SLSA provenance generation iterates over $A (which is a subset of $SRC_URI) and
for each of those tries to find a match in $SRC_URI. That's quadratic
complexity, and the performance impact is bad because we shell out to a helper
utility (basename) for every entry. This is leading to long stalls when
generating SLSA for packages with long distfile lists, like go and rust
packages. Iterate over SRC_URI once and create a dictionary to speed up
subsequent lookups. dev-db/etcdctl is a good candidate for testing.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
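A sketch of the single-pass lookup the message describes, written as an added Python example rather than the eclass's own shell code: SRC_URI is indexed once by distfile basename, and each entry of A is then resolved with a dictionary lookup instead of a rescan. The `URI -> name` rename syntax is Portage's; the sample entries are constructed, and USE-conditional groups (`foo? ( ... )`) are assumed absent.

```python
from posixpath import basename


def index_src_uri(src_uri):
    """One pass over SRC_URI: map each distfile name to the URI it comes from."""
    tokens = src_uri.split()
    index = {}
    i = 0
    while i < len(tokens):
        uri = tokens[i]
        # "URI -> name" renames the fetched file; otherwise the distfile
        # name is the URI's basename (what the old code shelled out for).
        if i + 2 < len(tokens) and tokens[i + 1] == "->":
            name = tokens[i + 2]
            i += 3
        else:
            name = basename(uri)
            i += 1
        index.setdefault(name, uri)
    return index


def resolve_distfiles(a_list, src_uri):
    """Map every distfile in A to its URI; linear in len(SRC_URI) + len(A)."""
    index = index_src_uri(src_uri)
    resolved = {}
    for distfile in a_list:
        uri = index.get(distfile)
        if uri is None:
            # A is documented as a subset of SRC_URI, so this is a real inconsistency
            raise KeyError(f"{distfile} is in A but has no SRC_URI entry")
        resolved[distfile] = uri
    return resolved


# Constructed sample (not from any real ebuild): two renamed entries of the
# kind Go/Rust ebuilds produce in bulk, plus one plain URI.
SAMPLE_SRC_URI = """
https://example.invalid/etcd-io/etcd/archive/v3.5.0.tar.gz -> etcd-3.5.0.tar.gz
https://example.invalid/goproxy/golang.org/x/sys/@v/v0.1.0.zip -> golang.org%2Fx%2Fsys%2F@v%2Fv0.1.0.zip
https://example.invalid/deps/dep-1.0.tar.gz
"""
SAMPLE_A = ["etcd-3.5.0.tar.gz", "dep-1.0.tar.gz"]

if __name__ == "__main__":
    for name, uri in resolve_distfiles(SAMPLE_A, SAMPLE_SRC_URI).items():
        print(f"{name} <- {uri}")
```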
- Update to slsa 1.0. This is only partially done, as we still need to
provide a proper build type. Maybe we could reuse the Github Actions
Workflow (https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1).
- Stop using portageq - its use in ebuilds is banned, so eventually it
would stop working. Replace it with our hack.
- Stop trying to get a commit hash of coreos-overlay or portage-stable
as if they were submodules. This setup is long gone, so a commit
hash of toplevel scripts repo is enough.
- Use zstd for compressing generated JSON files.
In the release profile of Cargo.toml, add `codegen-units = 1`,
`strip = true`, and remove `debug = true`, to reduce binary size of
afterburn included in production images.
Fix build issue that started to appear in afterburn 5.5.0. Every public
function for the amd64 part must have a corresponding empty function in
the unsupported part, so that cross-compile for arm64 can work.
0003-encode-information-for-systemd-networkd-wait-online.patch
can be dropped, as it was already merged to upstream in d2cc340038.
Since upstream does not enable `lto = true` any more in 464c7f9f0a,
it is not necessary to keep the LTO patch. Just drop it.
Adjust Flatcar patches 000[12]* for afterburn 5.5.0.
For 0001* to be compiled, it is necessary to add again the hostname
crate, which is not included in 5.5 any more by default.
Otherwise it gets restarted a few times, which displays this line in the
logs:
```
Nov 30 13:28:41.819250 enable-oslogin[1232]: /etc/pam.d/sshd already exists. Not enabling OS Login
```
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
The removal of files in the overlay present in the lowerdir creates
whiteout entries that mask the lowerdir entries. For those files that
have a tmpfile rule for creation, a reboot would cause the file to be
created in the upperdir, meaning this file is not updated from the
lowerdir when it changes. In addition, we have filtered out some tmpfile
rules that caused upcopies (symlinks and directories) which meant that
removing the /etc/resolv.conf symlink didn't bring it back after reboot.
To make files from the lowerdir show up if they have a tmpfile rule that
normally would recreate them we keep a list of whiteout entries that we
clean up on boot. This also prevents freezing files because
systemd-tmpfiles does not need to recreate them in the upperdir.