When catalyst tries to fetch a file via https, wget sometimes fails
to do so, with the following messages:
```
https://www.kernel.org/pub/software/scm/git/git-2.24.1.tar.xz: HTTPS
support not compiled in.
!!! Couldn't download 'git-2.24.1.tar.xz'. Aborting.
```
That probably happens because wget in some catalyst stages are compiled
without `ssl` USE flag. If a catalyst stage is lucky enough to rebuild
wget with `ssl` before actually fetching a file, it would work well.
Though if not, it would fail. It is not deterministic, and hard to
reproduce.
So backport the fix from upstream Gentoo,
https://github.com/gentoo/gentoo/commit/d141380b915d , for both amd64
and arm64. By setting `ssl` for wget in `package.use.force`, it is now
not possible to disable `ssl` for wget.
More details: https://bugs.gentoo.org/611072
Drop pkg_pretend since it breaks build_image if cross-compilers are
not installed yet (e.g. in Jenkins jobs).
Drop the libidn2 runtime dependency since it breaks bootstrapping,
and it's dlopen()ed so the resolver can work without it.
Drop the host /dev/pts checks since the SDK doesn't control it.
Apply our gshadow segfault patch, and adapt into glibc 2.30.
Install nscd.conf in /usr and set up tmpfiles to link it in /etc.
Wipe out /etc files (except for an environment file that is still
needed in the SDK).
Originally comes from eb07324f4de3 ("sys-libs/glibc: Apply CoreOS
changes").
When 788f328dc752a75da08d4c6fc27d094ecb4807d5 introduced pulling from
docker by default, "--insecure-options=image" was added for all
docker registries. However, when the user also needs to set "http" as
in "--insecure-options=image,http" it will not be used because the
other argument is added as last disregarding the option was already
set by the user.
Check if the option was set by the user and only add it if it is not
provided. If the user forgets to add "image" then rkt will simply
fail and tell that this option is needed; thus no complex logic of
appending and detecting only "image" is needed. Do the same for the
"--trust-keys-from-https" option to be consistent in allowing to
overwrite it with "--trust-keys-from-https=false".
- Mask sig 0x000406e3, pf_mask 0xc0, revision=0xd6 [Link 1]
- Mask sig 0x000406e3, pf_mask 0xc0, revision=0xda [Bug 722768]
This will basically downgrade microcode for 0x000406e3 back to rev 0x00d6 from 2019-10-03.
Link1: c1d8ba62ab
Signed-off-by: Sayan Chowdhury <sayan@kinvolk.io>
There is no portage-stable/licenses/Apache-2 file because the
correct name for the license is Apache-2.0, and the missing
license file causes the build to fail.
Now that bind-tools are built with gssapi only for AMD, without gssapi
for ARM, we need to get the USE flag requirement relaxed. Profile for
each architecture will instead choose whether to use gssapi.
bind-tools has been disabled since a long time, probably because of
build errors around cross-compilation for ARM. However, bind-tools
binaries should be at least included in ARM images. So enable bind-tools
again for ARM without gssapi included.
To do that, disable gssapi for bind-tools only in the ARM profile, and
enable gssapi only in the AMD profile.
Since Docker >= 19.03.9 started to depend on github.com/pkg/errors
v0.9.1 or newer, it is now necessary to set `go1.13` in
`DOCKER_BUILDTAGS`. Otherwise, it cannot find `Is` function.
See also https://github.com/pkg/errors/blob/v0.9.1/go113.go#L16 .
They were needed when Jenkins did not have qemu-static to run compiled
binaries of the target architecture.
Remove the patches as Jenkins is ready now and qemu-static is there to
stay because we need it for SELinux and other things.
The unzip update in the portage-stable branch going along with this PR
suddenly fails to compile because ccache permissions are wrong in one
subfolder.
Disable ccache because it only gives a low hit rate anyway and once a
package is compiled, emerge will reuse the binary package. (A possible
compilation performance regression would be if a kernel patch is tested
and the kernel package needs to be build over and over again without being
able to keep the object files - not sure if this or something similar is
often the case.)
