Commit Graph

34 Commits

Author SHA1 Message Date
Dongsu Park
ec19fd5aa2 build_library: add entries to the GLSA allow list
Now that GLSA metadata was updated as of 2021-09-03, we need to
add the following entries to the GLSA allow list, to avoid build
failures caused by `glsa-check -t all`.

202006-03: perl 5.26.2, only SDK, allowlist
202008-01: python 2.7.15 & 3.6.5, only SDK, allowlist
202101-18: python 2.7.15 & 3.6.5, only SDK, allowlist
202104-04: python 2.7.15 & 3.6.5, only SDK, allowlist
202105-22: samba 4.12.9, not affected, samba has no ldap flag, no smbd.
202105-34: bash 4.3, non-trivial to update
202107-31: polkit 0.113, in-progress
202107-48: systemd 247.9, backported the fixes to v247.9.
2021-09-06 16:03:13 +02:00
Dongsu Park
dfe49e7bcf build_library: remove unnecessary entries from GLSA allow list
201904-13: git 2.26.3, so not affected
201909-08: dbus 1.12.20, so not affected
201911-01: openssh 8.6, so not affected
202003-12: sudo 1.9.5, so not affected
202003-20: systemd 246+, so not affected
202003-24: file 5.39, so not affected
202003-30: git 2.26.3, so not affected
202003-31: gdb 9.2, so not affected
202003-52: samba 4.12.9, so not affected
202004-10: openssl 1.1.1l, so not affected
202004-13: git 2.26.3, so not affected
202005-02: qemu 5.2, so not affected
2021-09-03 17:43:49 +02:00
Benjamin Gilbert
1c0da3c910 test_image_content: whitelist OpenSSL GLSA
We updated to 1.0.2u instead of 1.1.1g.
2020-05-22 15:30:54 +02:00
Benjamin Gilbert
42a45ac727 test_image_content: whitelist some GLSAs
Git was fixed by updating to 2.23.3, not 2.26.2.  Python and QEMU are
only in the SDK.
2020-05-22 15:30:48 +02:00
Benjamin Gilbert
df718abc57 test_image_content: whitelist some GLSAs
systemd and sudo are already fixed.  Git was fixed by updating to 2.23.2,
not 2.24.1.  Samba is 2 years old and customized, thus difficult to update.
file, Python, and gdb are only in the SDK.
2020-05-22 15:30:30 +02:00
Flatcar Buildbot
c7bbb2b1e2 2345.0.0 2019-12-04 14:59:11 +01:00
Benjamin Gilbert
bd79eaf9d1 test_image_content: whitelist Perl and dbus GLSAs
Backported the dbus GLSA.  Ignoring the Perl one.
2019-09-10 21:47:55 -04:00
Benjamin Gilbert
97e61a164b test_image_content: whitelist polkit GLSA
Both CVE fixes were backported.
2019-08-24 01:28:29 -04:00
David Michael
3254c63690 build_library: Drop whitelisted systemd GLSA
This no longer matches since upgrading to 241.
2019-03-12 16:29:48 +00:00
David Michael
45c9ef7867 build_library: Drop whitelisted Go GLSAs
Since Go is no longer cross-compiled, it won't hit the boards' GLSA
tests anymore.
2018-12-21 16:27:55 +00:00
David Michael
103c7425fe build_library: Whitelist the systemd GLSA until we have 239 2018-11-01 14:45:21 +00:00
David Michael
a9f4311f86 build_library: Whitelist the new Go 1.10 GLSA
This is the same story as the others: our images will fail the GLSA
checks as long as we build old Go versions.  However, this one will
fail for any version less than 1.10.1 now.
2018-04-16 13:21:21 -04:00
David Michael
3383790d28 build_library: Whitelist the new Go 1.9 GLSA
This is the same case as the previous one.  Our Go 1.8 package has
the fix, but none of the older unsupported versions do.  Since we
have multiple installed versions and this says anything less than
Go 1.9 is vulnerable, we have to whitelist it until all older
versions of Go are removed from the OS.
2018-03-07 18:54:15 -05:00
David Michael
73dc0c971c build_library: Drop the binutils GLSA from the whitelist 2018-01-04 17:41:13 -05:00
David Michael
e0f6100de8 build_library: Whitelist the Go 1.9 GLSA
We handle Go differently than Gentoo, so our 1.8.4 package includes
the same security fixes.  When all packages are built with Go 1.9,
the older Go packages shouldn't be installed anymore, so this line
can be dropped.
2017-10-23 14:35:52 -07:00
David Michael
059a21701b build_library: Whitelist the binutils GLSA 2017-10-19 08:42:57 -07:00
Euan Kemp
2596099207 check_root: add check for broken symlinks 2017-02-17 15:51:31 -08:00
Michael Marineau
c535cd3bbb glsa-check: simplify and respect current root being tested 2016-05-19 10:22:31 -07:00
Matthew Garrett
922554303b check_root: Verify that we don't have any applicable GLSA
Once we've built the packages, verify against the Gentoo Linux Security
Advisories to ensure that we're not shipping anything with known
vulnerabilities.
2016-05-17 16:39:40 -07:00
Michael Marineau
9c529bb6fc check_root: add test for missing interpreters 2016-03-16 11:43:20 -07:00
Michael Marineau
cf26510ea7 check_root: update ignore list for arm64, make error non-fatal 2015-07-29 19:22:55 -07:00
Michael Marineau
5985b1e3d6 build_library: replace package checking script
The new python script check_root uses data that portage already
maintains on what shared libraries packages need or provide instead of
re-scanning whatever ELF files that can be found. This is much more
comprehensive but there is a bit of a transition issue for folks with
long-lived SDKs: packages built with portage older than 2.2.18 do not
include this data. As such for now the check is non-fatal and provides a
command you can use to refresh locally installed packages.

The code checking for conflicts between top level directories and /usr
has also been rewritten. Both tests now are considerably faster.
2015-07-12 15:50:58 -07:00
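An added example, not the check_root script from this repository, showing the kind of check the commit above describes: instead of rescanning ELF files, it reads the per-package shared-library data portage keeps in `/var/db/pkg/<cat>/<pkg>/NEEDED.ELF.2`, collects which sonames each package provides and needs, and reports needed sonames no installed package provides. It assumes the NEEDED.ELF.2 field layout `arch;object;soname;rpath;needed[;multilib]` with comma-separated `needed` entries; the sample records, the `ignore` set, and the `refresh_command` helper (which just builds an `emerge --oneshot` line to rebuild packages that carry no data) are illustrative assumptions, not the repository's own logic.

```python
"""check_root-style shared-library audit over portage NEEDED.ELF.2 data (added example)."""
import os
from collections import defaultdict

# Constructed sample of NEEDED.ELF.2 contents keyed by "<cat>/<pkg>-<ver>" (not real Flatcar data).
# One package was "built" before the data existed, one links against a library nothing provides.
SAMPLE_VDB = {
    "sys-libs/glibc-2.33": "X86_64;/usr/lib64/libc.so.6;libc.so.6;;;x86_64\n",
    "sys-libs/zlib-1.2.11": "X86_64;/usr/lib64/libz.so.1.2.11;libz.so.1;;libc.so.6;x86_64\n",
    "app-arch/gzip-1.10": "X86_64;/usr/bin/gzip;;;libz.so.1,libc.so.6;x86_64\n",
    "dev-libs/example-1.0": (
        "X86_64;/usr/bin/example;;/usr/lib64/example;libfoo.so.3,libc.so.6;x86_64\n"
        "X86_64;/usr/lib64/example/libfoo.so.3;libfoo.so.3;;libc.so.6;x86_64\n"
    ),
    "app-misc/broken-0.9": "X86_64;/usr/bin/broken;;;libssl.so.1.0.0,libc.so.6;x86_64\n",
    "old-pkg/nodata-0.1": "",  # assumed: installed with a portage too old to record NEEDED.ELF.2
}


def parse_needed_elf2(text):
    """Yield (arch, object path, soname, needed sonames) for each NEEDED.ELF.2 line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 5:
            raise ValueError(f"malformed NEEDED.ELF.2 line: {line!r}")
        arch, obj, soname, _rpath, needed = fields[:5]  # optional 6th field: multilib category
        yield arch, obj, soname, tuple(n for n in needed.split(",") if n)


def load_vdb(root):
    """Read NEEDED.ELF.2 for every package under <root>/var/db/pkg (empty string if absent)."""
    vdb = {}
    base = os.path.join(root, "var", "db", "pkg")
    for cat in sorted(os.listdir(base)) if os.path.isdir(base) else []:
        cat_dir = os.path.join(base, cat)
        for pkg in sorted(os.listdir(cat_dir)):
            path = os.path.join(cat_dir, pkg, "NEEDED.ELF.2")
            vdb[f"{cat}/{pkg}"] = open(path).read() if os.path.exists(path) else ""
    return vdb


def audit_root(vdb, ignore=frozenset()):
    """Return (missing, nodata).

    missing: {soname: [(pkg, object path), ...]} for needed sonames no package provides
             on the same architecture and not in `ignore` (cf. the per-arch ignore list).
    nodata:  packages with no NEEDED.ELF.2 records, which the check cannot vouch for.
    """
    provided = defaultdict(set)  # (arch, soname) -> {pkg}
    needs = []                   # (pkg, arch, obj, soname)
    nodata = []
    for pkg, text in vdb.items():
        records = list(parse_needed_elf2(text))
        if not records:
            nodata.append(pkg)
            continue
        for arch, obj, soname, needed in records:
            if soname:
                provided[(arch, soname)].add(pkg)
            needs.extend((pkg, arch, obj, n) for n in needed)
    missing = defaultdict(list)
    for pkg, arch, obj, soname in needs:
        if soname in ignore or (arch, soname) in provided:
            continue
        missing[soname].append((pkg, obj))
    return dict(missing), sorted(nodata)


def refresh_command(nodata):
    """Illustrative rebuild line for packages lacking data (assumed, not the repo's command)."""
    return "emerge --oneshot " + " ".join(f"={pkg}" for pkg in nodata) if nodata else ""


if __name__ == "__main__":
    missing, nodata = audit_root(SAMPLE_VDB)
    for soname, users in sorted(missing.items()):
        for pkg, obj in users:
            print(f"MISSING {soname}: needed by {obj} ({pkg})")
    if nodata:
        print("no NEEDED.ELF.2 data, rerun after:", refresh_command(nodata))
```

On a real build root, replace `SAMPLE_VDB` with `load_vdb("/build/<board>")`; the `nodata` list is what makes the check non-fatal in the transition case the commit mentions, since a package without records is unknown rather than broken.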
Michael Marineau
7f5b5baf22 maint(build_library): Remove special case code for -usr disk layouts
More cleanup now that amd64-generic is gone.
2014-04-26 14:45:28 -07:00
Michael Marineau
88820b12d3 fix(build_image): The kernel is now in /usr/boot in /usr images 2014-03-12 14:36:07 -07:00
Michael Marineau
b95f4eb0fc fix(test_image_content): Remove check for localtime symlink
We no longer provide this symlink, it was always broken anyway.
2014-01-21 16:40:01 -08:00
Michael Marineau
62ae4d60b1 fix(test_image_content): Improve /usr symlink and conflict tests.
Now uses the package database instead of filesystem so the check works
even if /bin and friends are symlinks to /usr. Also disable the
whitelist and check that the expected symlinks are correct if the
symlink-usr USE flag is enabled.
2013-12-09 19:32:54 -08:00
Michael Marineau
4e8bef60d7 fix(test_image_content): Clean out some stray tab chars 2013-11-27 14:55:04 -08:00
Michael Marineau
fd7976e7fd fix(test_image_content): Add test for /usr file conflicts. 2013-11-27 14:43:35 -08:00
Michael Marineau
7564371200 hack(build_image): Make check for /usr/share/locale a warning.
Switching the toolchain to upstream Gentoo brought this directory back
and based on the Chromium OS history keeping this directory out of the
builds is a bit tedious. Keeping image sizes down isn't *that* important
right now so just let it be.
2013-07-18 10:38:16 -07:00
Brandon Philips
a85c3f9167 fix(build_library/test_image_content.sh): Remove Xorg requirement
Remove Xorg and chrome, we don't ship those in coreos

Change-Id: Id3ffadda31c31e0d6afdc18738d2ed46fc41b537
2013-02-15 06:59:58 -08:00
Daniel Erat
b51593405b build: Test /etc/localtime symlink in built images.
This makes us fail if /etc/localtime doesn't point at
/var/lib/timezone/localtime.

BUG=chromium-os:27413
TEST=manual: error from build_image after i patched chromeos-base to not create the symlink

Change-Id: I11ef272c2dcd67a189a5d67c46792490ec6d27a1
Reviewed-on: https://gerrit.chromium.org/gerrit/19335
Tested-by: Daniel Erat <derat@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Daniel Erat <derat@chromium.org>
2012-03-30 13:01:26 -07:00
Darin Petkov
a973d2bdb4 Add checks for blacklisted directories to test_image_content.
Also, blacklist /usr/share/locale. Most recently this unused directory crept
back into the image after some "sudo" package changes/upgrades.

BUG=chromium-os:11820
TEST=build_image dev for x86-alex, tegra2, amd64-generic

Change-Id: I0a209a5030a3da3674d3a38faf2367032c6e3423
Reviewed-on: https://gerrit.chromium.org/gerrit/16352
Tested-by: Darin Petkov <petkov@chromium.org>
Reviewed-by: Chris Sosa <sosa@chromium.org>
Commit-Ready: Darin Petkov <petkov@chromium.org>
2012-02-23 02:18:20 -08:00
Stéphane Marchesin
27ef3ab406 Remove chromeos-wm from the files that we test for.
With Aura, we won't have a need for the WM any more.

TEST=built an image without chromeos-wm, verified that the build system didn't complain.

Change-Id: Id6e5006770f72ea45f440dbe56ff7f53262864c1
Reviewed-on: https://gerrit.chromium.org/gerrit/15212
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Daniel Erat <derat@chromium.org>
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
2012-02-03 10:17:08 -08:00
J. Richard Barnette
aaef76166f Convert build_library/test_image to a shell library.
Renamed the function from "test_image" to "test_image_content";
renamed the source file to match.

BUG=None
TEST=build both x86 and arm images

Change-Id: I158f2c5bc0f2fc260d48bd125a1899e6a21d7b79
Reviewed-on: http://gerrit.chromium.org/gerrit/5821
Reviewed-by: Vince Laviano <vlaviano@chromium.org>
Tested-by: Richard Barnette <jrbarnette@chromium.org>
2011-08-15 14:23:10 -07:00