Once we've built the packages, verify against the Gentoo Linux Security
Advisories to ensure that we're not shipping anything with known
vulnerabilities.
To make branches easier to use this splits the branch manifest into two:
build-????.xml is now only pins revisions of projects that do not have a
corresponding branch (yet) while release.xml pins all revisions. Unlike
before the script can now be used to tag branched releases.
The step to switch any particular project to a branch is still manual
but that will be a simple future expansion. First this will be migrated
to Go though, this script has hit the limit of sophistication that
should be attempted with mixing XML and bash. ;-)
We need to ship some PCR measurements alongside images in order to make it
easier for admins to provide an appropriate policy. Add some tooling to
generate the appropriate hashes during build, pack those into a zip file
and upload it.
We have never actually deleted anything from our mirror since gsutil cp
didn't really have a way to do that and the for some unknown reason
emirrordist never tried to delete anything anyway. Additionally we
actually don't want to delete anything from our mirror to ensure that
the source remains available for old releases.
The build bucket should now be writable anyone performing releases,
allowing us to ensure that the original build and public buckets are
exactly in sync.
profile is already set up to source /usr/share/baselayout/profile.env
but it never has because I forgot to add this line during the migration
to amd64-usr images. Sure took us a while to notice that one... :(
This resolves two issues:
- Large dependencies are *never* built during image_to_vm,
build_packages must now handle that.
- Since build_packages can't resonably do the oem-* packages (they all
conflict with eachother) we do want to build them from the ebuild.
This is now enforced so a old binpkg is never used. This resolves
confusing issues people have always had while when editing oem
ebuilds but getting a stale build instead.
Allows build_image to be used without first running build_packages.
Note: setup_board --force is required before build_packages will work
properly after doing this since baselayout won't be installed otherwise.
- May be sourced early, so explicitly die if source fails.
- Add a function for getting the latest version of a package.
- Read PROVIDES metadata using portageq, enabling data to be read from
binary packages in addition to installed packages. The performance
issue is not an issue here and needed to support empty build roots.
