From 8bae3b5667fb91b9da9021c1003db93a9532b6ff Mon Sep 17 00:00:00 2001 
From: Paul Drews
Date: Wed, 10 Oct 2012 11:18:13 -0700
Subject: [PATCH] Break the circular dependencies with curl, openssl, git

Building the chroot environment from sources using "--bootstrap"
currently runs into a circular dependency:

    curl->openssl->git->curl

The openssl->git dependency comes indirectly from the fact that the
current version of openssl uses the "cros-workon" ebuild package to
assist in applying packages. The ebuild system automatically and
silently resolves this circular dependency by reverting the openssl
library to an earlier version that does not use cros-workon based
patching.

Unfortunately this older version of openssl has a bug that causes it
not to work when doing builds in a firewalled environment:

When curl (using this older version of openssl library) attempts to
fetch an "https" url, it authenticates the target server against a
bundle of certificate-authority certificates it maintains. Finding the
certificate fails (although the validation succeeds if curl is told
explicitly what certificate to use). With the certificate not-found,
server authentication fails, the curl download fails, and the build
ultimately fails.

This patch breaks the circular dependency, allowing a more-current
version of openssl to be used in curl, making the above build scenario
work in a firewalled environment.

The circularity is broken by first building git without curl support
(and webdav that depends on curl). Then early toolchain components up
through and including curl are built. This build of curl then uses a
more up-to-date version of openssl with the desired bug-fix. Once curl
is built, then git is re-built and re-installed with the now-installed
version of curl (re-)enabled.

BUG=None TEST=create chroot with --bootstrap ; build_packages (behind firewall) Change-Id: Iaa560fdb6623fcb73cde066a3b2bc2a342169c62 Reviewed-on: https://gerrit.chromium.org/gerrit/34292 Reviewed-by: Mike Frysinger Commit-Ready: paul drews Tested-by: paul drews --- sdk_lib/make_chroot.sh | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/sdk_lib/make_chroot.sh b/sdk_lib/make_chroot.sh index ae33fbf8d3..44933092ca 100755 --- a/sdk_lib/make_chroot.sh +++ b/sdk_lib/make_chroot.sh @@ -423,6 +423,16 @@ sudo sh -c "echo STAGE3=$STAGE3 > $CHROOT_STATE" info "Updating portage" early_enter_chroot emerge -uNv --quiet portage +# Packages that inherit cros-workon commonly get a circular dependency +# curl->openssl->git->curl that is broken by emerging an early version of git +# without curl (and webdav that depends on it). +need_git_rebuild=${FLAGS_FALSE} +if [[ ! -e "${FLAGS_chroot}/usr/bin/git" ]]; then + need_git_rebuild=${FLAGS_TRUE} + info "Updating early git" + USE="-curl -webdav" early_enter_chroot emerge -uNv $USEPKG dev-vcs/git +fi + info "Updating host toolchain" early_enter_chroot emerge -uNv --quiet crossdev TOOLCHAIN_ARGS=( --deleteold ) @@ -440,7 +450,13 @@ early_enter_chroot $EMERGE_CMD --deselect dhcpcd info "Running emerge curl sudo ..." early_enter_chroot $EMERGE_CMD -uNv $USEPKG --select $EMERGE_JOBS \ - pbzip2 net-misc/curl sudo + pbzip2 dev-libs/openssl net-misc/curl sudo + +if [[ ${need_git_rebuild} -eq ${FLAGS_TRUE} ]]; then + # (Re-)emerge the full version of git, without preventing curl. + info "Updating full verison of git" + early_enter_chroot emerge -uNv $USEPKG dev-vcs/git +fi if [ -n "${INITIALIZE_CHROOT}" ]; then # If we're creating a new chroot, we also want to set it to the latest
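Review bot: In the first hunk (@@ -423,6 +423,16 @@), need_git_rebuild is derived only from whether "${FLAGS_chroot}/usr/bin/git" exists, so the test cannot tell a full git from the curl-less early one. If the script stops after "Updating early git" but before the rebuild in the later hunk, a re-run against the same chroot finds the binary, leaves need_git_rebuild at ${FLAGS_FALSE}, and the explicit rebuild is skipped. Consider recording the pending rebuild in a state file (the script already writes $CHROOT_STATE just above) or probing the installed git for curl support instead of testing for the file. The USE="-curl -webdav" prefix also relies on early_enter_chroot passing its environment into the chroot, which is not visible in this hunk; a short comment confirming that would help.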
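Review bot: In the second hunk (@@ -440,7 +450,13 @@), the git rebuild calls plain emerge -uNv $USEPKG, while the curl step directly above it goes through $EMERGE_CMD with --select and $EMERGE_JOBS; use the same wrapper and job settings here, or state in the comment why the rebuild differs. The info string has a typo ("verison" should be "version"), and the comment "without preventing curl" would read more clearly as "with curl and webdav enabled". dev-libs/openssl is now listed explicitly ahead of net-misc/curl, but nothing in the script says why; a one-line comment tying it to the certificate lookup failure from the commit message would keep a later cleanup from dropping it.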