Merge pull request #4135 from PawelWMS/pawelwi/october_release_merge

Full October release merge, Mariner 2.0

Author: PawelWMS

.github/pull_request_template.md

@@ -12,7 +12,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
 - [ ] Packages depending on static components modified in this PR (Golang, `*-static` subpackages, etc.) have had their `Release` tag incremented.
 - [ ] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
 - [ ] All package sources are available
-- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
+- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
 - [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/data/licenses.json`, `./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`)
 - [ ] All source files have up-to-date hashes in the `*.signatures.json` files
 - [ ] `sudo make go-tidy-all` and `sudo make go-test-coverage` pass

.github/workflows/check-clean-stage.yml

@@ -20,13 +20,13 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
         run: |
           git fetch origin ${{ github.base_ref }}
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV 
+          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
         run: |
           git fetch origin ${{ github.event.before }}
-          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV 
+          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
 
       - name: Check the modified spec files
         run: |

.github/workflows/check-package-cgmanifest.yml

@@ -20,14 +20,14 @@ jobs:
       if: ${{ github.event_name == 'pull_request' }}
       run: |
         git fetch origin ${{ github.base_ref }}
-        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV 
+        echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
         echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
 
     - name: Get base commit for Pushes
       if: ${{ github.event_name == 'push' }}
       run: |
         git fetch origin ${{ github.event.before }}
-        echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV 
+        echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
         echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
 
     - name: Get the changed files
@@ -39,4 +39,4 @@ jobs:
 
     - name: Check each spec
       run: |
-        .github/workflows/validate-cg-manifest.sh ${{ env.updated-specs }}
+        .github/workflows/validate-cg-manifest.sh ${{ env.updated-specs }}

.github/workflows/check-spec.yml

@@ -29,14 +29,14 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
         run: |
           git fetch origin ${{ github.base_ref }}
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV 
+          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
           echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
         run: |
           git fetch origin ${{ github.event.before }}
-          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV 
+          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
           echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
 
       - name: Get the changed files
@@ -46,12 +46,12 @@ jobs:
           echo "Files to validate: '${changed_specs}'"
           echo "updated-specs=$(echo ${changed_specs})" >> $GITHUB_ENV
 
-      - name: Main branch checkout 
+      - name: Main branch checkout
         uses: actions/checkout@v2
         with:
           ref: 'main'
           path: 'main-checkout'
-      
+
       - name: Verify .spec files
         if: ${{ env.updated-specs != '' }}
         run: python3 toolkit/scripts/check_spec_guidelines.py ${{ env.updated-specs }}

.github/workflows/check-static-glibc.yml

@@ -0,0 +1,29 @@
+name: Static glibc version check
+
+on:
+  push:
+    branches: [main, dev, 1.0*, 2.0*]
+  pull_request:
+    branches: [main, dev, 1.0*, 2.0*]
+
+jobs:
+  spec-check:
+    name: Static glibc version check
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout the branch of our repo that triggered this action
+      - name: Workflow trigger checkout
+        uses: actions/checkout@v2
+
+      # For consistency, we use the same major/minor version of Python that CBL-Mariner ships
+      - name: Setup Python 3.9
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+
+      - name: Get Python dependencies
+        run: python3 -m pip install python-rpm-spec
+
+      - name: Verify .spec files
+        run: python3 toolkit/scripts/check_static_glibc.py SPECS/**/*.spec SPECS-EXTENDED/**/*.spec SPECS-SIGNED/**/*.spec

.github/workflows/go-test-coverage.yml

@@ -54,12 +54,12 @@ jobs:
           sudo make go-test-coverage | grep "no test files"
           echo Missing $noTestCount Go Tests!
         fi
-    
+
     - name: Evaluate test coverage
       run: |
         pushd toolkit
         sudo make go-test-coverage
-    
+
     - name: Upload test coverage
       uses: actions/[email protected]
       with:

.github/workflows/lint-specs.yml

@@ -24,14 +24,14 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
         run: |
           git fetch origin ${{ github.base_ref }}
-          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV 
+          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
           echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
 
       - name: Get base commit for Pushes
         if: ${{ github.event_name == 'push' }}
         run: |
           git fetch origin ${{ github.event.before }}
-          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV 
+          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
           echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
 
       - name: Get the changed files
@@ -41,7 +41,7 @@ jobs:
           echo "Files to validate: '${changed_specs}'"
           echo "updated-specs=$(echo ${changed_specs})" >> $GITHUB_ENV
 
-      - name: Main branch checkout 
+      - name: Main branch checkout
         uses: actions/checkout@v2
         with:
           ref: 'main'
@@ -61,7 +61,7 @@ jobs:
         uses: actions/setup-python@v2
         with:
           python-version: 3.7
-        
+
       # We take our version of the linting tool from the master branch to ensure rules
       # are consistent across all branches
       - name: Patch spec-cleaner with Mariner-specific lints
@@ -74,7 +74,7 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -e ./spec-cleaner
-      
+
       # Set continue-on-error to true if we're blocking too many PRs here
       # We don't want this tool to have a low signal-to-noise ratio
       - name: Lint changed spec files

.github/workflows/validate-cg-manifest.sh

@@ -50,16 +50,9 @@ ignore_no_source_tarball=" \
   qt5-rpm-macros \
   verity-read-only-root \
   web-assets \
+  sgx-backwards-compatability \
   "
 
-# Specs for signed packages. Their unsigned versions should already be included in the manifest.
-ignore_signed_package=" \
-  grub2-efi-binary-signed-aarch64 \
-  grub2-efi-binary-signed-x86_64 \
-  kernel-signed-aarch64 \
-  kernel-signed-x86_64 \
-  shim"
-
 # Specs where cgmanifest validation has known issues checking URLs.
 ignore_known_issues=" \
   virglrenderer"
@@ -90,6 +83,13 @@ do
   spec="$WORK_DIR/$(basename "$original_spec")"
   cp "$original_spec" "$spec"
 
+  # Skipping specs for signed packages. Their unsigned versions should already be included in the manifest.
+  if echo "$original_spec" | grep -q "SPECS-SIGNED"
+  then
+    echo "    $spec is being ignored (reason: signed package), skipping"
+    continue
+  fi
+
   # Pre-processing alternate sources (commented-out "Source" lines with full URLs), if present. Currently we only care about the first source.
   # First, we replace "%%" with "%" in the alternate source's line.
   sed -Ei "/^#\s*Source0?:.*%%.*/s/%%/%/g" "$spec"
@@ -108,9 +108,9 @@ do
   fi
 
   # Skipping specs from the ignore lists.
-  if echo "$ignore_multiple_sources $ignore_signed_package $ignore_no_source_tarball $ignore_known_issues" | grep -P "(^|\s)$name($|\s)" > /dev/null
+  if echo "$ignore_multiple_sources $ignore_no_source_tarball $ignore_known_issues" | grep -qP "(^|\s)$name($|\s)"
   then
-    echo "    $name is being ignored, skipping"
+    echo "    $name is being ignored (reason: explicitly ignored package), skipping"
     continue
   fi
 
@@ -154,7 +154,7 @@ do
       # Parsing output instead of using error codes because 'wget' returns code 8 for FTP, even if the file exists.
       # Sample HTTP(S) output:  Remote file exists.
       # Sample FTP output:      File ‘time-1.9.tar.gz’ exists.
-      if ! wget --spider --timeout=1 --tries=10 "${manifesturl}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists\.$"
+      if ! wget --spider --timeout=2 --tries=10 "${manifesturl}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists.*"
       then
         echo "Registration for $name:$version has invalid URL '$manifesturl' (could not download)"  >> bad_registrations.txt
       fi

README.md

@@ -39,7 +39,7 @@ Any Linux distribution, including CBL-Mariner, benefits from contributions by th
 
 1) The [Photon OS Project](https://vmware.github.io/photon/) for SPEC files originating from the Photon distribution.   
 
-2) [The Fedora Project](https://start.fedoraproject.org/) for SPEC files, particularly with respect to QT, DNF and several of their dependencies. 
+2) [The Fedora Project](https://start.fedoraproject.org/) for SPEC files, particularly with respect to Qt, DNF and content in the SPECS-EXTENDED folder. 
 
 3) [GNU](https://www.gnu.org/) and the [Free Software Foundation](https://www.fsf.org/)
 

SPECS-EXTENDED/buildah/buildah.spec

@@ -31,7 +31,7 @@ Distribution:   Mariner
 
 Name: %{repo}
 Version: 1.18.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
@@ -40,7 +40,7 @@ BuildRequires: device-mapper-devel
 BuildRequires: golang
 BuildRequires: git
 BuildRequires: glib2-devel
-BuildRequires: glibc-static
+BuildRequires: glibc-static >= 2.35-3%{?dist}
 BuildRequires: go-md2man
 BuildRequires: go-rpm-macros
 BuildRequires: gpgme-devel
@@ -146,6 +146,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 
 %changelog
+* Tue Sep 13 2022 Andy Caldwell <[email protected]> - 1.18.0-5
+- Rebuilt for glibc-static 2.35-3
+
 * Mon Aug 22 2022 Olivia Crain <[email protected]> - 1.18.0-4
 - Bump release to rebuild against Go 1.18.5