From patchwork Fri Dec 6 13:17:02 2024
X-Patchwork-Submitter: Felix Moessbauer
X-Patchwork-Id: 3973
From: Felix Moessbauer <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: Felix Moessbauer, cedric.hombourger@siemens.com, alexander.heinisch@siemens.com, jan.kiszka@siemens.com
Subject: [PATCH 1/1] snapshots: add option to use separate timestamp for security component
Date: Fri, 6 Dec 2024 14:17:02 +0100
Message-Id: <20241206131702.60476-1-felix.moessbauer@siemens.com>

Before releasing a product, all available security fixes should be included. However, you might not want to get other proposed updates. With the previous snapshot logic it was not possible to model this, as a single timestamp is used for all apt source-list entries.
We change that by adding a "security" flag to snapshot date variables. By that, dedicated control over the security distribution is possible. For now, we only add this logic for debian distributions (not ubuntu), as only there we have a dedicated security distribution. Signed-off-by: Felix Moessbauer --- For details about the used terms (e.g. "security distribution") please refer to https://wiki.debian.org/SourcesList. doc/user_manual.md | 2 ++ meta/classes/bootstrap.bbclass | 5 ++++- meta/conf/distro/debian-common.conf | 5 ++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/doc/user_manual.md b/doc/user_manual.md index 1e505c66..fd4fe249 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -447,7 +447,9 @@ Some other variables include: - `ISAR_APT_DELAY_MAX` - Maximum time in seconds apt performs retries. Optional - `DISTRO_APT_SNAPSHOT_PREMIRROR` - Similar to `DISTRO_APT_PREMIRRORS` but for a snapshot, pre-defined for supported distros. - `ISAR_APT_SNAPSHOT_TIMESTAMP` - Unix timestamp of the apt snapshot. Automatically derived from `SOURCE_DATE_EPOCH` if not overwritten. (Consider `ISAR_APT_SNAPSHOT_DATE` for a more user friendly format) + - `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` - Unix timestamp of the security distribution. Optional. - `ISAR_APT_SNAPSHOT_DATE` - Timestamp in upstream format (e.g. `20240702T082400Z`) of the apt snapshot. Overrides `ISAR_APT_SNAPSHOT_TIMESTAMP` if set. Otherwise, will be automatically derived from `ISAR_APT_SNAPSHOT_TIMESTAMP` + - `ISAR_APT_SNAPSHOT_DATE[security]` - Timestamp in upstream format of the security distribution. Optional. - `THIRD_PARTY_APT_KEYS` - List of gpg key URIs used to verify apt repos for apt installation after bootstrapping. - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS. - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable. diff --git a/meta/classes/bootstrap.bbclass b/meta/classes/bootstrap.bbclass index f5b92808..c0644acb 100644 --- a/meta/classes/bootstrap.bbclass +++ b/meta/classes/bootstrap.bbclass 
@@ -28,6 +28,7 @@ BOOTSTRAP_DISTRO = "${@d.getVar('HOST_DISTRO' if bb.utils.to_boolean(d.getVar('B BOOTSTRAP_BASE_DISTRO = "${@d.getVar('HOST_BASE_DISTRO' if bb.utils.to_boolean(d.getVar('BOOTSTRAP_FOR_HOST')) else 'BASE_DISTRO')}" BOOTSTRAP_DISTRO_ARCH = "${@d.getVar('HOST_ARCH' if bb.utils.to_boolean(d.getVar('BOOTSTRAP_FOR_HOST')) else 'DISTRO_ARCH')}" ISAR_APT_SNAPSHOT_DATE ?= "${@ get_isar_apt_snapshot_date(d)}" +ISAR_APT_SNAPSHOT_DATE[security] ?= "${@ get_isar_apt_snapshot_date(d, 'security')}" python () { distro_bootstrap_keys = (d.getVar("DISTRO_BOOTSTRAP_KEYS") or "").split() @@ -101,9 +102,11 @@ def parse_aptsources_list_line(source_list_line): return [type, options, source, suite, components] -def get_isar_apt_snapshot_date(d): +def get_isar_apt_snapshot_date(d, dist=None): import time source_date_epoch = d.getVar('ISAR_APT_SNAPSHOT_TIMESTAMP') + if dist: + source_date_epoch = d.getVarFlag('ISAR_APT_SNAPSHOT_TIMESTAMP', dist) or source_date_epoch return time.strftime('%Y%m%dT%H%M%SZ', time.gmtime(int(source_date_epoch))) def get_apt_source_mirror(d, aptsources_entry_list): diff --git a/meta/conf/distro/debian-common.conf b/meta/conf/distro/debian-common.conf index 92a15404..b5d8aa9a 100644 --- a/meta/conf/distro/debian-common.conf +++ b/meta/conf/distro/debian-common.conf @@ -40,4 +40,7 @@ COMPAT_DISTRO_ARCH:amd64 = "i386" COMPAT_DISTRO_ARCH:arm64 = "armhf" # snapshot mirror for reproducible builds -DISTRO_APT_SNAPSHOT_PREMIRROR ??= "deb.debian.org/(.*) snapshot.debian.org/archive/\1/${ISAR_APT_SNAPSHOT_DATE}\n" +DISTRO_APT_SNAPSHOT_PREMIRROR ??= " \ + deb.debian.org/(debian-security)/? snapshot.debian.org/archive/\1/${@d.getVarFlag('ISAR_APT_SNAPSHOT_DATE', 'security')}\n \ + deb.debian.org/(.*)/? snapshot.debian.org/archive/\1/${ISAR_APT_SNAPSHOT_DATE}\n \ +"
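Review bot: the two new `[security]` entries in the doc/user_manual.md hunk say "Optional" but do not state what happens when the flag is unset, nor that the separate security snapshot only applies to Debian-based distros as the commit message explains. The bootstrap hunk falls back to the unflagged timestamp (`getVarFlag(...) or source_date_epoch`), so the manual should say so, e.g. `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` - Unix timestamp of the security distribution. Optional; defaults to `ISAR_APT_SNAPSHOT_TIMESTAMP`. Debian only. The `ISAR_APT_SNAPSHOT_DATE[security]` line should likewise note that, like its unflagged counterpart, it overrides `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` when set.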
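Review bot: the new default `ISAR_APT_SNAPSHOT_DATE[security] ?= "${@ get_isar_apt_snapshot_date(d, 'security')}"` in the first bootstrap.bbclass hunk is derived from the timestamp variables only, so a user who overrides the unflagged `ISAR_APT_SNAPSHOT_DATE` (which the manual says takes precedence over `ISAR_APT_SNAPSHOT_TIMESTAMP`) without touching any security flag now gets a security snapshot at a different date than the main distribution, whereas before this patch both used that one date. Suggest having the security default fall back to the expanded `ISAR_APT_SNAPSHOT_DATE` when `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` is unset, e.g. return `d.getVar('ISAR_APT_SNAPSHOT_DATE')` from `get_isar_apt_snapshot_date()` in that case, and mention the precedence in the commit message.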
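Review bot: in the second bootstrap.bbclass hunk the flag value from `d.getVarFlag('ISAR_APT_SNAPSHOT_TIMESTAMP', dist)` is passed straight into `int(...)`, so a mistyped value or a date-format string such as `20240702T082400Z` placed in the timestamp flag fails at parse time with a bare ValueError that names neither the variable nor the flag. Suggest validating once and reporting via `bb.fatal` with the variable and flag name. Also, `dist` is really a varflag name rather than a distribution; a one-line docstring on `get_isar_apt_snapshot_date()` stating that `dist=None` means the main timestamp and any other value selects that flag would make the fallback explicit.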
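Review bot: in the debian-common.conf hunk the order of the two premirror lines is load-bearing, since `deb.debian.org/(.*)/?` also matches `debian-security`, so the dedicated security line only wins because it comes first; please add a comment above the assignment saying the security entry must precede the catch-all. Two smaller points: the `/?` appended after the greedy `(.*)` never consumes anything, so it can be dropped from the second line, and the multi-line value now carries leading spaces on each entry and ends with `\n ` before the closing quote, which the old one-line value did not, so please confirm the premirror parser tolerates the surrounding whitespace and the trailing empty entry.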