
Commit 6919a49

author
Antonio Salinas
committed
refactor: replacing modify_sources script with toml driven archive overlays
1 parent 892f6f0 commit 6919a49

29 files changed

Lines changed: 435 additions & 136 deletions


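--- a/base/comps/apache-commons-compress/apache-commons-compress.comp.toml
+++ b/base/comps/apache-commons-compress/apache-commons-compress.comp.toml
@@ -17,25 +17,25 @@
 # will be skipped/excluded at build time if they reference these
 # fixtures.
 #
-# We replace Source0 (effectively) with a deterministically-repacked
-# tarball that is byte-identical to upstream except for the stripped
-# files. The repack is produced by
-# base/comps/apache-commons-compress/modify_source.sh, which is
-# reproducible — re-running it always yields the same SHA-512. We keep
-# the upstream filename (commons-compress-1.27.1-src.tar.gz) and use the
-# `replace-upstream` mechanism on the source-files entry below to swap it
-# in place in the Fedora `sources` manifest — no spec edit required.
-#
-# When bumping the apache-commons-compress version (or changing
-# REMOVE_PATHS):
-# 1. Edit VERSION and UPSTREAM_SHA512 in modify_source.sh.
-# 2. Re-run the script and copy the new SHA-512 into the source-files entry.
-# 3. Upload the new tarball to the modified-source lookaside (see script output).
+# Archive overlays strip the scanner-flagged fixtures from upstream Source0
+# during source preparation, avoiding a separate modified-source tarball.
+
+[[components.apache-commons-compress.overlays]]
+type = "file-remove"
+file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/bla.encrypted.7z"
+description = "Remove encrypted 7-Zip test fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.apache-commons-compress.overlays]]
+type = "file-remove"
+file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/password-encrypted.zip"
+description = "Remove encrypted ZIP test fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.apache-commons-compress.overlays]]
+type = "file-remove"
+file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/COMPRESS-256.7z"
+description = "Remove crafted 7-Zip test fixture flagged by AZL signing-pipeline AV scanner"
 
-[[components.apache-commons-compress.source-files]]
-filename = "commons-compress-1.27.1-src.tar.gz"
-hash = "aeecee8776c60a549cbca9fc3c0312c8c98a953d024db64e5c480c643357be7b270193df69fc2172632e472feb9b9221eedf3b40dd933997b881a398dfb3a02b"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/apache-commons-compress/commons-compress-1.27.1-src.tar.gz/sha512/aeecee8776c60a549cbca9fc3c0312c8c98a953d024db64e5c480c643357be7b270193df69fc2172632e472feb9b9221eedf3b40dd933997b881a398dfb3a02b/commons-compress-1.27.1-src.tar.gz" }
-replace-upstream = true
-replace-reason = "AZL-repacked tarball with scanner-flagged encrypted and crafted-archive test fixtures stripped; see modify_source.sh REMOVE_PATHS"
+[[components.apache-commons-compress.overlays]]
+type = "file-remove"
+file = "commons-compress-1.27.1-src.tar.gz/src/test/resources/zip64support.tar.bz2"
+description = "Remove crafted tar.bz2 test fixture flagged by AZL signing-pipeline AV scanner"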
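Review bot: The four `file-remove` overlays at new lines 23–41 each hard-code the tarball name `commons-compress-1.27.1-src.tar.gz` in their `file` path, but the version-bump checklist the old header carried (old lines 29–33) was deleted rather than rewritten, so nothing in the file now says that every overlay path must be updated on a bump or what happens when a path stops matching. firefox.comp.toml in this same commit keeps a two-step checklist (new lines 149–151); I would add the equivalent after new line 21: `# When bumping the version: update the tarball name in every overlay file path below and` / `# verify at build time that each overlay still matches — an unmatched path leaves the flagged fixture in Source0.` Whether the overlay engine fails the build or silently skips an unmatched `file` is not visible in this diff; it is worth confirming and stating, because a silent skip would reintroduce the scanner-flagged files without anyone noticing. The same missing checklist applies to the espeak-ng, exfatprogs, gdal, kf6-karchive, libabigail and libkml sections.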

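--- a/base/comps/espeak-ng/espeak-ng.comp.toml
+++ b/base/comps/espeak-ng/espeak-ng.comp.toml
@@ -12,16 +12,11 @@
 # our spec does not reference it or ship it in any binary RPM, so stripping
 # this file is functionally inert.
 #
-# Replace upstream Source0 with a deterministically-repacked tarball produced
-# by base/comps/espeak-ng/modify_source.sh. The upstream filename is preserved
-# so `replace-upstream = true` swaps the entry in place in the Fedora `sources`
-# manifest without requiring a `Source0`/filename change.
+# Archive overlays strip this scanner-flagged fixture from upstream Source0
+# during source preparation, avoiding a separate modified-source tarball.
 [components.espeak-ng]
 
-[[components.espeak-ng.source-files]]
-filename = "espeak-ng-1.51.1.tar.gz"
-hash = "84685a24e93e743c4f0be73dd9d553a96ed95bc8c2c0c683d84935183e517ae039066de93e3f83617b2114b27b427ec18ff8169972188d2a81b55f839c7c726f"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/espeak-ng/espeak-ng-1.51.1.tar.gz/sha512/84685a24e93e743c4f0be73dd9d553a96ed95bc8c2c0c683d84935183e517ae039066de93e3f83617b2114b27b427ec18ff8169972188d2a81b55f839c7c726f/espeak-ng-1.51.1.tar.gz" }
-replace-upstream = true
-replace-reason = "Strips the `chromium_extension/index.php` demo file flagged as PHP/Webshell.NWM by anti-malware scanners on the AZL RPM-signing pipeline. See `modify_source.sh` next to this file."
+[[components.espeak-ng.overlays]]
+type = "file-remove"
+file = "espeak-ng-1.51.1.tar.gz/chromium_extension/index.php"
+description = "Remove PHP webshell demo flagged as PHP/Webshell.NWM by AZL signing-pipeline AV scanner"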
Lines changed: 4 additions & 7 deletions
@@ -1,9 +1,6 @@
11
[components.exfatprogs]
22

3-
[[components.exfatprogs.source-files]]
4-
filename = "exfatprogs-1.3.1.tar.xz"
5-
hash = "ded26326feab2b0013c1031fda7add53100e0581711555b8a64e8036448775a51304e4c5c368049cb26633dbf02e814b6f97bd804cafff324921a8e6a3a975d0"
6-
hash-type = "SHA512"
7-
origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/exfatprogs/exfatprogs-1.3.1.tar.xz/sha512/ded26326feab2b0013c1031fda7add53100e0581711555b8a64e8036448775a51304e4c5c368049cb26633dbf02e814b6f97bd804cafff324921a8e6a3a975d0/exfatprogs-1.3.1.tar.xz" }
8-
replace-upstream = true
9-
replace-reason = "The upstream `tests/` tree ships 19 deliberately-corrupted exFAT filesystem images (e.g. bad_bitmap, bad_dentries, bs_bad_csum, loop_chain) whose malformed metadata sends the malware scanner into runaway behaviour on the crafted FAT/dentry structures -- the shell harness alongside them (tests/upcase_table/, test_fsck.sh) is not itself problematic; it is removed as collateral because it becomes unused once the images are gone. The `tests/` tree is EXTRA_DIST-only, never built or installed, and the spec has no %check, so stripping it is functionally inert. See modify_source.sh."
3+
[[components.exfatprogs.overlays]]
4+
type = "file-remove"
5+
file = "exfatprogs-1.3.1.tar.xz/tests/**"
6+
description = "Remove tests/ directory containing deliberately-corrupted exFAT filesystem images that trip AZL signing-pipeline AV scanner"
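Review bot: The overlay at new lines 3–6 removes the whole `tests/**` tree, but the justification for why that is safe — the deleted `replace-reason` (old line 9) recorded that `tests/` is EXTRA_DIST-only, never built or installed, and that the spec has no %check — was dropped and not restored anywhere in the file; the new `description` keeps only the scanner rationale. Every other comp file in this commit keeps its "functionally inert" argument in the header comment, so I would add one above the overlay: `# The tests/ tree is EXTRA_DIST-only, never built or installed, and the spec has no` / `# %check, so removing it (images plus the now-unused shell harness) is functionally inert.` Whether `**` also removes the `tests/` directory entry itself or only its contents depends on the overlay engine's glob semantics, which this diff does not show; libabigail uses the same form, so it is presumably supported, but one sentence saying so would help. The file header for this section is missing from the rendered page, so the file's path is only inferable from the `[components.exfatprogs]` table.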

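--- a/base/comps/firefox/firefox.comp.toml
+++ b/base/comps/firefox/firefox.comp.toml
@@ -143,28 +143,19 @@ replacement = 'Release: %[1 + %{azl_release}]%{?pre_tag}%{?dist}'
 # The authoritative list of stripped files lives in
 # base/comps/firefox/modify_source.sh (REMOVE_PATHS).
 #
-# We replace Source0 with a deterministically-repacked tarball that is
-# byte-identical to the upstream one except for the stripped files.
-# The repack is produced by base/comps/firefox/modify_source.sh, which
-# is reproducible — re-running it always yields the same SHA-512. We keep
-# the upstream filename (firefox-<version>.source.tar.xz) and use the
-# `replace-upstream` mechanism on the source-files entry below to swap it
-# in place in the Fedora `sources` manifest — no spec edit required.
+# Archive overlays strip the scanner-flagged fixtures from upstream Source0
+# during source preparation, avoiding a separate modified-source tarball.
 #
 # When bumping the firefox version (or changing REMOVE_PATHS):
-# 1. Edit VERSION and UPSTREAM_SHA512 in modify_source.sh.
-# 2. Re-run the script and copy the new SHA-512 into the source-files entry.
-# 3. Upload the new tarball to the modified-source lookaside (see script output).
+# 1. Update the overlay paths below if upstream fixture paths change.
+# 2. Re-render and build to verify the archive overlays still apply.
 
-# Drop the upstream firefox-<version>.source.tar.xz entry from the Fedora
-# `sources` lookaside manifest so the build does not also try to fetch the
-# unmodified upstream tarball alongside our repacked one. This is handled
-# by `replace-upstream = true` on the source-files entry below.
+[[components.firefox.overlays]]
+type = "file-remove"
+file = "firefox-148.0.source.tar.xz/toolkit/components/mediasniffer/test/unit/data/ff-inst.exe"
+description = "Remove obfuscated Windows executable test fixture flagged by AZL signing-pipeline AV scanner"
 
-[[components.firefox.source-files]]
-filename = "firefox-148.0.source.tar.xz"
-hash = "c9c9f29fbd8f889bf3cf3d88776e1a62da7b2a65d386538d2bd048dd70caaaf8324adb5303a5fa9aa73c2cf6eb9f89cb4b34f9e67c4208d88636dd5376af90a9"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/firefox/firefox-148.0.source.tar.xz/sha512/c9c9f29fbd8f889bf3cf3d88776e1a62da7b2a65d386538d2bd048dd70caaaf8324adb5303a5fa9aa73c2cf6eb9f89cb4b34f9e67c4208d88636dd5376af90a9/firefox-148.0.source.tar.xz" }
-replace-upstream = true
-replace-reason = "AZL-repacked tarball with malware-flagged upstream test fixtures stripped (trips RPM signing pipeline); see modify_source.sh REMOVE_PATHS"
+[[components.firefox.overlays]]
+type = "file-remove"
+file = "firefox-148.0.source.tar.xz/dom/base/crashtests/607222.html"
+description = "Remove crashtest HTML fixture flagged by AZL signing-pipeline AV scanner"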
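Review bot: Context lines 143–144 and 149 still point readers at `base/comps/firefox/modify_source.sh (REMOVE_PATHS)` as the authoritative list of stripped files, but this commit replaces that script with the overlays, so the header now contradicts the new checklist at new lines 150–151 directly beneath it. I would replace lines 143–144 with `# The authoritative list of stripped files is the set of file-remove overlays below.` and line 149 with `# When bumping the firefox version (or changing the stripped-file set):`, dropping the script reference entirely. The other sections in this commit rewrote their header comments, so this stale reference appears to be specific to firefox.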

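--- a/base/comps/gdal/gdal.comp.toml
+++ b/base/comps/gdal/gdal.comp.toml
@@ -12,19 +12,14 @@
 # no-op (exits 0; gcore tests were OOM-killing the build POD), so stripping
 # this fixture is functionally inert.
 #
-# Replace upstream Source1 with a deterministically-repacked tarball produced
-# by base/comps/gdal/modify_source.sh. The upstream filename is preserved so
-# `replace-upstream = true` swaps the entry in place in the Fedora `sources`
-# manifest -- no spec edit required.
+# Archive overlays strip this scanner-flagged fixture from upstream Source1
+# during source preparation, avoiding a separate modified-source tarball.
 [components.gdal]
 
-[[components.gdal.source-files]]
-filename = "gdalautotest-3.11.5.tar.gz"
-hash = "a39cc826885a2336c80545203947c4693851aae3de02b980be25b4b579658e6314e058dc228660294b2370242df8f298c4fe64c6d3b1cd0bf5adf56b3e321b77"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/gdal/gdalautotest-3.11.5.tar.gz/sha512/a39cc826885a2336c80545203947c4693851aae3de02b980be25b4b579658e6314e058dc228660294b2370242df8f298c4fe64c6d3b1cd0bf5adf56b3e321b77/gdalautotest-3.11.5.tar.gz" }
-replace-upstream = true
-replace-reason = "Repacked source tarball without gcore/data/zero_5GB_sozip_of_sozip.zip which was flagged as a Trojan. See modify_source.sh."
+[[components.gdal.overlays]]
+type = "file-remove"
+file = "gdalautotest-3.11.5.tar.gz/gcore/data/zero_5GB_sozip_of_sozip.zip"
+description = "Remove large test fixture to reduce source size"
 
 [components.gdal.build]
 # Azure Linux does not support MinGW cross-compilation.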
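Review bot: The `description` at new line 22 says the fixture is removed "to reduce source size", but the header comment at new line 15 and the deleted `replace-reason` (old line 27) both say `gcore/data/zero_5GB_sozip_of_sozip.zip` is removed because the AZL signing-pipeline scanner flagged it as a Trojan. The description is the only per-overlay record of the reason, and as written it invites a future reader to drop the overlay as a mere size optimisation and reintroduce the flagged file. I would change it to `description = "Remove zero_5GB_sozip_of_sozip.zip test fixture flagged as a Trojan by AZL signing-pipeline AV scanner"`, matching the wording every other section in this commit uses.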

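--- a/base/comps/kf6-karchive/kf6-karchive.comp.toml
+++ b/base/comps/kf6-karchive/kf6-karchive.comp.toml
@@ -12,16 +12,16 @@
 # upstream's CMake gates them on BUILD_TESTING=ON, which we don't set), so
 # stripping these test fixtures is functionally inert.
 #
-# Replace upstream Source0 with a deterministically-repacked tarball produced
-# by base/comps/kf6-karchive/modify_source.sh. The upstream filename is
-# preserved so `replace-upstream = true` swaps the entry in place in the
-# Fedora `sources` manifest -- no spec edit required.
+# Archive overlays strip these scanner-flagged fixtures from upstream Source0
+# during source preparation, avoiding a separate modified-source tarball.
 [components.kf6-karchive]
 
-[[components.kf6-karchive.source-files]]
-filename = "karchive-6.23.0.tar.xz"
-hash = "dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/kf6-karchive/karchive-6.23.0.tar.xz/sha512/dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a/karchive-6.23.0.tar.xz" }
-replace-upstream = true
-replace-reason = "AZL-repacked tarball with autotest fixtures stripped that trip anti-malware scanning on the AZL RPM-signing pipeline: autotests/data/password_protected.7z (password-protected 7-Zip) and autotests/data/zip64_extra_zip64_size_first.zip.gz (ZIP64 edge-case fixture whose inner .zip the scanner rejects after decompressing the .gz wrapper). The autotests are not built or run in our spec (no %check, BUILD_TESTING is off), so removing these test fixtures is functionally inert. See modify_source.sh."
+[[components.kf6-karchive.overlays]]
+type = "file-remove"
+file = "karchive-6.23.0.tar.xz/autotests/data/password_protected.7z"
+description = "Remove password-protected 7-Zip test fixture flagged by AZL signing-pipeline AV scanner"
+
+[[components.kf6-karchive.overlays]]
+type = "file-remove"
+file = "karchive-6.23.0.tar.xz/autotests/data/zip64_extra_zip64_size_first.zip.gz"
+description = "Remove ZIP64 edge-case test fixture flagged by AZL signing-pipeline AV scanner"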

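--- a/base/comps/libabigail/libabigail.comp.toml
+++ b/base/comps/libabigail/libabigail.comp.toml
@@ -10,24 +10,18 @@
 # across separated-debuginfo + dwz layouts. The scanner flags both
 # .debug files as "packer_high_entropy:eod".
 #
-# Replace upstream Source0 with a deterministically-repacked tarball produced
-# by base/comps/libabigail/modify_source.sh, which strips the entire
-# PR30329/ fixture directory so nothing in-tree references the missing
-# files. The two corresponding `InOutSpec in_out_specs[]` entries in
+# Archive overlays strip the entire PR30329/ fixture directory from upstream
+# Source0 so nothing in-tree references the missing files. The two
+# corresponding `InOutSpec in_out_specs[]` entries in
 # tests/test-abidiff-exit.cc are dropped by a companion overlay patch
 # (`tests-drop-PR30329-fixture-entries.patch`, applied below), keeping
-# `make check` green. The upstream filename is preserved so
-# `replace-upstream = true` swaps the entry in place in the Fedora `sources`
-# manifest -- no spec edit required.
+# `make check` green. This avoids a separate modified-source tarball.
 [components.libabigail]
 
-[[components.libabigail.source-files]]
-filename = "libabigail-2.9.tar.xz"
-hash = "efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/libabigail/libabigail-2.9.tar.xz/sha512/efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4/libabigail-2.9.tar.xz" }
-replace-upstream = true
-replace-reason = "Repacked source tarball with tests/data/test-abidiff-exit/PR30329/ removed (two libsqlite3.so.0.8.6.debug fixtures inside it were flagged as packer_high_entropy:eod by the AZL signing-pipeline AV scanner). The matching InOutSpec entries in tests/test-abidiff-exit.cc are dropped by the companion overlay patch tests-drop-PR30329-fixture-entries.patch. See modify_source.sh."
+[[components.libabigail.overlays]]
+type = "file-remove"
+file = "libabigail-2.9.tar.xz/tests/data/test-abidiff-exit/PR30329/**"
+description = "Remove PR30329 fixture directory (two libsqlite3.so.0.8.6.debug files flagged as packer_high_entropy:eod by AZL signing-pipeline AV scanner)"
 
 [[components.libabigail.overlays]]
 description = "Drop the two tests/test-abidiff-exit.cc InOutSpec entries that exercise the PR30329 fixture set (removed from the AZL-repacked Source0 because its two libsqlite3.so.0.8.6.debug files are flagged packer_high_entropy:eod by the AZL signing-pipeline AV scanner). Without this patch `make check` fails trying to open the missing fixtures."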
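Review bot: The companion patch overlay's `description` on context line 27 (old 33) still says the fixture set was "removed from the AZL-repacked Source0", which no longer describes the mechanism — the `file-remove` overlay at new lines 21–24 now strips `PR30329/**` from the upstream tarball and there is no repack any more. I would change that phrase to `removed from Source0 by the file-remove overlay above because its two libsqlite3.so.0.8.6.debug files are flagged ...`, keeping the rest of the sentence. Whether the engine applies the patch overlay before or after the file-remove overlay is not shown here; the two look independent (the patch edits tests/test-abidiff-exit.cc, not the removed directory), but a sentence in the header stating that order does not matter would save the next reader the question. The patch overlay's remaining keys lie outside this hunk.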

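--- a/base/comps/libkml/libkml.comp.toml
+++ b/base/comps/libkml/libkml.comp.toml
@@ -1,9 +1,18 @@
 [components.libkml]
 
-[[components.libkml.source-files]]
-filename = "libkml-1.3.0.tar.gz"
-hash = "6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58"
-hash-type = "SHA512"
-origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/libkml/libkml-1.3.0.tar.gz/sha512/6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58/libkml-1.3.0.tar.gz" }
-replace-upstream = true
-replace-reason = "Strips the scanner-flagged `testdata/kmz/bad-too-large.kmz` test fixture (a benign-by-intent crafted-malformed ZIP whose on-disk shape matches malicious-archive heuristics) and the matching `ZipFileTest.TestBadTooLarge` block from `tests/kml/base/zip_file_test.cc`. See `modify_source.sh` next to this file."
+# Remove decompression-bomb test fixture flagged by AV scanner
+[[components.libkml.overlays]]
+type = "file-remove"
+file = "libkml-1.3.0.tar.gz/testdata/kmz/bad-too-large.kmz"
+description = "Remove crafted decompression-bomb KMZ fixture flagged by AZL signing-pipeline AV scanner"
+
+# Surgically remove the TEST_F block that exercises the stripped fixture.
+# The sed range `TEST_F(ZipFileTest, TestBadTooLarge) {` through the next
+# column-0 `}` is safe because nested braces inside the test body are
+# always indented.
+[[components.libkml.overlays]]
+type = "file-search-replace"
+file = "libkml-1.3.0.tar.gz/tests/kml/base/zip_file_test.cc"
+regex = 'TEST_F\(ZipFileTest, TestBadTooLarge\) \{[^}]*\}\n'
+replacement = ''
+description = "Remove TestBadTooLarge test block that references stripped bad-too-large.kmz fixture"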
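Review bot: The comment at new lines 10–12 says the match runs to "the next column-0 `}`" and that nested braces are safe because they are indented, but the regex at new line 16, `TEST_F\(ZipFileTest, TestBadTooLarge\) \{[^}]*\}\n`, stops at the first `}` of any kind — `[^}]` ignores indentation — so if the test body contains any nested brace the match ends early and leaves the tail of the function in zip_file_test.cc as a syntax error, and if it contains none the comment misstates what makes the edit safe. Either document the real precondition, `# The regex ends at the first "}" after the opening brace, so it is only correct while the test body contains no nested braces.`, or make the pattern run to a column-0 closing brace, e.g. `regex = 'TEST_F\(ZipFileTest, TestBadTooLarge\) \{\n(?:[^\n]*\n)*?\}\n'` (consume whole lines lazily until a line that is exactly `}`), which assumes the `file-search-replace` engine supports non-greedy quantifiers — its regex dialect is not visible in this diff. What the engine does when the regex matches nothing is also not shown; a silent no-match would leave `TestBadTooLarge` referencing the stripped `bad-too-large.kmz` and surface only if the tests are built and run.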
