The MANIFEST files were obtained by
(a) verifying the signature on the 10.3-RELEASE announcement against
the GPG key in the FreeBSD documentation repository;
(b) downloading all of the bootonly.iso.xz ISOs;
(c) verifying those files against the hashes listed in the signed release
announcement; and
(d) extracting the MANIFEST files.
/usr/local/share/poudriere/MANIFESTS, where poudriere (as of version
3.1.11) checks for pre-distributed MANIFEST files before fetching them
from the ftp/http/https server.
This allows poudriere to ensure that the bits it is downloading and
installing really match the bits provided by the release engineering
team, and have not been subtly trojanned in transit. (Note that this
does not apply if poudriere is creating a jail from -STABLE or -CURRENT
since we cannot pre-distribute those MANIFESTs.)
The MANIFEST files were obtained by
(a) finding the GPG-signed announcements for 9.0 and later releases;
(b) verifying those signatures against the GPG keys in the FreeBSD
documentation repository;
(c) downloading all of the relevant bootonly ISOs;
(d) verifying the ISOs against the hashes listed in the signed release
announcements; and
(e) extracting the MANIFEST files from those ISOs.
Reviewed by: bdrewery
Security: If someone could trick you into building packages in a
world which they tampered with, they could do all sorts
of nasty things to those packages...
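The check described above, comparing fetched distribution sets against a pre-distributed MANIFEST, sketched as an added example (not poudriere's own code). The tab-separated MANIFEST layout with the file name in field 1 and its SHA-256 in field 2, the function names and the stand-in base.txz are assumptions.

```sh
# Verify fetched distribution sets against a trusted, pre-distributed MANIFEST.
# Assumed MANIFEST layout (tab-separated): <file> <sha256> <count> <name> ...

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1    # GNU coreutils, newer FreeBSD
    else
        sha256 -q "$1"                      # FreeBSD base
    fi
}

# verify_dists MANIFEST DISTDIR SET...
# Returns 0 only if every requested set is listed in MANIFEST and the file in
# DISTDIR hashes to the listed value. Anything else fails closed.
verify_dists() {
    manifest=$1 distdir=$2
    shift 2
    [ -r "$manifest" ] || { echo "no trusted MANIFEST: $manifest" >&2; return 1; }
    for dist in "$@"; do
        want=$(awk -F '\t' -v f="$dist" '$1 == f { print $2; exit }' "$manifest")
        if [ -z "$want" ]; then
            echo "$dist: not listed in MANIFEST" >&2; return 1
        fi
        if [ ! -f "$distdir/$dist" ]; then
            echo "$dist: missing from $distdir" >&2; return 1
        fi
        got=$(sha256_of "$distdir/$dist")
        if [ "$got" != "$want" ]; then
            echo "$dist: SHA-256 mismatch" >&2; return 1
        fi
    done
    return 0
}

# Constructed demo: a one-entry MANIFEST for a stand-in base.txz.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/manifest.XXXXXX")
    printf 'constructed stand-in for a dist set\n' > "$d/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system"\ton\n' \
        "$(sha256_of "$d/base.txz")" > "$d/MANIFEST"
    verify_dists "$d/MANIFEST" "$d" base.txz && echo "base.txz verified"
    echo tampered >> "$d/base.txz"
    verify_dists "$d/MANIFEST" "$d" base.txz 2>/dev/null || echo "tampering detected"
    rm -rf "$d"
}
demo
```

The MANIFEST is only as trustworthy as its source: it has to come from the verified release media, not from the same server as the sets it vouches for.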
Changes: https://github.com/freebsd/poudriere/wiki/release_notes_317
- Restore /usr/sbin and /sbin to PATH lost in 3.1.5
- HTML: Fix broken log link from 3.1.5
- Avoid copying /var/db/freebsd-update into build jails
- QEMU: Fix handling of elftoolchain install for older src checkouts.
When using GH_TAGNAME the DISTNAME would have GH_PROJECT and GH_ACCOUNT in
it. When not using GH_TAGNAME it would not have this. Now both cases
will add in the GH_PROJECT and GH_ACCOUNT.
Add special care to ensure that the DISTVERSION is not added in twice. If
a port does GH_TAGNAME=v${PORTVERSION} it will be added in twice though. For
that case DISTVERSIONPREFIX=v should be set and no GH_TAGNAME should be used.
empty() is used rather than (!defined || !${}) to support fmake.
The purpose of setting DISTNAME at all in these cases is to make it more clear
that the distfile is from *GITHUB* and to avoid collisions if a project were
to be renamed or moved. Without adding in GH_PROJECT and GH_ACCOUNT then there
are real risks that collisions on filenames would happen on renamed or moved
projects, which is fairly common. A GITHUB-generated file may not match
a custom-rolled or git-archive-rolled distfile.
PR: 199069
With hat: portmgr
Testing done: All USE_GITHUB ports without GH_COMMIT were checksum/fetch/extract/WRKSRC tested.
conflict with the old scheme and cause a "reroll" or "invalid checksums". This
also avoids clobbering the FreeBSD distcache.
Use a revision in the DISTNAME for USE_GITHUB in case we need to bump this
again for anything. It's more a hint of how to handle it in the future.
Reported by: mat
Discussed with: mat, antoine, swills
With hat: portmgr
Using this new scheme allows only setting the _tag_ or _commit hash_ in
GH_TAGNAME and not having to know the hash for a tag. This scheme will
download a tarball that has a different checksum than before due to a changed
directory name for extraction.
The following MASTER_SITES are provided to retain the old checksum and
directory structure (that require GH_COMMIT):
GH -> GHL
GITHUB -> GITHUB_LEGACY
Differential Revision: https://reviews.freebsd.org/D748
Submitted by: amdmi3
Reviewed by: mat, swills, antoine, bdrewery
With hat: portmgr
19 months have passed since the release of 3.0.0 and there have been 1259
commits from over 24 contributors. Though many of the bugfixes did make it into
the 3.0 branch, not all of them did.
3.1 brings many speedups, new features and commands, a new web interface, and
build hooks. The new web interface works at a top-level, jail-level and the
build-level still by using a static site with AJAX.
There is a queue system that is not quite ready yet but should make it into
3.2.
The release notes documenting the major changes are at
https://github.com/freebsd/poudriere/wiki/release_notes_31
Thank you to everyone involved.
Support can be found in #poudriere on Freenode.
Changes:
* Add a check for 3.1 repository and reject the build. 3.0 does not know
how to handle 3.1's repository format. Downgrading is not supported
at this point.
* Allow securelevel>=1 with USE_TMPFS=all
* Add a warning that DEVELOPER=yes is ignored in lieu of bulk -t/testport
Changes:
* Workaround regression with pkg-1.3 causing all packages to have new options.
* distclean: Fix some false-positives
* Fix dead link in poudriere.conf
- Move to using pkg-plist
Changes:
This will likely be the last 3.0.x release. 3.1 is almost complete.
* Leftovers checking has moved to Ports Mk/Scripts/check_leftovers.sh,
which allows more consistency and easier maintenance without requiring
a Poudriere release to make changes.
* Staging Orphans has moved to Ports 'make check-plist' for the same
reasons. See r351587 for more information on the new behavior.
The new leftover/orphan code has new %%PLIST%% sub behavior and also
fixes many false-positive orphans, leftovers, and @dirrm showing.
* Fix many races in port cleanup/skip handling.
* Fix crashed builder detection.
* Hide pkg_install EOL warnings and disable WARNING/ERROR waits when
testing
* Disable DEVELOPER from make.conf; Poudriere will automatically
set it when appropriate. This prevents testing of port dependencies
that were not requested to be tested.
* distclean: Prevent removing all files by accident.
* Having PKG_REPO_SIGNING_KEY set but the file missing is now fatal.
* kern.securelevel >=1 is now fatal.
* Fix 'kill: No such process' warnings with older /bin/sh (8.x)
* Fix crash on 8.3 due to bug with $(()) handling of _vars (fixed in
base r234001)
* Fix case of packages always rebuilding with "changed options" when
the port has an OPTION defined multiple times (such as fixed in
ports r352512)
* Fix 'Terminated' warning showing at shutdown with older /bin/sh (fixed
by r218105 but never made it to stable/8)
Changes:
- Fix IPv6-only usage
- Ensure /sbin and /usr/sbin are in PATH when running
- Remove trailing slashes from listed_ports.
- Fix child process cleanup logic to only sleep if child
still running.
- Always dismount filesystems and try cleaning up when exiting and in jail -k
- For stage_orphans, ignore modified files (such as nobody vs root)
- testport -I: Mark cleanup done, not as recursively failing
- testport -i: Use a local.conf instead of PACKAGESITE
- testport -I: Suggest same login method which is more sane/clean than exec /bin/sh
- options: Require dialog4ports as it runs from host and
jail may be for a different ARCH
- Ignore parents of home directories too during leftovers check
- Ignore /var/db/dbus/machine-id leftover
- Restrict ZFS on 9.0/9.1 due to known deadlock
- bulk: Parse MOVED for given port build list
- Add support for svnlite and overriding SVN_CMD
- Show warning when jail is newer than host
- Show host/jail OSVERSION in build logs
Changes:
* Fix dependencies when existing packages have their origins moved
via MOVED by now loading and parsing MOVED for existing packages
only.
* Force umount some directories to avoid desktop utils traversing them
causing them to remain mounted.
* Fix stage orphan false-positives with KDE4_PREFIX
* Fix a race condition in bulk which could lead to 'unknown stuck queue bug'
* Fix usage of cpdup(1) -X [no functional change]
* Speed up bulk startup by not rolling back fresh builder jails
* Various parallel execution fixes
* Parallel execution errors now wait up to 30 seconds for children to
finish before ending the build.
* Ignore home directory of users created by ports during leftover check
Changes:
* Fix leftover detection on HEAD due to new nmtree
* Fix jail rollback on HEAD due to new nmtree which manifested
as missing dependencies in /new_packages
* Don't exclude anything when looking for stage orphans, which
fixes finding /var/run/PORTNAME as an orphan
Changes:
* poudriere.8: Document that -j is required for bulk
* bulk/testport: Delete packages that have changed PKGNAME during startup,
which will avoid pkg-repo duplicate package warnings/bugs. This will not
clean up existing duplicates, just fix new ones going forward.
Changes:
* Fix random crashes with parallel process handling
* jail -cu: Disable CCACHE on 10
* testport/bulk -t: Fix staging absolute link checking with files
that have spaces
* testport: Fix so that MAKE_JOBS runs by default
* bulk -t: Fix so that MAKE_JOBS does not run by default
* testport: Fix so that the port being tested shows in the web ui.
Note that this is still in data/logs/bulk/
* jail: Make -m http work
* jail -c: Fix -m ftp-archive for 9.0