[bug#43160,v3,1/2] gnu: linux-libre: Compare generated sources against Linux-libre releases.

Message ID 20200911144459.27220-1-maxim.cournoyer@gmail.com
State New

Commit Message

Maxim Cournoyer Sept. 11, 2020, 2:44 p.m. UTC
* gnu/packages/linux.scm (make-linux-libre-source): Rename the UPSTREAM-SOURCE
parameter to LINUX-UPSTREAM-SOURCE.  Add a new LINUX-LIBRE-UPSTREAM-SOURCE
parameter.  Update doc.  Adjust variable names.  Capitalize "Linux" in the
user messages.  Remove empty directories from the generated sources, then
invoke diff between these sources and those of the corresponding Linux-libre
release, unless LINUX-LIBRE-UPSTREAM-SOURCE is #f.
(%upstream-linux-source): Convert the hash as base32 inside the definition, to
simplify its use.
(%upstream-linux-libre-source): New procedure.
(linux-libre-5.8-pristine-source): Add a LIBRE-HASH binding and use it with
%UPSTREAM-LINUX-LIBRE-SOURCE to provide the Linux-libre release origin to the
make-linux-libre-source procedure call.
(linux-libre-5.4-pristine-source): Likewise.
(linux-libre-4.19-pristine-source): Likewise.
(linux-libre-4.14-pristine-source): Likewise.
(linux-libre-4.9-pristine-source): Likewise.
(linux-libre-4.4-pristine-source): Likewise.
---
 gnu/packages/linux.scm | 79 ++++++++++++++++++++++++++++++++----------
 1 file changed, 61 insertions(+), 18 deletions(-)

Comments

Mark H Weaver Sept. 12, 2020, 5:07 p.m. UTC | #1
I've grown tired of arguing about this.  You have the authority, so do
as you will, and I will take my leave from maintenance of the kernel
packages.  Thanks for asking my opinion, anyway.

      Mark
Maxim Cournoyer Sept. 13, 2020, 11:50 p.m. UTC | #2
Hello Mark,

Mark H Weaver <mhw@netris.org> writes:

> I've grown tired of arguing about this.  You have the authority, so do
> as you will, and I will take my leave from maintenance of the kernel
> packages.  Thanks for asking my opinion, anyway.
>
>       Mark

I was hoping this latest modified patch would meet both our goals
(strictly verified for the usual case, with an option to switch to
manual verification of the kernel sources for the exceptional security
quick releases).

Sorry to have worn you out on this.  I'll leave 2 weeks for the issue to
settle, hoping you might reconsider.

Thanks again,

Maxim
Mark H Weaver Sept. 15, 2020, 10:33 a.m. UTC | #3
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> I've grown tired of arguing about this.  You have the authority, so do
>> as you will, and I will take my leave from maintenance of the kernel
>> packages.  Thanks for asking my opinion, anyway.
>>
>>       Mark
>
> I was hoping this latest modified patch would meet both our goals
> (strictly verified for the usual case, with an option to switch to
> manual verification of the kernel sources for the exceptional security
> quick releases).
>
> Sorry to have worn you out on this.  I'll leave 2 weeks for the issue to
> settle, hoping you might reconsider.

I appreciate that.  I'll attempt another followup in the next few days.

       Mark
Mark H Weaver April 22, 2021, 6:35 a.m. UTC | #4
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> I was hoping this latest modified patch would meet both our goals
> (strictly verified for the usual case, with an option to switch to
> manual verification of the kernel sources for the exceptional security
> quick releases).
>
> Sorry to have worn you out on this.  I'll leave 2 weeks for the issue to
> settle, hoping you might reconsider.

I'm sorry for not following up on this sooner.  My opinion on this issue
has not changed, but I've run out of energy to continue arguing about
it, and anyway it's probably more important to make the Linux-libre
developers happy.  Do as you think best, and I'll make adjustments on my
private branch as needed.

     Thanks,
       Mark
Maxim Cournoyer July 27, 2023, 4:18 p.m. UTC | #5
Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> I was hoping this latest modified patch would meet both our goals
>> (strictly verified for the usual case, with an option to switch to
>> manual verification of the kernel sources for the exceptional security
>> quick releases).
>>
>> Sorry to have worn you out on this.  I'll leave 2 weeks for the issue to
>> settle, hoping you might reconsider.
>
> I'm sorry for not following up on this sooner.  My opinion on this issue
> has not changed, but I've run out of energy to continue arguing about
> it, and anyway it's probably more important to make the Linux-libre
> developers happy.  Do as you think best, and I'll make adjustments on my
> private branch as needed.

I think there's still value in this series, but due to the already high
build requirements of running the verification script, I don't think
adding more to it is a good idea.

A better idea will be to build straight from the Git Linux-libre
repository, which will lighten the load to build these kernels while
simplifying things a bit.

Closing for now.
Patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 72fb3ca49d..1df66330cb 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -221,10 +221,18 @@  from forcing GEXP-PROMISE."
                       #:guile-for-build guile)))
 
 (define (make-linux-libre-source version
-                                 upstream-source
+                                 linux-upstream-source
+                                 linux-libre-upstream-source
                                  deblob-scripts)
   "Return a 'computed' origin that generates a Linux-libre tarball from the
-corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
+corresponding LINUX-UPSTREAM-SOURCE (an origin), using the given
+DEBLOB-SCRIPTS.  The generated Linux-libre source is compared against the
+corresponding LINUX-LIBRE-UPSTREAM-SOURCE upstream release (an origin), to
+ensure correctness.  This comparison is skipped when
+LINUX-LIBRE-UPSTREAM-SOURCE is set to #f.  This can be used in exceptional
+cases where for security reasons an update must be pushed before the
+Linux-libre project could publish a cleaned up tree.  Manual screening of the
+new Linux changes for nonfree code is required when skipping the comparison."
   (match deblob-scripts
     ((deblob-version (? origin? deblob) (? origin? deblob-check))
      (unless (string=? deblob-version (version-major+minor version))
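Review bot: the new docstring says the generated tree is compared against LINUX-LIBRE-UPSTREAM-SOURCE "to ensure correctness" but never states the consequence of a mismatch; since the comparison is done with `invoke`, any difference aborts the build, and the docstring should say so plainly (e.g. "the build fails if the generated tree differs from the Linux-libre release"). Making the new argument a mandatory positional parameter is the right call here: every caller has to pass either an origin or an explicit `#f`, so the strict path is the one callers get unless they opt out deliberately.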
@@ -281,14 +289,14 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
                       (("/bin/sed") (which "sed"))
                       (("/usr/bin/python") (which "python"))))
 
-                  (if (file-is-directory? #+upstream-source)
+                  (if (file-is-directory? #+linux-upstream-source)
                       (begin
-                        (format #t "Copying upstream linux source...~%")
-                        (invoke "cp" "--archive" #+upstream-source dir)
+                        (format #t "Copying upstream Linux source...~%")
+                        (invoke "cp" "--archive" #+linux-upstream-source dir)
                         (invoke "chmod" "--recursive" "u+w" dir))
                       (begin
-                        (format #t "Unpacking upstream linux tarball...~%")
-                        (invoke "tar" "xf" #$upstream-source)
+                        (format #t "Unpacking upstream Linux tarball...~%")
+                        (invoke "tar" "xf" #$linux-upstream-source)
                         (match (scandir "."
                                         (lambda (name)
                                           (and (not (member name '("." "..")))
@@ -315,7 +323,22 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
 
                   (format #t "~%Scanning the generated tarball for blobs...~%")
                   (invoke "/tmp/bin/deblob-check" "--use-awk" "--list-blobs"
-                          #$output))))))))))
+                          #$output)
+
+                  (if #+linux-libre-upstream-source
+                      (begin
+
+                        ;; Git doesn't track empty directories, so remove them
+                        ;; from our local tree for the sake of comparison.
+                        (invoke "find" dir "-type" "d" "-empty" "-delete")
+                        (invoke "diff" "-ur"
+                                dir
+                                #+linux-libre-upstream-source))
+                      (begin
+                        (format #t "~%Skipping comparison with the upstream \
+Linux-libre release...  Ensure new sources have been manually verified \
+against nonfree software.~%")
+                        #t)))))))))))
 
 
 ;;;
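Review bot: on a mismatch the only signal is `invoke` raising because `diff` exits non-zero, so the build log contains a raw `diff -ur` dump of a kernel tree with no line saying which two trees were compared or why the build stopped; print a message before `(invoke "diff" "-ur" dir #+linux-libre-upstream-source)`, mirroring the one in the skip branch, or catch the failure and report "generated sources differ from the Linux-libre release" so the log is readable. Two smaller points: `find dir -type d -empty -delete` mutates `dir` after the `#$output` tarball has already been produced and scanned, so it cannot leak into the output, but a comment saying so would spare readers that worry; and the comparison is run against the working tree `dir` rather than the contents of the `#$output` tarball that was just scanned, so a comment stating that the two are the same tree (or comparing the unpacked tarball instead) would make the guarantee explicit.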
@@ -344,8 +367,16 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
     (uri (string-append "mirror://kernel.org"
                         "/linux/kernel/v" (version-major version) ".x/"
                         "linux-" version ".tar.xz"))
-    (sha256 hash)))
+    (sha256 (base32 hash))))
 
+(define (%upstream-linux-libre-source version hash)
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+          (url "git://linux-libre.fsfla.org/releases.git")
+          (commit (string-append "sources/v" version "-gnu"))))
+    (file-name (git-file-name "linux-libre-source" version))
+    (sha256 (base32 hash))))
 
 ;; The current "stable" kernel. That is, the most recently released major
 ;; version.
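Review bot: `%upstream-linux-libre-source` has no docstring; add one stating that VERSION is the Linux version and HASH the base32 SHA-256 of the checkout at `sources/vVERSION-gnu`. Note also that the `git://` transport is unauthenticated, so the `(sha256 (base32 hash))` field is the only thing that authenticates the fetched tree: the value bound as `libre-hash` in each `*-pristine-source` definition must be recorded from a fetch you trust, not copied from the hash-mismatch message of a failed build, otherwise the comparison would only confirm that the generated sources match whatever was served.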
@@ -357,9 +388,11 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0j6jba5fcddqlb42f95gjl78jisfla4nswqila074gglcrbnl9q7")))
 (define-public linux-libre-5.8-pristine-source
   (let ((version linux-libre-5.8-version)
-        (hash (base32 "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik")))
+        (hash "0xm901zvvrwsb9k88la6pb65nybi43bygiyz1z68njwsx6ripxik")
+        (libre-hash "0zjw82xrmlgmjb5w0ar4mhjsn9pf8halwzq6dvv71hmrmskjxbyn"))
    (make-linux-libre-source version
                             (%upstream-linux-source version hash)
+                            (%upstream-linux-libre-source version libre-hash)
                             deblob-scripts-5.8)))
 
 ;; The "longterm" kernels — the older releases with long-term upstream support.
@@ -373,10 +406,12 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1b3q88i2qfdxyvpi9f7jds0qlb8hfpw87mgia096ax6822c2cmyb")))
 (define-public linux-libre-5.4-pristine-source
   (let ((version linux-libre-5.4-version)
-        (hash (base32 "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr")))
-   (make-linux-libre-source version
-                            (%upstream-linux-source version hash)
-                            deblob-scripts-5.4)))
+        (hash "1vymhl6p7i06gfgpw9iv75bvga5sj5kgv46i1ykqiwv6hj9w5lxr")
+        (libre-hash "150cz1h9cn8klh8dhnbhb9zmxc6pf6x9rj5fa2wv9k7r42lk9kis"))
+    (make-linux-libre-source version
+                             (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
+                             deblob-scripts-5.4)))
 
 (define-public linux-libre-4.19-version "4.19.144")
 (define deblob-scripts-4.19
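Review bot: this hunk re-indents the three unchanged `make-linux-libre-source` call lines for `linux-libre-5.4-pristine-source` by one column (a whitespace-only change that the other `*-pristine-source` hunks do not need), which makes the hunk read as a rewrite rather than the one-line addition it is; either keep the old indentation or mention the indentation fix in the commit message.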
@@ -386,9 +421,11 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1jiaw0as1ippkrjdpd52657w5mz9qczg3y2hlra7m9k0xawwiqlf")))
 (define-public linux-libre-4.19-pristine-source
   (let ((version linux-libre-4.19-version)
-        (hash (base32 "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k")))
+        (hash "0jnj65bdy5y9lcj5zhrn4iaszpww8z41ac66j00l75sd931l1g9k")
+        (libre-hash "04lijps8qjk3kwsgvkw9plhmy5rxgrp6ld82d96jgjm27s5xd308"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.19)))
 
 (define-public linux-libre-4.14-version "4.14.197")
@@ -399,9 +436,11 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "1qij18inijj6c3ma8hv98yjagnzxdxyn134da9fd23ky8q6hbvky")))
 (define-public linux-libre-4.14-pristine-source
   (let ((version linux-libre-4.14-version)
-        (hash (base32 "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0")))
+        (hash "029h46yki2hxdbn7afmnf3yar1pnwrpszx76irsa5mf8gnrasyp0")
+        (libre-hash "1hbp1shhhifk3xy8026c466vpfpgll11xx1kawq97llx1pars4hn"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.14)))
 
 (define-public linux-libre-4.9-version "4.9.235")
@@ -412,9 +451,11 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0fxajshb75siq39lj5h8xvhdj8lcmddkslwlyj65rhlwk6g2r4b2")))
 (define-public linux-libre-4.9-pristine-source
   (let ((version linux-libre-4.9-version)
-        (hash (base32 "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6")))
+        (hash "1hqcb3zw4546h6x5xy2mywdznha8813lx15mxbgfbvwm4qhsc9g6")
+        (libre-hash "0sz73pxdz4kl4fyfvbkm7xzdhzx8x2xajr93mhapc65hssyz3059"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.9)))
 
 (define-public linux-libre-4.4-version "4.4.235")
@@ -425,9 +466,11 @@  corresponding UPSTREAM-SOURCE (an origin), using the given DEBLOB-SCRIPTS."
    (base32 "0hhin1jpfkd6nwrb6xqxjzl3hdxy4pn8a15hy2d3d83yw6pflbsf")))
 (define-public linux-libre-4.4-pristine-source
   (let ((version linux-libre-4.4-version)
-        (hash (base32 "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd")))
+        (hash "0w5pkv936zb0shjgnpv17gcp5n8f91djznzq54p6j1bl5q2qdyqd")
+        (libre-hash "1pydy3cr4malqlr69ksw22nphpydfmpbrfh190ahgym741zdfncg"))
     (make-linux-libre-source version
                              (%upstream-linux-source version hash)
+                             (%upstream-linux-libre-source version libre-hash)
                              deblob-scripts-4.4)))
 
 (define %boot-logo-patch