Since sqlite 3.32.0, the Gentoo ebuild does not deal with the non-full archive,
but fetches only the full archive. On top of that, the upstream sqlite's
full archive requires `tclsh` to be installed on the host system. Since
the Flatcar SDK does not include `dev-lang/tcl`, it is not possible to build
sqlite from the full archive. It means that we need to either make the
Flatcar SDK include `dev-lang/tcl` (which takes time) or bring back the
non-full archive mechanism just like ebuilds from sqlite 3.31.x.

So adapt the full-archive patches on top of the non-full archive.
Make the ebuild fetch the non-full archive.

GCE recommends images to ship Python in them. Instead of shipping the
binaries inside our vendor partition, install an alias that will
download the latest official container, for both python2 and python3.

We were setting `CONFIG_VGACON_SOFT_SCROLLBACK=y`, but this config
option was deleted with 20782abbbdfe922496a28f9cc0c3c0030f7dfb8f, due to
security issues.

Remove the config to let the kernel image build again.

This change updates to the latest oslogin version provided by Google.
Since our last update, this was split into a different repo and the
directory structure changed significantly.

It also added group support, which needed to be added to the
nsswitch.conf file that we ship.

Flatcar users require docker group permissions, so ensure oslogin gives
that permission by shipping a separate group.conf file that gets
installed when oslogin is enabled.

The qemu update caused several errors:

* We currently don't have Python 3.8 available in the SDK, so adding it in
  the PYTHON_COMPAT field causes a build failure.
* The manifest needed to be updated
* A patch file was missing

This commit fixes these errors and makes the package build.

Since rsync 3.2.0, the ebuild sets `--enable-simd` option in case of
amd64. However, the cross toolchain in Flatcar SDK is not able to deal
with the SIMD feature, so configure in rsync fails like:
```
gcc version 8.3.0 (Gentoo Hardened 8.3.0-r1 p1.1)
configure.sh:3774: $? = 0
configure.sh:3763: x86_64-cros-linux-gnu-g++ -V >&5
x86_64-cros-linux-gnu-g++: error: unrecognized command line option '-V'
x86_64-cros-linux-gnu-g++: fatal error: no input files
compilation terminated.
```

Until we can resolve the toolchain issue, we should disable
`cpu_flags_x86_sse2`, to disable simd for rsync.

Update net-libs/libpcap to 1.9.1, to address security issue
CVE-2019-15163, an issue of allowing attackers to cause a denial of
service (NULL pointer dereference and daemon crash) if a crypt() call
fails.

Update rsync to 3.2.3, actually to update zlib bundled in rsync.
It is to address security issue CVE-2016-9841, an issue of allowing
context-dependent attackers to have unspecified impact by leveraging
improper pointer arithmetic.

Update app-misc/jq to 1.6-r3, to address security issue CVE-2015-8863.
It is mainly to fix an off-by-one error in the tokenadd function. It allows
remote attackers to cause a denial of service (crash) via a long
JSON-encoded number, which triggers a heap-based buffer overflow.

Improve body text of each PR for `virtual/rust`, by mentioning that
it should be merged together with its paired PR in coreos-overlay.

Explicitly name `virtual/rust` instead of `Cargo`, because there is
no more ebuild for `cargo`.

Rename the dispatched event-type name to `rust-pull-request-main`, as
`cargo` has already disappeared.

Make the repository-dispatch action receive additional client-payload with
a field `coreos-overlay-pull-request-number` sent by the corresponding PR
in coreos-overlay. The PR number is then used for adding a link in the body
text, for pointing back to the PR in coreos-overlay.

Improve body text of each PR for `dev-lang/rust`, by mentioning that
it should be merged together with its paired PR in portage-stable.

Explicitly name `dev-lang/rust` instead of `Rust`, because now there are
`dev-lang/rust` as well as `virtual/rust`.

Rename the dispatched event-type name to `rust-pull-request-main`, as
`cargo` has already disappeared.

Make the repository-dispatch action send additional client-payload with
a field `coreos-overlay-pull-request-number`, which will be later used
by the corresponding PR in portage-stable for adding a link back to the
PR in coreos-overlay.

This will not be enabled by default, and still requires the "lockdown"
kernel parameter. Users can test by setting in
`/usr/share/oem/grub.cfg`:
```
set linux_append="lockdown=integrity"
```
After this is set, in the dmesg output you'll see:
```
[ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
```

Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
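
A way to confirm that the `lockdown=` setting from the last commit message above took effect, as an added example that is not part of the original commit or of Flatcar's own code: it compares the value on the kernel command line with the active mode the kernel reports in `/sys/kernel/security/lockdown`. The function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the commit): check that the lockdown mode requested
# on the kernel command line is the one the running kernel reports as active.

# The kernel marks the active mode with brackets in securityfs, e.g.
# "none [integrity] confidentiality". Print the bracketed word.
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print the lockdown= value as written on a command line (empty if absent).
# If the parameter is repeated, the last occurrence is printed.
requested_lockdown_mode() {
    mode=""
    for arg in $1; do
        case "$arg" in
            lockdown=*) mode="${arg#lockdown=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Return 0 only when a mode was requested and that same mode is active.
check_lockdown() {
    want=$(requested_lockdown_mode "$1")
    have=$(active_lockdown_mode "$2")
    if [ -z "$want" ]; then
        echo "lockdown not requested on command line (active: ${have:-unknown})"
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: requested=$want active=${have:-unknown}"
        return 2
    fi
    echo "OK: lockdown=$have"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE='root=LABEL=ROOT console=ttyS0 lockdown=integrity'
SAMPLE_SECURITYFS='none [integrity] confidentiality'
check_lockdown "$SAMPLE_CMDLINE" "$SAMPLE_SECURITYFS"

# On a live host, feed it the real sources instead:
#   check_lockdown "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/lockdown)"
```

A mismatch result means the parameter reached the command line but the kernel is not enforcing that mode, which is worth alerting on in fleet checks.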