diff --git a/base/comps/components.toml b/base/comps/components.toml index 368a3b86f41..35ae6afcdb9 100644 --- a/base/comps/components.toml +++ b/base/comps/components.toml @@ -1647,7 +1647,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min [components.libXp] [components.libXpm] [components.libXpresent] -[components.libabigail] [components.libaccounts-glib] [components.libaccounts-qt] [components.libadwaita] diff --git a/base/comps/libabigail/libabigail.comp.toml b/base/comps/libabigail/libabigail.comp.toml new file mode 100644 index 00000000000..fce2d75e19a --- /dev/null +++ b/base/comps/libabigail/libabigail.comp.toml @@ -0,0 +1,36 @@ +# The upstream libabigail tarball `libabigail-2.9.tar.xz` (Source0) ships an +# abidiff regression-test fixture set whose two separated-debuginfo files trip +# anti-malware scanning on the AZL RPM-signing pipeline, which rejects +# encrypted / unscannable payloads inside SRPMs: +# +# - tests/data/test-abidiff-exit/PR30329/{old,new}-image/usr/lib/debug/ +# usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6.debug +# Stripped DWARF debuginfo for a pre-built upstream sqlite3 shared +# library, used (with dwz multifile companions) to exercise abidiff +# across separated-debuginfo + dwz layouts. The scanner flags both +# .debug files as "packer_high_entropy:eod". +# +# Replace upstream Source0 with a deterministically-repacked tarball produced +# by base/comps/libabigail/modify_source.sh, which strips the entire +# PR30329/ fixture directory so nothing in-tree references the missing +# files. The two corresponding `InOutSpec in_out_specs[]` entries in +# tests/test-abidiff-exit.cc are dropped by a companion overlay patch +# (`tests-drop-PR30329-fixture-entries.patch`, applied below), keeping +# `make check` green. The upstream filename is preserved so +# `replace-upstream = true` swaps the entry in place in the Fedora `sources` +# manifest -- no spec edit required. +[components.libabigail] + +[[components.libabigail.source-files]] +filename = "libabigail-2.9.tar.xz" +hash = "efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4" +hash-type = "SHA512" +origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/libabigail/libabigail-2.9.tar.xz/sha512/efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4/libabigail-2.9.tar.xz" } +replace-upstream = true +replace-reason = "Repacked source tarball with tests/data/test-abidiff-exit/PR30329/ removed (two libsqlite3.so.0.8.6.debug fixtures inside it were flagged as packer_high_entropy:eod by the AZL signing-pipeline AV scanner). The matching InOutSpec entries in tests/test-abidiff-exit.cc are dropped by the companion overlay patch tests-drop-PR30329-fixture-entries.patch. See modify_source.sh." + +[[components.libabigail.overlays]] +description = "Drop the two tests/test-abidiff-exit.cc InOutSpec entries that exercise the PR30329 fixture set (removed from the AZL-repacked Source0 because its two libsqlite3.so.0.8.6.debug files are flagged packer_high_entropy:eod by the AZL signing-pipeline AV scanner). Without this patch `make check` fails trying to open the missing fixtures." +type = "patch-add" +file = "tests-drop-PR30329-fixture-entries.patch" +source = "tests-drop-PR30329-fixture-entries.patch" diff --git a/base/comps/libabigail/modify_source.sh b/base/comps/libabigail/modify_source.sh new file mode 100644 index 00000000000..396f2d44b2e --- /dev/null +++ b/base/comps/libabigail/modify_source.sh @@ -0,0 +1,168 @@ +#!/usr/bin/env bash +# +# libabigail: deterministic strip-and-repack of upstream `libabigail-2.9.tar.xz` +# with the PR30329 testsuite fixture set (which trips anti-malware scanning on +# the AZL RPM-signing pipeline) removed. The corresponding two entries in +# `tests/test-abidiff-exit.cc` that exercise the removed fixture are dropped +# by a companion overlay patch (see `libabigail.comp.toml`); this script does +# file removal only, no in-tarball source patching. +# Rationale lives in the comp.toml `replace-reason` field. +# +# Usage: bash base/comps/libabigail/modify_source.sh +# Output: base/build/work/scratch/libabigail/libabigail-2.9.tar.xz (+ .sha512) +# The upstream tarball is cached under a `.upstream` suffix; re-runs reuse it. + +set -euo pipefail + +# Pin umask so the extraction step below produces the same mode bits +# regardless of the caller's umask. With `--no-same-permissions`, tar ANDs +# each entry's mode against `~umask`, so e.g. umask 077 would silently strip +# group/other read bits and change the bytes of the repacked tarball. The +# repack step does not re-assert per-file modes (only owner/group/mtime), so +# this pin is what guarantees a byte-identical output across machines. +umask 022 + +# --- Constants -------------------------------------------------------------- + +readonly COMPONENT="libabigail" +readonly UPSTREAM_VERSION="2.9" +readonly UPSTREAM_FILENAME="${COMPONENT}-${UPSTREAM_VERSION}.tar.xz" +readonly UPSTREAM_TOPDIR="${COMPONENT}-${UPSTREAM_VERSION}" +readonly UPSTREAM_URL="https://mirrors.kernel.org/sourceware/libabigail/${UPSTREAM_FILENAME}" + +readonly UPSTREAM_SHA512="5bdf5ec49a5931a61bf28317b41eee583d6277d00ac621b2d2a97bbc0d816c3662bcfe13a5ac7aeee11c947afb69a5a0a9a8015fcebad09965b45af9b1e23606" + +# Directory (relative to ${UPSTREAM_TOPDIR}) to strip in its entirety. The +# PR30329 fixture set is a libabigail abidiff regression test built around a +# pair of stripped sqlite3 shared libraries + their separated debuginfo + +# dwz-multifile components. The two `libsqlite3.so.0.8.6.debug` separated- +# debuginfo files inside it are flagged as encrypted/unscannable payloads by +# the AV scanner ("packer_high_entropy:eod") in the AZL RPM-signing pipeline. +# We strip the whole PR30329/ directory (not just the two .debug files) so +# nothing in the tarball still references the missing pieces; the two +# corresponding `InOutSpec` entries in tests/test-abidiff-exit.cc are dropped +# by the companion overlay patch +# `tests-drop-PR30329-fixture-entries.patch` (see libabigail.comp.toml) so +# `make check` still passes. +readonly REMOVE_DIRS=( + "tests/data/test-abidiff-exit/PR30329" +) + +# Deterministic-repack mtime: 2020-01-01T00:00:00Z (1577836800). +# Any fixed epoch works; do not change without also bumping the +# `hash` in libabigail.comp.toml. +readonly DETERMINISTIC_MTIME="@1577836800" + +# --- Work directory --------------------------------------------------------- + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)" +WORKDIR="${REPO_ROOT}/base/build/work/scratch/${COMPONENT}" + +mkdir -p "${WORKDIR}" +cd "${WORKDIR}" + +echo "[1/5] Working in ${WORKDIR}" + +# --- Download upstream ------------------------------------------------------ +# +# The upstream tarball is cached under a `.upstream` suffix so that +# the repacked output written at the canonical `${UPSTREAM_FILENAME}` +# path below cannot clobber the cache on re-runs. Treat the cache +# as authoritative only after SHA-512 verification. + +UPSTREAM_CACHE="${WORKDIR}/${UPSTREAM_FILENAME}.upstream" + +if [[ ! -f "${UPSTREAM_CACHE}" ]]; then + echo "[2/5] Downloading ${UPSTREAM_FILENAME} from ${UPSTREAM_URL}" + # `--proto` / `--proto-redir` restrict the initial request *and* any + # redirect target to HTTPS, so a downgrade to plain HTTP is refused. + curl -fsSL --retry 3 \ + --proto '=https' --proto-redir '=https' \ + -o "${UPSTREAM_CACHE}.part" "${UPSTREAM_URL}" + mv "${UPSTREAM_CACHE}.part" "${UPSTREAM_CACHE}" +else + echo "[2/5] Using cached upstream tarball ${UPSTREAM_CACHE}" +fi + +# --- Verify upstream SHA-512 ------------------------------------------------ + +echo "[3/5] Verifying upstream SHA-512" +COMPUTED_UPSTREAM_SHA512="$(sha512sum "${UPSTREAM_CACHE}" | awk '{print $1}')" +if [[ "${COMPUTED_UPSTREAM_SHA512}" != "${UPSTREAM_SHA512}" ]]; then + echo "ERROR: upstream SHA-512 mismatch (cache may be corrupt; delete ${UPSTREAM_CACHE} and re-run)" >&2 + echo " expected: ${UPSTREAM_SHA512}" >&2 + echo " computed: ${COMPUTED_UPSTREAM_SHA512}" >&2 + exit 1 +fi + +# --- Extract + strip -------------------------------------------------------- + +echo "[4/5] Extracting and stripping ${#REMOVE_DIRS[@]} fixture dir(s) from ${UPSTREAM_TOPDIR}" +rm -rf "${WORKDIR}/${UPSTREAM_TOPDIR}" +# `--no-same-owner` / `--no-same-permissions` prevent tar from applying the +# archive's uid/gid/mode bits to the extracted tree. They are already the +# default for non-root users, but explicit hardening makes the script safe +# to run under sudo (where the defaults flip) and defends against any +# setuid/setgid bits or unexpected ownership in the upstream tarball. +# Deterministic owner/group is re-asserted in the repack step below. +tar -C "${WORKDIR}" --no-same-owner --no-same-permissions -xf "${UPSTREAM_CACHE}" +for REMOVE_DIR in "${REMOVE_DIRS[@]}"; do + if [[ ! -d "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_DIR}" ]]; then + echo "ERROR: expected '${UPSTREAM_TOPDIR}/${REMOVE_DIR}' not present in upstream tarball" >&2 + exit 1 + fi + echo " stripping ${UPSTREAM_TOPDIR}/${REMOVE_DIR}" + rm -rf "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_DIR}" +done + +# --- Repack deterministically ----------------------------------------------- + +echo "[5/5] Repacking deterministically as ${UPSTREAM_FILENAME}" +# Deterministic flags: +# --sort=name stable entry order +# --owner=0 --group=0 no host uid/gid leakage +# --numeric-owner force numeric uid/gid +# --mtime=@ fixed mtime +# --format=gnu handles long paths deterministically +# LC_ALL=C pins sort collation so --sort=name is locale-independent. +# xz -9e -T1 picks max compression with single-threaded output (multi-threaded +# xz produces non-deterministic byte streams). The upstream tarball is .xz so +# we re-emit .xz to keep the filename and Source0 unchanged. +# +# Heads-up: this step is slow. libabigail-2.9 unpacks to ~990 MiB (the source +# tree is dominated by abidiff regression-test fixtures), so the single- +# threaded `xz -9e` pass below is on the order of minutes, not seconds. +# Reference timing on a 12th-gen Intel desktop (i9-12900K, 12 vCPUs): ~6-7 +# minutes wall time for the full tar+xz pipeline (xz dominates; tar itself +# is a few seconds). The download (~500 MiB) and extract/strip steps before +# this finish in well under a minute on the same hardware. Slower CPUs can +# easily push this past 10 minutes -- so if it looks hung, give it time. +MODIFIED_TARBALL="${WORKDIR}/${UPSTREAM_FILENAME}" +rm -f "${MODIFIED_TARBALL}" +LC_ALL=C tar \ + -C "${WORKDIR}" \ + --sort=name \ + --owner=0 --group=0 --numeric-owner \ + --mtime="${DETERMINISTIC_MTIME}" \ + --format=gnu \ + -cf - "${UPSTREAM_TOPDIR}" \ + | xz -9e -T1 -c > "${MODIFIED_TARBALL}" + +MODIFIED_SHA512="$(sha512sum "${MODIFIED_TARBALL}" | awk '{print $1}')" +echo "${MODIFIED_SHA512} ${UPSTREAM_FILENAME}" > "${MODIFIED_TARBALL}.sha512" + +echo +echo "================================================================" +echo "DONE" +echo " modified tarball: ${WORKDIR}/${UPSTREAM_FILENAME}" +echo " SHA512: ${MODIFIED_SHA512}" +echo "================================================================" +echo +echo " To upload the modified tarball to the lookaside:" +echo " az storage blob upload \\" +echo " --auth-mode login \\" +echo " --account-name azltempstaginglookaside \\" +echo " --container-name repo \\" +echo " --name \"pkgs_modified/${COMPONENT}/${UPSTREAM_FILENAME}/sha512/${MODIFIED_SHA512}/${UPSTREAM_FILENAME}\" \\" +echo " --file \"${WORKDIR}/${UPSTREAM_FILENAME}\"" diff --git a/base/comps/libabigail/tests-drop-PR30329-fixture-entries.patch b/base/comps/libabigail/tests-drop-PR30329-fixture-entries.patch new file mode 100644 index 00000000000..7ec922d4f4d --- /dev/null +++ b/base/comps/libabigail/tests-drop-PR30329-fixture-entries.patch @@ -0,0 +1,50 @@ +Drop test-abidiff-exit entries that reference the PR30329 fixture set + +The two `InOutSpec in_out_specs[]` entries referencing +`tests/data/test-abidiff-exit/PR30329/` are dropped here because the +AZL-repacked source tarball strips the PR30329 fixture directory +(`base/comps/libabigail/modify_source.sh`). The PR30329 fixture's two +separated-debuginfo files (`libsqlite3.so.0.8.6.debug`) trip the +anti-malware scanner on the AZL RPM-signing pipeline as +`packer_high_entropy:eod`. Without this patch `make check` would fail +trying to open the missing fixture files. + +--- a/tests/test-abidiff-exit.cc ++++ b/tests/test-abidiff-exit.cc +@@ -983,36 +983,6 @@ + "output/test-abidiff-exit/ada-subrange/test2-ada-subrange-redundant/test2-ada-subrange-redundant-report-2.txt" + }, + { +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "", +- "", +- "", +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/debug", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/debug", +- "", +- "", +- "--no-default-suppression", +- abigail::tools_utils::ABIDIFF_ABI_CHANGE, +- "data/test-abidiff-exit/PR30329/PR30329-report-1.txt", +- "output/test-abidiff-exit/PR30329/PR30329-report-1.txt" +- }, +- { +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "", +- "", +- "", +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/debug,data/test-abidiff-exit/PR30329/old-image/usr/lib/debug/dwz/components/sqlite.bst", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/debug,data/test-abidiff-exit/PR30329/old-image/usr/lib/debug/dwz/components/sqlite.bst", +- "", +- "", +- "--no-default-suppression", +- abigail::tools_utils::ABIDIFF_ABI_CHANGE, +- "data/test-abidiff-exit/PR30329/PR30329-report-1.txt", +- "output/test-abidiff-exit/PR30329/PR30329-report-1.txt" +- }, +- { + "data/test-abidiff-exit/PR30503/libsdl/1.2.60/lib64/libSDL-1.2.so.1.2.60", + "data/test-abidiff-exit/PR30503/libsdl/1.2.64/lib64/libSDL-1.2.so.1.2.64", + "", diff --git a/locks/libabigail.lock b/locks/libabigail.lock index c56040b2b5c..07d59cfe7a9 100644 --- a/locks/libabigail.lock +++ b/locks/libabigail.lock @@ -2,5 +2,5 @@ version = 1 import-commit = 'c90c403e2296469fc2120e6c36d876019dbccdb7' upstream-commit = 'c90c403e2296469fc2120e6c36d876019dbccdb7' -input-fingerprint = 'sha256:5072c84946e03de807482d8749bd233a5b3c48c3a0fe9515d16d992e09e31fec' +input-fingerprint = 'sha256:08c8fcd70b13bc7bd751b8254df5002a33fc13ed4c19691fbc0c951cd2c1d7bf' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/specs/l/libabigail/libabigail.spec b/specs/l/libabigail/libabigail.spec index c7d51554994..37fe3810483 100644 --- a/specs/l/libabigail/libabigail.spec +++ b/specs/l/libabigail/libabigail.spec @@ -9,7 +9,7 @@ Name: libabigail Version: 2.9 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Set of ABI analysis tools License: Apache-2.0 WITH LLVM-exception @@ -41,6 +41,7 @@ BuildRequires: python3-koji %endif BuildRequires: wget +Patch0: tests-drop-PR30329-fixture-entries.patch %description The libabigail package comprises seven command line utilities: abidiff, kmidiff, abipkgdiff, abicompat, abidw, and abilint. diff --git a/specs/l/libabigail/sources b/specs/l/libabigail/sources index ee4135f100d..55e55c25342 100644 --- a/specs/l/libabigail/sources +++ b/specs/l/libabigail/sources @@ -1 +1 @@ -SHA512 (libabigail-2.9.tar.xz) = 5bdf5ec49a5931a61bf28317b41eee583d6277d00ac621b2d2a97bbc0d816c3662bcfe13a5ac7aeee11c947afb69a5a0a9a8015fcebad09965b45af9b1e23606 +SHA512 (libabigail-2.9.tar.xz) = efa38b7de791d97910e292dc638537c98d920a68201110727bb5c2d6a6055b6da24beace05db5d540ef4349ce2b4f1592a6aceb4e4249e30a179a037bec2f5d4 diff --git a/specs/l/libabigail/tests-drop-PR30329-fixture-entries.patch b/specs/l/libabigail/tests-drop-PR30329-fixture-entries.patch new file mode 100644 index 00000000000..7ec922d4f4d --- /dev/null +++ b/specs/l/libabigail/tests-drop-PR30329-fixture-entries.patch @@ -0,0 +1,50 @@ +Drop test-abidiff-exit entries that reference the PR30329 fixture set + +The two `InOutSpec in_out_specs[]` entries referencing +`tests/data/test-abidiff-exit/PR30329/` are dropped here because the +AZL-repacked source tarball strips the PR30329 fixture directory +(`base/comps/libabigail/modify_source.sh`). The PR30329 fixture's two +separated-debuginfo files (`libsqlite3.so.0.8.6.debug`) trip the +anti-malware scanner on the AZL RPM-signing pipeline as +`packer_high_entropy:eod`. Without this patch `make check` would fail +trying to open the missing fixture files. + +--- a/tests/test-abidiff-exit.cc ++++ b/tests/test-abidiff-exit.cc +@@ -983,36 +983,6 @@ + "output/test-abidiff-exit/ada-subrange/test2-ada-subrange-redundant/test2-ada-subrange-redundant-report-2.txt" + }, + { +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "", +- "", +- "", +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/debug", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/debug", +- "", +- "", +- "--no-default-suppression", +- abigail::tools_utils::ABIDIFF_ABI_CHANGE, +- "data/test-abidiff-exit/PR30329/PR30329-report-1.txt", +- "output/test-abidiff-exit/PR30329/PR30329-report-1.txt" +- }, +- { +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6", +- "", +- "", +- "", +- "data/test-abidiff-exit/PR30329/old-image/usr/lib/debug,data/test-abidiff-exit/PR30329/old-image/usr/lib/debug/dwz/components/sqlite.bst", +- "data/test-abidiff-exit/PR30329/new-image/usr/lib/debug,data/test-abidiff-exit/PR30329/old-image/usr/lib/debug/dwz/components/sqlite.bst", +- "", +- "", +- "--no-default-suppression", +- abigail::tools_utils::ABIDIFF_ABI_CHANGE, +- "data/test-abidiff-exit/PR30329/PR30329-report-1.txt", +- "output/test-abidiff-exit/PR30329/PR30329-report-1.txt" +- }, +- { + "data/test-abidiff-exit/PR30503/libsdl/1.2.60/lib64/libSDL-1.2.so.1.2.60", + "data/test-abidiff-exit/PR30503/libsdl/1.2.64/lib64/libSDL-1.2.so.1.2.64", + "",