cb..e807ac0e98 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -31,4 +31,4 @@ # Overwrite portage-stable mask - use latest liburing -r2 for ARM64 and AMD64 =sys-libs/liburing-2.1-r2 ~amd64 ~arm64 -=app-crypt/adcli-0.9.1-r2 ~amd64 ~arm64 +=app-crypt/adcli-0.9.2 ~amd64 ~arm64 From 470ade39c24ced08bd94ba3d31da4920f394aec5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 11:34:22 +0100 Subject: [PATCH 04/16] profiles: Drop accept keywords for app-portage/portage-utils The package became stable for amd64 too. --- .../profiles/coreos/amd64/sdk/package.accept_keywords | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.accept_keywords 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.accept_keywords deleted file mode 100644 index 24763fc5fd..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/sdk/package.accept_keywords +++ /dev/null @@ -1,5 +0,0 @@ -# Copyright (c) 2022 Flatcar Authors -# Distributed under the terms of the GNU General Public License v2 - -# It's stable for arm64, so make it available on amd64 SDK too. -=app-portage/portage-utils-0.94.3 ~amd64 From 1bd177b5165056761f003aa82bed8256f66f2060 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 12:03:19 +0100 Subject: [PATCH 05/16] profiles: Enable unicode for dev-libs/libpcre2 --- .../coreos-overlay/profiles/coreos/base/package.use | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use index c80b3d055a..96834a54f5 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use @@ -147,8 +147,9 @@ net-fs/nfs-utils kerberos nfsv41 nfsv4 junction ldap libmount nfsdcld uuid net-libs/libtirpc kerberos # Disable enabled-by-default support for 16-bit characters, we didn't -# need it before, so we don't need it now. -dev-libs/libpcre2 -pcre16 +# need it before, so we don't need it now. Enable unicode support, as +# glib requires it now. +dev-libs/libpcre2 -pcre16 unicode # Disable extra stuff for tcpdump, there was no explanation why it was # enabled by upstream. Samba was enabled to make some tests pass. But From 60d186c4bc43d28206b693ec69302a57ac40fba9 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Mon, 2 Jan 2023 12:11:49 +0100 Subject: [PATCH 06/16] profiles: Add accept keywords for GLib packages They are stable for amd64, but not for arm64. Add to avoid version discrepancies. --- .../profiles/coreos/base/package.accept_keywords | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index e807ac0e98..a5de3795cc 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -32,3 +32,7 @@ =sys-libs/liburing-2.1-r2 ~amd64 ~arm64 =app-crypt/adcli-0.9.2 ~amd64 ~arm64 + +# These are stable for amd64, so pull them in for arm64 too. +=dev-libs/glib-2.74.4 ~arm64 +=dev-util/gdbus-codegen-2.74.4 ~arm64 From 3be777a9c5d52137878f847e64e7aff7cd619f19 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 14:41:07 +0100 Subject: [PATCH 07/16] profiles: Drop accept keywords for net-misc/curl The package became stable for arm64. --- .../profiles/coreos/base/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index a5de3795cc..4c675aa5a6 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -12,9 +12,6 @@ =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64 -# To address CVE-2022-32221, CVE-2022-35260, CVE-2022-42915 and CVE-2022-42916. -=net-misc/curl-7.86.0-r3 ~arm64 - # Required for addressing CVE-2022-29154 =net-misc/rsync-3.2.6 ~amd64 ~arm64 
From aa53bc204438c7e3ec36a03ba6d42b7c9f2f73a5 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 2 Jan 2023 14:47:33 +0100 Subject: [PATCH 08/16] profiles: Bump net-misc/rsync version in accept keywords The version we used so far was dropped, so pull something that's newer. --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 4c675aa5a6..dcf3a48f8e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -13,7 +13,7 @@ =dev-libs/libgcrypt-1.9.4 ~amd64 ~arm64 # Required for addressing CVE-2022-29154 -=net-misc/rsync-3.2.6 ~amd64 ~arm64 +=net-misc/rsync-3.2.7-r1 ~amd64 ~arm64 =sys-fs/cryptsetup-2.4.1-r1 ~amd64 ~arm64 From a43f393643259c87f7f4883300d43c4cde4b9004 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 3 Jan 2023 09:01:07 +0100 Subject: [PATCH 09/16] profiles: Add bison to bootstrap use flags This is to fix the following error during stage2 SDK build: [[ (3/3) Emerging packages ]] !!! The ebuild selected to satisfy "app-alternatives/yacc" has unmet requirements. - app-alternatives/yacc-1-r2::portage-stable USE="-bison -byacc -reference" The following REQUIRED_USE flag constraints are unsatisfied: exactly-one-of ( bison byacc reference ) (dependency required by "sys-devel/binutils-2.39-r4::portage-stable" [ebuild]) (dependency required by "sys-devel/gcc-11.3.1_p20221209::portage-stable" [ebuild]) (dependency required by "sys-libs/glibc-2.36-r5::coreos" [ebuild]) (dependency required by "sys-libs/glibc:2.2" [argument]) --- .../coreos-overlay/profiles/coreos/base/make.defaults | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults index bf61ba59f4..995c5b3a69 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults @@ -46,6 +46,11 @@ BOOTSTRAP_USE="${BOOTSTRAP_USE} curl_ssl_openssl ssl" # Add `xml` USE flag to avoid build failures from sys-apps/portage 3.0.28 BOOTSTRAP_USE="${BOOTSTRAP_USE} xml" +# Add `bison` USE flag, so we pick a proper yacc alternative from +# app-alternatives/yacc (normally bison is enabled by default, but +# it's disabled during building stage2 for some reason). +BOOTSTRAP_USE="${BOOTSTRAP_USE} bison" + # Set SELinux policy POLICY_TYPES="targeted mcs mls" From 7ed1bf4c14269cb9ff8c93700b9e06ed3b1634ec Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 3 Jan 2023 13:29:58 +0100 Subject: [PATCH 10/16] coreos-base/coreos: Pull in app-arch/ncompress app-arch/gzip does not install uncompress any more, so pulling in app-arch/ncompress instead to fill in the gap. --- .../{coreos-0.0.1-r304.ebuild => coreos-0.0.1-r305.ebuild} | 0 .../coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild | 1 + 2 files changed, 1 insertion(+) rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/{coreos-0.0.1-r304.ebuild => coreos-0.0.1-r305.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r304.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r305.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r304.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r305.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index de884561b6..87212ef039 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -97,6 +97,7 @@ RDEPEND="${RDEPEND} app-arch/torcx app-arch/unzip app-arch/zip + app-arch/ncompress app-crypt/adcli app-crypt/gnupg app-crypt/go-tspi From fa616acb1817f3d9fbb216b6d637b7586c2e9780 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 3 Jan 2023 13:50:39 +0100 Subject: [PATCH 11/16] app-shells/bash: Sync with Gentoo It's from Gentoo commit 1323a3d70d1ead5379b997bd2ef048c898dd6712. --- .../coreos-overlay/app-shells/bash/Manifest | 26 ++++ ...h-5.1_p8.ebuild => bash-5.1_p16-r2.ebuild} | 131 ++++++++++++------ .../app-shells/bash/files/bashrc | 2 - .../app-shells/bash/files/dot-bashrc | 9 -- .../app-shells/bash/metadata.xml | 45 +++--- 5 files changed, 144 insertions(+), 69 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-shells/bash/{bash-5.1_p8.ebuild => bash-5.1_p16-r2.ebuild} (62%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/Manifest b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/Manifest index 0013eb5942..30ee235cba 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/Manifest 
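Review bot: `app-arch/ncompress` is appended after `app-arch/zip`, which breaks the alphabetical order the visible RDEPEND entries otherwise follow (`torcx`, `unzip`, `zip`, then `app-crypt/adcli`); it belongs further up, among the entries above this hunk. According to the commit message the package is added to the image only to keep `uncompress` available. The quoted RDEPEND string cannot hold a comment, so that reason is best recorded on a line above the assignment, e.g. `# app-arch/ncompress: provides uncompress, no longer installed by app-arch/gzip`. The RDEPEND assignment starts and ends outside the hunk.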
@@ -1,9 +1,35 @@ DIST bash-5.1.tar.gz 10458638 BLAKE2B 42059556694b604911b5b7936f94d42d8923f2931f3ebacefd95454274c7baadb1ec97629a524c1542e2e282dae66f1389334f8edc572ca8ee841cc3ac449ba7 SHA512 c44a0ce381469219548a3a27589af3fea4f22eda1ca4e9434b59fc16da81b471c29ce18e31590e0860a6a251a664b68c2b45e3a17d22cfc02799ffd9a208390c +DIST bash-5.1.tar.gz.sig 95 BLAKE2B ac9209d6a4ab4436c511a7a195594e9036d7d1aef7887972f61a0e97378a9685b882621d7f95f5326b155dc155c41635417ce2ca41ac6d0dda78bd293ea4249f SHA512 3966404c0f683c7ef214fcf283b551e5441af3897009f778308c2e34067d98d57c95561453416a54ca5b1daf9a1288dbf950fe3f13353703cead12f5eec5fad8 +DIST bash-5.1_p16-patches.tar.xz 388 BLAKE2B 1575d54d311872c7ca71e13711fa0f7e3534fca16fd9d1ca045b6c696c9ca56f6a0ed5023a05d847ab5ddbefc22b8ef2c2a681f09571520f0294d83b495f0015 SHA512 c85e5b83f6ee1a7345647fa937d9718cab13be1a65886755d26a78d21fea4246650c7441a34fd729212e220366985b410562002d74c02c18de7ef0469b409ac7 DIST bash51-001 2894 BLAKE2B 7918eb48d4afe91a167eed666f0d15ca220e002d824cfc5ebb753430144a8bf884e8895e6d050158153e08c115fb0b90659608ed98b18aec737e75b5e61098f3 SHA512 1cd86805a2639614372aec29a710bc456e330abcbbaa0867820c94f714a1fa5fb5c1b18aa2c10263ae0bce9dad7579c7af2f732282315c1c34bfd6a90777bfd2 +DIST bash51-001.sig 95 BLAKE2B 1f4cb69130029cd8ac46961898bdc15b2a6fc36ea84cccae08aa1ac374a4f4eb3a314a9c6a4a40975c42d76027e27dbf3e71e3253f50bb1561c086b66123d29a SHA512 a72af2444c327180fe91d5780b89aab69d2bd67e7437503e1565ec6618fecb4954dcaa4998186f8d10e4a02ba36a1eb50733d3fedaba60865fee75d38d20f065 DIST bash51-002 1575 BLAKE2B 70336d2ef04c63fa29a625a2719c0b36f7e34818cadbb4b09e1434d72d6695dd882c758a00f2ea48f38d3918abc15f494780825b7d2f7cfc6c747a3be89ac497 SHA512 923e7822a9629645347d3aea0058fb5e2d52223507159a62369309f264612df44a84931c19e0ccb3852e98ce672dfbd454477090b4041b5a0de477c94eb61088 +DIST bash51-002.sig 95 BLAKE2B b5280e5bb04517302cb05d076f01a083b0c367ac32e7fa262972c24aafb01751aa2fb7444b98ffc8d90b48922f6d2821e2d84c941505c0ef45ebc8c66cac97c1 SHA512 
c981e9e42f33548a3ae2605be690b012e934cbfae55519b555593c30f0f4dd0fcf078af3b550e5c988e8872b9f4f5b72588da2f1f5a552646a444c2a21262836 DIST bash51-003 1800 BLAKE2B 6dd284666273016d3b9007537502d75ad7c4e1347c3a13dcdab2325e4f191a149180ee86f9904fc96291ed8217e1d26dcd2b8b20c283ea616f322dbd293d1998 SHA512 01e952dcfdae58624723d64912ea3444eed2fdcd266ba1a929b95ec3abd70f914bf400607c3f7bb7a94ac2925f794f91f37c1929d5bb987de2ba7f60a19cb8bd +DIST bash51-003.sig 95 BLAKE2B 8f5e7dbf9bf61c1c0778d6347dd5b5f7c90cd02c67ad4b91645bad8afa43469b46dbf786ae31df2224bb6d19b258f3d32e56eb35dee22ae1390eb7ad6e880b08 SHA512 e09e2959cf763509cec4b7ff7fcbf32704913ea37506c6c93fa265ccdf090812db68351d44df073014d329d8bb7030e27ee089ec845631103a43d744d84770fa DIST bash51-004 3745 BLAKE2B dbbe2713c1cc4aa6de99366c1d91e136d1a7a86ac11108e8dd1aea3823ba0f9e005f48f1507acd1f86ce2f3c2f4ac60ae04ff066e5587229e7f19aefbe4d6e39 SHA512 10ff24cd91a2cd88818bfa7218050843af6b409e43fcca89f5ec70d8266020c6c2a55132426271f165cd0f154f49eb0f8ec2761b80fc066c921b83120bb543ce +DIST bash51-004.sig 95 BLAKE2B 7bb42a219397a1c9d5976908e62dce092f074cbe9a26e9ce4c18b998b00a3f8d69bc5b5d146cb970d3a72bbd4b25878e9b79516ef5538c4d164725de19ee3355 SHA512 445c33cf59a21f5c5f2cbf44f3f1f1756db1850281b4fad7c506665e9e26f840c9fb5647c44a74fde8be2ec832651fd10df624b1649ea3af2858ce3e0e3197a2 DIST bash51-005 2577 BLAKE2B 573dafdff4a0d11cf6c458d6a3c9087b728542000fce5e16266636444278b7a9b4c75b05e6de31648e2b1ad5ffc2b55336d9fec088ea2c4c6c854eb7e16527aa SHA512 fa83d894fe874a05b9a7d47b8bca8e5b7f4067221d82e8b1af616d17725592c3737c621f2a8ad3c917b29846012c37c85acd34dcbb43eb6b05065ccce89b260c +DIST bash51-005.sig 95 BLAKE2B 7a645c5fe6d903f0843b3878fe53ee74c575595814e051ce562132b57db75c684d19943138e5a4d4df58b5695de2c06326329a2429ec5075cf79f3b42b5228b2 SHA512 8fae2c63808d0730304da59bd6a50849837f98da32a814e3bfa14a9a5b34bacc0ecf9faeea355b729d88c0ebf11836e36516e1c93c1a19e73eb331fd9f6d8129 DIST bash51-006 1412 BLAKE2B 
3b32c69cef9438f66afaad0279627567d6aac32fabbec5af899552427489f2a87b148a3886bc30139647ec4204241c2e77cad83cdae1251176b7ec54699e1445 SHA512 b9b6e3d71f7b7718e2e8598ec8e337dcc675571fb233c29e5230ebf14eab2249204531f2fe8c4d1459c5fed10acb679048588d1e457e98dbc00ffc4d2cd227e3 +DIST bash51-006.sig 95 BLAKE2B 4727ec0cefbb2ef159b22fe9c9ca9800dae7d1b23fcfcac76e78f0f8f28c6ff81ee6425809bb547c54e16de0c55ff3cb46812b0d2c129fc269c704408967083a SHA512 6801224df73194a581d83a0d137b4b9c7e19609528602e6f13b4dc59810b20b0666317c229df470784e082cf205f1c94ffeb9f6ab7465d05959a03bf4b8159c2 DIST bash51-007 2621 BLAKE2B f2802bc7267efe69abecb5c4d0cf5879bb57219e9e972d4c74f86ca88f99ba4dd3d9314beaca9c426351ffe429ddb4a03615776f569bad9962df7c5094d52a28 SHA512 e4ebdc47e780ddc2588ecdfcfe00cb618039c7044e250ab2b836b0735c461ebacd15beaf2145e277c70b7f51cded55bd8dde7757df810f33f8dae306ee5ba571 +DIST bash51-007.sig 95 BLAKE2B 42e58e5479a12014e62061abca3cc2abfbcb03767c46f3034b60141e954cd95f3f80e640f44847149dc7691e99536ae79bd9c9209960480b43c20969649f56a1 SHA512 b38c4450bed3740368ddcb24d14a28afaa9832771a81c8fa0c3fffde4e6e1bfe7425799c854e8ceea31906a86ba24f3815c20e80b07e90629208976e7c939c6f DIST bash51-008 1821 BLAKE2B 9820066c99c8ed5f6322fceb2346f8900ac77b6c50c75de39c9ff7472c33f78b054f8bd0493ce7a4b8e17c70456d867aa6791e892246bce64624549a95c3211d SHA512 97f9558a08a66cc9da62c285bf9118b39328e25ed3b9277728e0539b1ac0adef176a090e39cd96dc03d6fd900d8155bd58040cb3390a09f637bab1de8af3faf6 +DIST bash51-008.sig 95 BLAKE2B 6616c8a60b2b2ea87f2ea609709812d194904b18409fbf5ef8e922e9ce57fad8c72cfb4d190fc2cfa21ade985bdf4539a7f8a688e2f3520d34e61ad7c0ee3bb8 SHA512 38e2e83ec4d9b9aa56d67d5816ed2151fb20789fb0b950ad372ebe5a3fea62c193702b2b5be2979063c923f664bd1437058820a3fac68d46c7598aad48ffc8f4 +DIST bash51-009 1627 BLAKE2B 95e47909080c9c8d11f08db6a9fa764b1422f11a55183ee773837c79898db318d997ca6634cc7134245c88231b30245bd5dbd0e5be93528d89544afc1170da1f SHA512 
2d3c65162ec4e5c3dfeb439891950ef2c43973a84122fcdf6b56c388466c7e671dbc9b236d2253f01411b668c365855263995dbacb8e6f9e9dbcb7e6c2cc518c +DIST bash51-009.sig 95 BLAKE2B 9b4a41db7280feacb834917bffdd9ef165c60a3cfe0ed758adbf8e2e51a4c5e847251663cc3ac0da7000d172232f84475c3aa79225677d9d9efd7454ce3d7019 SHA512 d8eef6aecc6d86262c779d5c725bf6eaa44ea635ab7ae4e46c32d7ff0ada1ee0ba963ed788f2b7f059b7eef1cec845049a315221a7101978d88f92c23a7af369 +DIST bash51-010 1700 BLAKE2B d391ac7fa3124f001bb06f3020a531b786ce601e8756ac853872420b82a002cfe744f6ba3c0db869b24eb456bbf571fc5ef869a6e4dd4e1c2ffdc3055c67692b SHA512 aac4a0b72b559566334f1029c52754f4c98185af99e09436e401d83ab81bab7882d0d8050674b30f171733f3628157777a264566e927e93db2ea5a18d26630f1 +DIST bash51-010.sig 95 BLAKE2B 6858d5c968090f2ef0127a0a4ec811bcb1a05970247d35248d17efe1de224e7f53cd09577ee2a1e70af7a2cdad0a356e2ed755fc3aa08cc15cc7adcae5bb2f01 SHA512 8d0dd246ceb10167ec4517ca730f8ced6556dc3411ebd1130b3b4914f81b7088355387b29214d5cd23deef9b072862981e2380f64675424063ddfaf6e637100f +DIST bash51-011 2229 BLAKE2B d439ffeef6b42c90d3817d8800a9e842327facb87ad0921313ba8071ae6720a10a79f259b1c8373afba4c1d28b9c2257aa325a160dd9ce9df6c34d31cc33c1b4 SHA512 bb9e47a570bb9758c365831f9650b9379b60862b8cef572edc3cd833df96ebb8b9612de474bdc2a03ff4efc2275f871d55962295385e38f3658874488e974b81 +DIST bash51-011.sig 95 BLAKE2B 01919fc0fedb735f2680ecd7a149d2cc2d88b6463ef3aa4614c9356ffb838aa8c4933c463a16d68d9c168aae5010f13328446c99a1361da2d1c65e50c443d9e0 SHA512 a317cd7449ce3a451295053089fc4a100f7102ae3322c43f7d65570311ceb60d25a7f12b2c0fc679743493de9a3762aaad7fbea6b5b69900dae2025b0d3e7235 +DIST bash51-012 6372 BLAKE2B e2a650ef81333eb4d257b97e63ed215e777f6960f31248930e8f34acdd5f1e8f9b79e636ecad3e14a4fa6b5d3227865e0757ff2b5d8f982eb589cdca753df393 SHA512 59819914b6821d9f4af0aade7b9b7ea92368c2b8eb8407cea11dfeee7208905dd06bdef7a049d7b1c4fac41c44d9a130b95a061957a9649050b37471b3044cf1 +DIST bash51-012.sig 95 BLAKE2B 
ae1a45dbca035b5692c17384ff56c7def8c07bf464761537aa2a6ee6b5fd87b4fbb6928a9895e2d55f565d62f9a4461e66ad29805e3531ba5f2f0f60d904256d SHA512 7602d2f705638964ee61197edaa1c2ead29bc7932e2fb36c51e971fdc4d9143ec3705da595daef22851cc9d9673aebff7f9a3a448a7f1fc8ccf87c0acd32fa5c +DIST bash51-013 1277 BLAKE2B 78bb6df0f4fbd412fcdd84858a02a055978747c60be3251dd5ec79be9ae0babb94f23fc83debb470b0741b16c2fbbeb066a24c00ef133b13622bd102971fbef8 SHA512 67535155f49a7f54f151e62aba9274f82d01f33a1a1a7e5efd1aa0d63ba2d078765f0b5e22cb24db7132eff2d8c5852a3688298baa5217b8b6e159aae065d748 +DIST bash51-013.sig 95 BLAKE2B 349e1a2dc1341711bb9c1d688b667849bd17340f2ae1cee0a17e7045c39cdeb52600c053f051e76c9cc87985692a550808bd7ddb476376a1795d2339886a6572 SHA512 9cc69bb93e8ce3254df51320a6d60a225d52d77e5618475ea644de5e8e1e39dfe556a2584b2d9eff8f317bc2c2d57063e7c08c9830b982d64569c1f9a775be4f +DIST bash51-014 1456 BLAKE2B e5ddf01208fa06b7bfb3731b496c72d0d1716841f7a601176128180debd8a7eeab5d7d66338d6be03fd6030c431a330b0c4c5d9920d2ac27d757ea4fe94397bd SHA512 f658ab7ef01ba1d26f735e24b23bf35687e15b0d5d20f90da233d000745a55bdba142c11e9fba52e3b84470ec625fab60cc74cd6be533d990496a3795c658e88 +DIST bash51-014.sig 95 BLAKE2B 6478cd78c4c95710b2ef82da748b407f55a237325c378888f9d4e6ffc8e50a63cc6245d738a47f46690d932d8121c5dd0d4bbe6776a3a901990e1c0d247dab49 SHA512 4c9b2defe7bea90533a9cf2c4b2f581338255fd036e3ca31992feea7799eaf544e2914e731e735af35c7883a687a49f45c8238d752ffc7256f5b0d0a3642b63b +DIST bash51-015 1409 BLAKE2B c9f4d7bb13727cbea142200ff61f09d5b06a117d863afd8a451a078c040fbaf48291263264ad6e5d9bd1d309d8e23543cd2e847d593714969ea99f7054064fd9 SHA512 fd4bc85f942a3a16c545f7e951a24f620ff2d884640dea6e05f305aaf88ed41862bfb05eea2258881608de696f9dc7a0fe3bebb51a011f50b720ea7a66699184 +DIST bash51-015.sig 95 BLAKE2B 236e63344a1d4f82acee460b84c7a0153ab27a5f8a1429eadb2db29c2506293828330a7da337a89d4e33cc1578ad47a427c574f669f6a4c560ffb7db719205bb SHA512 
6dd83302c2dffa701ccb5ecb6d655714479609f2297bd53c5d02a9d8169fe52cea09149d122b679405da0ecbaeb4252b8834dd5397e89aaad1b87528d18ea7fb +DIST bash51-016 2122 BLAKE2B c44d269366cf13d896602bc14ebefd8f5826cb10820e9bace83b643f5af0264cff0240da81cabcbb36af55a009795420cc622100969656bcb3c977ee9359d810 SHA512 020b3f3db77ca603a27a3423323538db5c9844be17ee428cf7cda80bebdcc715d30eab6c95773541cb8d14f3ad9e6142bf0adcda0e745ee638242508cc0ab05f +DIST bash51-016.sig 95 BLAKE2B 6da76c4dc413b0a4560ae6b7ec550090c819b7a3e05dc2e000ee709b8430ae6373003f7c99dc94a13cfcce33e393199bd9b8f670a120375c929bf40b9e5a2a15 SHA512 d008d91db6b6bccea9431f962665fc4976cbeed87b24ea133044e9a15b0aba14f1d6361e524f00096377aa11a9b1daeea2bbeb65e82396cb12bc57cb560940f0 diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild similarity index 62% rename from sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild index 818073754c..795a74626b 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p8.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild 
@@ -1,53 +1,79 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -inherit flag-o-matic toolchain-funcs prefix +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/chetramey.asc +inherit flag-o-matic toolchain-funcs prefix verify-sig + +# Uncomment if we have a patchset +GENTOO_PATCH_DEV="sam" +GENTOO_PATCH_VER="${PV}" # Official patchlevel -# See ftp://ftp.cwru.edu/pub/bash/bash-5.0-patches/ +# See ftp://ftp.cwru.edu/pub/bash/bash-5.1-patches/ PLEVEL="${PV##*_p}" MY_PV="${PV/_p*}" MY_PV="${MY_PV/_/-}" MY_P="${PN}-${MY_PV}" +MY_PATCHES=() + is_release() { case ${PV} in - *_alpha*|*_beta*|*_rc*) return 1 ;; - *) return 0 ;; + *_alpha*|*_beta*|*_rc*) + return 1 + ;; + *) + return 0 + ;; esac } + [[ ${PV} != *_p* ]] && PLEVEL=0 -patches() { - local opt=${1} plevel=${2:-${PLEVEL}} pn=${3:-${PN}} pv=${4:-${MY_PV}} - [[ ${plevel} -eq 0 ]] && return 1 - eval set -- {1..${plevel}} - set -- $(printf "${pn}${pv/\.}-%03d " "$@") - if [[ ${opt} == -s ]] ; then - echo "${@/#/${DISTDIR}/}" - else - local u - for u in ftp://ftp.cwru.edu/pub/bash mirror://gnu/${pn} ; do - printf "${u}/${pn}-${pv}-patches/%s " "$@" - done - fi -} # The version of readline this bash normally ships with. READLINE_VER="8.1" DESCRIPTION="The standard GNU Bourne again shell" -HOMEPAGE="http://tiswww.case.edu/php/chet/bash/bashtop.html" +HOMEPAGE="https://tiswww.case.edu/php/chet/bash/bashtop.html" + if is_release ; then - SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz $(patches)" + SRC_URI="mirror://gnu/bash/${MY_P}.tar.gz" + SRC_URI+=" verify-sig? 
( mirror://gnu/bash/${MY_P}.tar.gz.sig )" + + if [[ ${PLEVEL} -gt 0 ]] ; then + # bash-5.1 -> bash51 + my_p=${PN}$(ver_rs 1-2 '' $(ver_cut 1-2)) + + patch_url= + my_patch_index= + + for ((my_patch_index=1; my_patch_index <= ${PLEVEL} ; my_patch_index++)) ; do + for url in mirror://gnu/${pn} ftp://ftp.cwru.edu/pub/bash ; do + patch_url=$(printf "${url}/${PN}-$(ver_cut 1-2)-patches/${my_p}-%03d" ${my_patch_index}) + SRC_URI+=" ${patch_url}" + SRC_URI+=" verify-sig? ( ${patch_url}.sig )" + + done + + MY_PATCHES+=( "${DISTDIR}"/$(printf ${my_p}-%03d ${my_patch_index}) ) + done + + unset my_pn patch_url my_patch_index + fi else SRC_URI="ftp://ftp.cwru.edu/pub/bash/${MY_P}.tar.gz" + SRC_URI+=" verify-sig? ( ftp://ftp.cwru.edu/pub/bash/${MY_P}.tar.gz.sig )" +fi + +if [[ -n ${GENTOO_PATCH_VER} ]] ; then + SRC_URI+=" https://dev.gentoo.org/~${GENTOO_PATCH_DEV}/distfiles/${CATEGORY}/${PN}/${PN}-${GENTOO_PATCH_VER}-patches.tar.xz" fi LICENSE="GPL-3" SLOT="0" [[ "${PV}" == *_rc* ]] || \ -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" IUSE="afs bashlogger examples mem-scramble +net nls plugins +readline" DEPEND=" 
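Review bot: In the patch loop, `for url in mirror://gnu/${pn} ftp://ftp.cwru.edu/pub/bash` expands the lowercase `${pn}`, which nothing on the new side assigns (it was a local of the removed `patches()` helper). The mirror entry therefore loses its `bash` path component, and presumably only the plain-FTP location can serve the patch and `.sig` files. It should read `for url in mirror://gnu/${PN} ftp://ftp.cwru.edu/pub/bash ; do`. The cleanup line has a similar slip: `unset my_pn patch_url my_patch_index` names a variable that is never set and leaves `my_p` and `url` in global scope, where `unset my_p url patch_url my_patch_index` would cover what the loop assigns. The Manifest digests still pin the fetched content, so this affects fetch reliability and transport rather than integrity.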
@@ -58,14 +84,15 @@ DEPEND=" RDEPEND=" ${DEPEND} " -# We only need yacc when the .y files get patched (bash42-005) -#BDEPEND="app-alternatives/yacc" +# We only need yacc when the .y files get patched (bash42-005, bash51-011) +BDEPEND="app-alternatives/yacc + verify-sig? ( sec-keys/openpgp-keys-chetramey )" S="${WORKDIR}/${MY_P}" PATCHES=( # Patches from Chet sent to bashbug ml - "${FILESDIR}"/${PN}-5.0-syslog-history-extern.patch + "${WORKDIR}"/${PN}-${GENTOO_PATCH_VER}-patches/${PN}-5.0-syslog-history-extern.patch ) pkg_setup() { @@ -83,12 +110,29 @@ pkg_setup() { } src_unpack() { - unpack ${MY_P}.tar.gz + if [[ ${PV} == 9999 ]] ; then + git-r3_src_unpack + else + if use verify-sig ; then + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.sig} + + local patch + for patch in "${MY_PATCHES[@]}" ; do + verify-sig_verify_detached ${patch}{,.sig} + done + fi + + unpack ${MY_P}.tar.gz + + if [[ -n ${GENTOO_PATCH_VER} ]] ; then + unpack ${PN}-${GENTOO_PATCH_VER}-patches.tar.xz + fi + fi } src_prepare() { # Include official patches - [[ ${PLEVEL} -gt 0 ]] && eapply -p0 $(patches -s) + [[ ${PLEVEL} -gt 0 ]] && eapply -p0 "${MY_PATCHES[@]}" # Clean out local libs so we know we use system ones w/releases. if is_release ; then 
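Review bot: In `src_unpack`, `verify-sig_verify_detached ${patch}{,.sig}` expands `${patch}` unquoted although each entry is a `${DISTDIR}` path; `verify-sig_verify_detached "${patch}"{,.sig}` matches the quoting used for the tarball check just above it. All of these checks run only under `use verify-sig`, and the `${PN}-${GENTOO_PATCH_VER}-patches.tar.xz` archive unpacked at the end has no detached signature, so the Manifest digests are its only integrity check. A short comment stating that would stop readers assuming every input is signature-verified. The `${PV} == 9999` branch calls `git-r3_src_unpack`, but the `inherit` line visible in this patch does not list `git-r3`, so that branch looks unreachable for this version and deserves a comment or removal.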
@@ -130,10 +174,10 @@ src_configure() { # For descriptions of these, see config-top.h # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426 append-cppflags \ - -DDEFAULT_PATH_VALUE=\'\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\' \ - -DSTANDARD_UTILS_PATH=\'\"/bin:/usr/bin:/sbin:/usr/sbin\"\' \ - -DSYS_BASHRC=\'\"/etc/bash/bashrc\"\' \ - -DSYS_BASH_LOGOUT=\'\"/etc/bash/bash_logout\"\' \ + -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \ + -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \ + -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \ + -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \ -DNON_INTERACTIVE_LOGIN_SHELLS \ -DSSH_SOURCE_BASHRC \ $(use bashlogger && echo -DSYSLOG_HISTORY) @@ -159,7 +203,7 @@ src_configure() { fi if use plugins ; then - append-ldflags -Wl,-rpath,/usr/$(get_libdir)/bash + append-ldflags -Wl,-rpath,"${EPREFIX}"/usr/$(get_libdir)/bash else # Disable the plugins logic by hand since bash doesn't # provide a way of doing it. @@ -194,16 +238,15 @@ src_install() { mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die dosym bash /bin/rbash - insinto /usr/share/bash - for f in bash{_logout,rc} ; do - doins "${FILESDIR}"/${f} - dosym ../../usr/share/bash/${f} /etc/bash/${f} - done + insinto /etc/bash + doins "${FILESDIR}"/bash_logout + doins "$(prefixify_ro "${FILESDIR}"/bashrc)" - insinto /usr/share/skel + keepdir /etc/bash/bashrc.d + + insinto /etc/skel for f in bash{_logout,_profile,rc} ; do newins "${FILESDIR}"/dot-${f} .${f} - dosym ../../usr/share/skel/.${f} /etc/skel/.${f} done local sed_args=( @@ -221,8 +264,8 @@ src_install() { sed -i \ "${sed_args[@]}" \ - "${ED}"/usr/share/skel/.bashrc \ - "${ED}"/usr/share/bash/bashrc || die + "${ED}"/etc/skel/.bashrc \ + "${ED}"/etc/bash/bashrc || die if use plugins ; then exeinto /usr/$(get_libdir)/bash 
@@ -246,7 +289,11 @@ src_install() { done fi - doman doc/*.1 + # Install bash_builtins.1 and rbash.1 + emake -C doc DESTDIR="${D}" install_builtins + sed 's:bash\.1:man1/&:' doc/rbash.1 > "${T}"/rbash.1 || die + doman "${T}"/rbash.1 + newdoc CWRU/changelog ChangeLog dosym bash.info /usr/share/info/bashref.info } diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bashrc b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bashrc index bce7204e3c..b7202a361d 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bashrc +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/bashrc @@ -94,8 +94,6 @@ if ${use_color} ; then #BSD#@export CLICOLOR=1 #GNU#@alias ls='ls --color=auto' alias grep='grep --colour=auto' - alias egrep='grep -E --colour=auto' - alias fgrep='grep -F --colour=auto' else # show root@ when we don't have colors PS1+='\u@\h \w \$ ' diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc index f020892b5c..34dbd8c892 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc @@ -16,12 +16,3 @@ fi # Put your fun stuff here. - -alias_bcc_tool() { - local tool="${1}" - alias iovisor-${tool}="docker run --rm -it -v /lib/modules:/lib/modules -v /sys/kernel/debug:/sys/kernel/debug -v /sys/fs/cgroup:/sys/fs/cgroup -v /sys/fs/bpf:/sys/fs/bpf --privileged --net host --pid host quay.io/iovisor/bcc /usr/share/bcc/tools/${tool}" -} - -bcc_debug_toolset=( tcpretrans tcpconnect tcpaccept biolatency ) - -for t in "${bcc_debug_toolset[@]}"; do alias_bcc_tool "${t}"; done 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/metadata.xml index 9b5e498670..9459ebc90e 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/metadata.xml @@ -1,19 +1,32 @@ - + - - base-system@gentoo.org - Gentoo Base System - - - Log ALL commands typed into bash; should ONLY be - used in restricted environments such as honeypots - Build with custom malloc/free overwriting allocated/freed memory - Enable /dev/tcp/host/port redirection - Add support for loading builtins at runtime via - 'enable' - - - cpe:/a:gnu:bash - + + base-system@gentoo.org + Gentoo Base System + + + + Log ALL commands typed into bash; should ONLY be + used in restricted environments such as honeypots + + + Build with custom malloc/free overwriting allocated/freed memory + + + Enable /dev/tcp/host/port redirection + + + Add support for loading builtins at runtime via 'enable' + + + Optimize the build using Profile Guided Optimization (PGO) + + + + mailto:bug-bash@gnu.org + https://tiswww.case.edu/php/chet/bash/NEWS + cpe:/a:gnu:bash + bash + From 55a14648c5a4c3557f2462f2a6e1ab03bb6caa2b Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Wed, 29 Sep 2021 12:26:48 +0530 Subject: [PATCH 12/16] app-shells/bash: Apply Flatcar modifications Signed-off-by: Sayan Chowdhury --- .../app-shells/bash/bash-5.1_p16-r2.ebuild | 25 ++++++++++--------- .../app-shells/bash/files/dot-bashrc | 9 +++++++ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild index 795a74626b..9a73109ff8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/bash-5.1_p16-r2.ebuild @@ -174,10 +174,10 @@ src_configure() { # For descriptions of these, see config-top.h # bashrc/#26952 bash_logout/#90488 ssh/#24762 mktemp/#574426 append-cppflags \ - -DDEFAULT_PATH_VALUE=\'\"${EPREFIX}/usr/local/sbin:${EPREFIX}/usr/local/bin:${EPREFIX}/usr/sbin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/bin\"\' \ - -DSTANDARD_UTILS_PATH=\'\"${EPREFIX}/bin:${EPREFIX}/usr/bin:${EPREFIX}/sbin:${EPREFIX}/usr/sbin\"\' \ - -DSYS_BASHRC=\'\"${EPREFIX}/etc/bash/bashrc\"\' \ - -DSYS_BASH_LOGOUT=\'\"${EPREFIX}/etc/bash/bash_logout\"\' \ + -DDEFAULT_PATH_VALUE=\'\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\' \ + -DSTANDARD_UTILS_PATH=\'\"/bin:/usr/bin:/sbin:/usr/sbin\"\' \ + -DSYS_BASHRC=\'\"/etc/bash/bashrc\"\' \ + -DSYS_BASH_LOGOUT=\'\"/etc/bash/bash_logout\"\' \ -DNON_INTERACTIVE_LOGIN_SHELLS \ -DSSH_SOURCE_BASHRC \ $(use bashlogger && echo -DSYSLOG_HISTORY) @@ -238,15 +238,16 @@ src_install() { mv "${ED}"/usr/bin/bash "${ED}"/bin/ || die dosym bash /bin/rbash - insinto /etc/bash - doins "${FILESDIR}"/bash_logout - doins "$(prefixify_ro "${FILESDIR}"/bashrc)" + insinto /usr/share/bash + for f in bash{_logout,rc} ; do + doins "${FILESDIR}"/${f} + dosym ../../usr/share/bash/${f} /etc/bash/${f} + done - keepdir /etc/bash/bashrc.d - - insinto /etc/skel + insinto /usr/share/skel for f in bash{_logout,_profile,rc} ; do newins "${FILESDIR}"/dot-${f} .${f} + dosym ../../usr/share/skel/.${f} /etc/skel/.${f} done local sed_args=( @@ -264,8 +265,8 @@ src_install() { sed -i \ "${sed_args[@]}" \ - "${ED}"/etc/skel/.bashrc \ - "${ED}"/etc/bash/bashrc || die + "${ED}"/usr/share/skel/.bashrc \ + "${ED}"/usr/share/bash/bashrc || die if use plugins ; then exeinto /usr/$(get_libdir)/bash 
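Review bot: Nothing in the new `src_install` lines marks them as a downstream deviation from the Gentoo ebuild: the installs move from `/etc/bash` and `/etc/skel` to `/usr/share` with `dosym` links back into `/etc`, and `keepdir /etc/bash/bashrc.d` and the `prefixify_ro` call disappear without a comment. A one-line marker above each changed stretch, e.g. `# Flatcar: keep the files in /usr/share and symlink them from /etc`, would let the next sync from Gentoo tell intentional changes from drift. The same applies to the `append-cppflags` hunk above it, where `${EPREFIX}` is removed from the four path defines, and to the final hunk that retargets the `sed -i` paths. Whether anything still expects `/etc/bash/bashrc.d` to exist cannot be seen from these hunks and is worth confirming.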
diff --git a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc index 34dbd8c892..f020892b5c 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc +++ b/sdk_container/src/third_party/coreos-overlay/app-shells/bash/files/dot-bashrc @@ -16,3 +16,12 @@ fi # Put your fun stuff here. + +alias_bcc_tool() { + local tool="${1}" + alias iovisor-${tool}="docker run --rm -it -v /lib/modules:/lib/modules -v /sys/kernel/debug:/sys/kernel/debug -v /sys/fs/cgroup:/sys/fs/cgroup -v /sys/fs/bpf:/sys/fs/bpf --privileged --net host --pid host quay.io/iovisor/bcc /usr/share/bcc/tools/${tool}" +} + +bcc_debug_toolset=( tcpretrans tcpconnect tcpaccept biolatency ) + +for t in "${bcc_debug_toolset[@]}"; do alias_bcc_tool "${t}"; done From 9da62c4776a10664c09b8e297bfab946c5fbfb71 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 9 Jan 2023 14:15:55 +0100 Subject: [PATCH 13/16] profiles: Drop accept keywords for perl-core/File-Path It's an obsolete entry - we don't have such a package. --- .../coreos-overlay/profiles/coreos/arm64/package.accept_keywords | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords index f146fd516a..b94165b00f 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords @@ -23,7 +23,6 @@ =net-libs/libnetfilter_cthelper-1.0.0-r1 ~arm64 =net-libs/libnetfilter_cttimeout-1.0.0-r1 ~arm64 -=perl-core/File-Path-2.130.0 ~arm64 =sec-policy/selinux-base-2.20200818-r2 ~arm64 =sec-policy/selinux-base-policy-2.20200818-r2 ~arm64 =sec-policy/selinux-unconfined-2.20200818-r2 ~arm64 
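Review bot: The `iovisor-*` aliases added to `dot-bashrc` reference `quay.io/iovisor/bcc` with no tag or digest while passing `--privileged --net host --pid host` and bind-mounting `/lib/modules`, `/sys/kernel/debug`, `/sys/fs/cgroup` and `/sys/fs/bpf`, so whatever the registry serves under the default tag at that moment runs with full host access. Pinning the reference inside `alias_bcc_tool`, e.g. `quay.io/iovisor/bcc@sha256:<digest-placeholder>`, ties the alias to an image that has been reviewed. Because the ebuild installs this file as the skeleton `.bashrc` (`newins "${FILESDIR}"/dot-${f} .${f}`), the aliases reach every newly created account, so a comment above the function saying that they launch a privileged container is warranted. Adding `unset -f alias_bcc_tool; unset bcc_debug_toolset t` after the loop would also keep the helper names out of the interactive shell.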
From e48a011b84d1e83594a24810690f4c3d6f0d4e4a Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 10 Jan 2023 09:16:08 +0100
Subject: [PATCH 14/16] profiles: Disable split-usr for generic images completely We do specify -split-usr in make.defaults for the USE variable but it's not enough - the base profile in portage-stable forces this flag and this overrides our defaults. As a workaround, we were using package.use.force to force-disable split-usr for selected packages. Now, with addition of more split-usr-using packages in app-alternatives the list in package.use.force would grow. Instead of listing all the packages having split-usr in their IUSE, use the use.force and use.mask file to unforce and mask split-usr for all packages in generic images. As a bonus, this also allows us to drop a customization we did in sys-apps/policycoreutils package.
---
 .../profiles/coreos/targets/generic/package.use.force | 4 ----
 .../coreos-overlay/profiles/coreos/targets/generic/use.force | 4 ++++
 .../coreos-overlay/profiles/coreos/targets/generic/use.mask | 4 ++++
 3 files changed, 8 insertions(+), 4 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.force
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.force
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.mask
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.force
deleted file mode 100644
index 7b3b0d7387..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use.force
+++ /dev/null
@@ -1,4 +0,0 @@
-# We don't have a separate /{bin,lib} and /usr/{bin,lib}
-sys-apps/coreutils -split-usr
-sys-apps/systemd -split-usr
-sys-apps/shadow -split-usr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.force b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.force
new file mode 100644
index 0000000000..f29fb18c73
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.force
@@ -0,0 +1,4 @@
+# We don't have a separate /{bin,lib} and /usr/{bin,lib}. But the base
+# profile in portage-stable forces split-usr, so here we unforce it
+# and in use.mask we mask it.
+-split-usr
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.mask
new file mode 100644
index 0000000000..9a467dab41
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/use.mask
@@ -0,0 +1,4 @@
+# We don't have a separate /{bin,lib} and /usr/{bin,lib}. But the base
+# profile in portage-stable forces split-usr, so in use.force we
+# unforce it and here we mask it.
+split-usr
From 5ae5149cbeeec6fce459b2951648fd8800ab9d56 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 10 Jan 2023 09:23:05 +0100
Subject: [PATCH 15/16] sys-apps/policycoreutils: Drop unnecessary modification The split-usr flag is disabled for all packages in generic images, so commenting out the symlink creation for split-usr images is not needed any more.
---
 .../sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild
index ca31fa2cea..36158efe11 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild @@ -192,8 +192,7 @@ src_install() { rm -fR "${D}/etc/rc.d" || die # compatibility symlinks - # flatcar changes: - # use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles + use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles bashcomp_alias setsebool getsebool From 6cd03f5370e097f1e70229637c7614aea16162c0 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 16 Jan 2023 10:54:06 +0100 Subject: [PATCH 16/16] coreos: Add user-patch for app-arch/ncompress This should fix having a dangling symlink at /usr/bin/uncompress. --- .../ncompress/0001-Fix-link-creation.patch | 41 +++++++++++++++++++ .../user-patches/app-arch/ncompress/README.md | 3 ++ 2 files changed, 44 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch new file mode 100644 index 0000000000..b8e031ed44 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/0001-Fix-link-creation.patch 
@@ -0,0 +1,41 @@
+From 67176ea3ab5eccd004ca9cacef103d1f0636828a Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Mon, 16 Jan 2023 10:26:24 +0100
+Subject: [PATCH] "Fix" link creation
+
+It's not a proper fix as it stands, because it would try to create a
+hardlink at $(DESTDIR)$(BINDIR)/uncompress using compress from a
+current working directory (so this may work only by chance if compress
+actually exists there), but app-arch/ncompress is also patching
+Makefile.def to use symbolic links. So those two hacks together should
+do the trick by creating a symbolic link at
+$(DESTDIR)$(BINDIR)/uncompress pointing to compress in the same
+directory, instead of creating a dangling symlink.
+---
+ Makefile.def | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.def b/Makefile.def
+index 94c9719..0fafc7a 100644
+--- a/Makefile.def
++++ b/Makefile.def
+@@ -44,14 +44,14 @@ install_core: compress
+ mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)
+ cp compress $(DESTDIR)$(BINDIR)/compress
+ rm -f $(DESTDIR)$(BINDIR)/uncompress
+- ln $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/uncompress
++ ln compress $(DESTDIR)$(BINDIR)/uncompress
+ cp compress.1 uncompress.1 $(DESTDIR)$(MANDIR)/.
+ chmod 0644 $(DESTDIR)$(MANDIR)/compress.1 $(DESTDIR)$(MANDIR)/uncompress.1
+
+ install_extra: install_core
+ mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)
+ rm -f $(DESTDIR)$(BINDIR)/zcat
+- ln -f $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcat
++ ln -f compress $(DESTDIR)$(BINDIR)/zcat
+ cp zcmp zdiff zmore $(DESTDIR)$(BINDIR)/.
+ chmod 0755 $(DESTDIR)$(BINDIR)/compress $(DESTDIR)$(BINDIR)/zcmp $(DESTDIR)$(BINDIR)/zdiff $(DESTDIR)$(BINDIR)/zmore
+ cp zcmp.1 zmore.1 $(DESTDIR)$(MANDIR)/.
+--
+2.25.1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md
new file mode 100644
index 0000000000..e8c9c61244
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/app-arch/ncompress/README.md
@@ -0,0 +1,3 @@
+Drop `0001-Fix-link-creation.patch` when we have ncompress 5.0-r1 or greater.
+
+See https://github.com/gentoo/gentoo/pull/29131.