guix: Test security-check sanity before performing them (with macOS) #22381

pull fanquake wants to merge 8 commits into bitcoin:master from fanquake:20980_macOS_fixups changing 12 files +262 −51
  1. fanquake commented at 1:01 pm on July 1, 2021: member

    This is #20980 rebased (to include the Boost Process fix), and with an additional commit (892d6897f1e613084aa0517a660eab2412308e6e) to fix running the test-security-check target for the macOS build. It should pass inside Guix, as well as when cross-compiling on Ubuntu, or building natively on macOS.

    Note that the test-security-check may output some warnings (similar too):

    0ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
    1ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
    2ld: warning: passed two min versions (10.14, 10.14) for platform macOS. Using 10.14.
    

    but those can be ignored, and come about due to us passing -platform_version when -mmacosx-version-min is already part of CC.

    Guix builds:

     071ed0c7a13a4726300779ffc87f7d271086a2744c36896fe6dc51fe3dc33df2e  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/SHA256SUMS.part
     19273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
     29c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
     31ceddecac113f50a952ba6a201cdcdb722e3dc804e663f219bfac8268ce42bf0  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/SHA256SUMS.part
     4759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
     534e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
     6e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  guix-build-5b4703c6a70d/output/dist-archive/SKIPATTEST.TAG
     73664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  guix-build-5b4703c6a70d/output/dist-archive/bitcoin-5b4703c6a70d.tar.gz
     8d6bc35ba0750c1440bb32831b8c12cddee62f6dce10fec2650897444c2bf4748  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/SHA256SUMS.part
     9a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
    107cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
    1193b4cb7b83c4975120ad5de5a92f050f5760a2a3f2c37c204c647f5a581c924a  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/SHA256SUMS.part
    122266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
    1385f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
    141499ca9119926083d8c3714ca10d8d4c8d864cbeee8848fd8445b7a1d081222d  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/SHA256SUMS.part
    151995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
    16266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
    17cdc3a0dcf80b110443dac5ddf8bc951001a776a651c898c5ea49bb2d487bfe29  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/SHA256SUMS.part
    188538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
    19d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
    205ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
    218c6d7b3f847faa7b4d16ceecf228f26f146ea982615c1d7a00c57f9230a0c484  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/SHA256SUMS.part
    22d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
    23d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
    2465caaa7f648c7eab1eb82c3331a2ca25b8cd4fe41439de55604501e02571de55  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/SHA256SUMS.part
    255bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
    267aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
    272f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
    281c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
    
  2. fanquake added the label Build system on Jul 1, 2021
  3. fanquake added the label Needs Guix build on Jul 1, 2021
  4. fanquake added this to the milestone 22.0 on Jul 1, 2021
  5. MarcoFalke commented at 6:16 pm on July 1, 2021: member

    From ci:

     0Ran 1 test in 1.002s
     1OK
     2F
     3======================================================================
     4FAIL: test_ELF (__main__.TestSymbolChecks)
     5----------------------------------------------------------------------
     6Traceback (most recent call last):
     7  File "./contrib/devtools/test-symbol-check.py", line 82, in test_ELF
     8    self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
     9AssertionError: Tuples differ: (1, 'test3: symbol pow from unsupported ve[45 chars]OLS') != (0, '')
    10First differing element 0:
    111
    120
    13+ (0, '')
    14- (1,
    15-  'test3: symbol pow from unsupported version GLIBC_2.29\n'
    16-  'test3: failed IMPORTED_SYMBOLS')
    17----------------------------------------------------------------------
    18Ran 1 test in 0.490s
    19FAILED (failures=1)
    20make: *** [Makefile:1448: test-security-check] Error 1
    
  6. DrahtBot removed the label Needs Guix build on Jul 1, 2021
  7. DrahtBot commented at 1:46 am on July 2, 2021: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    No conflicts as of last run.

  8. MarcoFalke deleted a comment on Jul 2, 2021
  9. MarcoFalke added the label Needs Guix build on Jul 6, 2021
  10. fanquake force-pushed on Jul 7, 2021
  11. fanquake marked this as a draft on Jul 7, 2021
  12. lint: Run mypy with --show-error-codes
    When using mypy ignore directives, the error code needs to be specified.
    Somehow mypy doesn't print it by default...
    d6ef3543ae
  13. ci: skip running the Linux test-security-check target for now
    The CI environment is a moving target, and these tests are somewhat
    fragile, so for now, disable them.
    bda62eab38
  14. devtools: Improve *-check.py tool detection
    This is important to make sure that we're not testing tools different
    from the one we're building with.
    
    Introduce determine_wellknown_cmd, which encapsulates how we
    should handle well-known tools specification (IFS splitting, env
    override, etc.).
    9fdc8afe11
  15. guix: Patch binutils to add security-related disable flags
    We use these flags in our test-security-check make target, but they are
    only available because debian patches them in.
    
    We can patch them in for our Guix builds so that we can check the sanity
    of our security/symbol checking suite before running them.
    678348db51
  16. build: Use and test PE binutils with --reloc-section
    Also fix test-security-check.py to account for new PE PIE failure
    indication.
    a8127b34bc
  17. scripts: more robustly test macOS symbol checks 1946b5f77c
  18. scripts: adjust test-symbol-check for guix release environment
    Now that our release binaries are build in a glibc 2.24 and 2.27
    environment, we can't use a symbol from glibc 2.28 to test our checks.
    Replace renameat2() with nextup(), which was introduced in 2.24.
    
    Note that this also means re-disabling the test for RISC-V, however
    RISC-V is built in a glibc 2.27 environment, and our minimum required
    glibc for that binary is 2.27.
    6cf3345297
  19. guix: Test security-check sanity before performing them 5b4703c6a7
  20. fanquake force-pushed on Jul 7, 2021
  21. fanquake commented at 12:42 pm on July 7, 2021: member
    I’ve made a few changes here, including rebasing now that #22405 has been merged, fixing up the ELF test-symbol-check test to account for it being run in the new glibc environments, and re-ordered some commits. Note that I’ve also removed the test-security(symbol)-check target from being run for Linux in the CI, mainly due to these tests being somewhat fragile. We can look at running them again when the security and symbol checks have been split up. I also have one bugfix for the symbol-check tests, that I’ll PR shortly.
  22. fanquake marked this as ready for review on Jul 7, 2021
  23. fanquake removed the label Needs Guix build on Jul 7, 2021
  24. fanquake added the label Needs Guix build on Jul 7, 2021
  25. hebasto commented at 4:50 pm on July 7, 2021: member

    Guix builds:

     0$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     171ed0c7a13a4726300779ffc87f7d271086a2744c36896fe6dc51fe3dc33df2e  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/SHA256SUMS.part
     29273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
     39c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
     41ceddecac113f50a952ba6a201cdcdb722e3dc804e663f219bfac8268ce42bf0  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/SHA256SUMS.part
     5759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
     634e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
     7e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  guix-build-5b4703c6a70d/output/dist-archive/SKIPATTEST.TAG
     83664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  guix-build-5b4703c6a70d/output/dist-archive/bitcoin-5b4703c6a70d.tar.gz
     9d6bc35ba0750c1440bb32831b8c12cddee62f6dce10fec2650897444c2bf4748  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/SHA256SUMS.part
    10a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
    117cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
    1293b4cb7b83c4975120ad5de5a92f050f5760a2a3f2c37c204c647f5a581c924a  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/SHA256SUMS.part
    132266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
    1485f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
    151499ca9119926083d8c3714ca10d8d4c8d864cbeee8848fd8445b7a1d081222d  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/SHA256SUMS.part
    161995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
    17266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
    18cdc3a0dcf80b110443dac5ddf8bc951001a776a651c898c5ea49bb2d487bfe29  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/SHA256SUMS.part
    198538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
    20d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
    215ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
    228c6d7b3f847faa7b4d16ceecf228f26f146ea982615c1d7a00c57f9230a0c484  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/SHA256SUMS.part
    23d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
    24d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
    2565caaa7f648c7eab1eb82c3331a2ca25b8cd4fe41439de55604501e02571de55  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/SHA256SUMS.part
    265bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
    277aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
    282f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
    291c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
    
  26. hebasto commented at 4:51 pm on July 7, 2021: member
    Approach ACK 5b4703c6a70db2fa72fcace56a15db07d4b0acf1.
  27. dongcarl commented at 8:45 pm on July 7, 2021: member
    Concept ACK! 😄
  28. achow101 commented at 4:09 am on July 8, 2021: member
     0$ cat noncodesigned.SHA256SUMS 
     19273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
     29c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
     3759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
     434e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
     53664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  dist-archive/bitcoin-5b4703c6a70d.tar.gz
     6a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
     77cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
     82266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
     985f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
    101995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
    11266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
    128538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
    13d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
    145ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
    15d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
    16d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
    175bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
    187aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
    192f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
    201c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
    
  29. dongcarl commented at 6:06 pm on July 8, 2021: member

    I seem to be getting matching results!

     09273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
     19c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
     2759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
     334e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
     43664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  dist-archive/bitcoin-5b4703c6a70d.tar.gz
     5a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
     67cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
     72266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
     885f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
     91995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
    10266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
    118538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
    12d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
    135ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
    14d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
    15d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
    165bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
    177aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
    182f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
    191c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
    
  30. in configure.ac:903 in 5b4703c6a7
    899@@ -900,6 +900,7 @@ if test x$use_hardening != xno; then
    900     ])
    901   fi
    902 
    903+  AX_CHECK_LINK_FLAG([[-Wl,--enable-reloc-section]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--enable-reloc-section"],, [[$LDFLAG_WERROR]])
    


    fanquake commented at 2:11 am on July 9, 2021:

    From #20980 (review)

    I think testing for this, and adding to our hardened ldflags when available is fine. It’s enabled by default, however we like to be explicit. It’s also available with the binutils (2.34) we are using for gitian builds.

    Note that some of these flags also imply each other: –high-entropy-va implies –dynamic-base & –enable-reloc-section –dynamic-base implies –enable-reloc-section

  31. in contrib/guix/patches/binutils-mingw-w64-disable-flags.patch:5 in 5b4703c6a7
    0@@ -0,0 +1,171 @@
    1+Description: Add disable opposites to the security-related flags
    2+Author: Stephen Kitt <skitt@debian.org>
    3+
    4+This patch adds "no-" variants to disable the various security flags:
    5+"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
    


    fanquake commented at 2:11 am on July 9, 2021:
  32. in contrib/devtools/test-security-check.py:62 in 5b4703c6a7
    67-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
    68-            (1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
    69-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
    70-            (1, executable+': failed RELOC_SECTION'))
    71-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
    72+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
    


    fanquake commented at 2:12 am on July 9, 2021:

    From #20980 (review)

    At this stage we have already given in to not being able to run the test security check target for windows in gitian due to lack of –no options in ld, so adding –disable here to test –enable-reloc-section isn’t making anything worse. If anything this speaks to the usefulness of Guix, given how easy it is to patch these –no/–disable flags back into our toolchain. It would be much more difficult trying to achieve the same using gitian.

  33. fanquake commented at 2:17 am on July 9, 2021: member
    I’m going to go-ahead and merge this now. For additional context, I’ve also copied over some of the comments I left when reviewing #20980, that highlight the benefits of using Guix. The changes we’re making here to patch our mingw-w64 toolchain and run additional security / sanity checks would be much harder / awkward to achieve inside gitian.
  34. fanquake merged this on Jul 9, 2021
  35. fanquake closed this on Jul 9, 2021

  36. Emzy commented at 9:58 am on July 9, 2021: contributor

    Guix builds:

     0$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
     171ed0c7a13a4726300779ffc87f7d271086a2744c36896fe6dc51fe3dc33df2e  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/SHA256SUMS.part
     29273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
     39c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
     41ceddecac113f50a952ba6a201cdcdb722e3dc804e663f219bfac8268ce42bf0  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/SHA256SUMS.part
     5759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
     634e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
     7e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  guix-build-5b4703c6a70d/output/dist-archive/SKIPATTEST.TAG
     83664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  guix-build-5b4703c6a70d/output/dist-archive/bitcoin-5b4703c6a70d.tar.gz
     9d6bc35ba0750c1440bb32831b8c12cddee62f6dce10fec2650897444c2bf4748  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/SHA256SUMS.part
    10a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
    117cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
    1293b4cb7b83c4975120ad5de5a92f050f5760a2a3f2c37c204c647f5a581c924a  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/SHA256SUMS.part
    132266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
    1485f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
    151499ca9119926083d8c3714ca10d8d4c8d864cbeee8848fd8445b7a1d081222d  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/SHA256SUMS.part
    161995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
    17266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
    18cdc3a0dcf80b110443dac5ddf8bc951001a776a651c898c5ea49bb2d487bfe29  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/SHA256SUMS.part
    198538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
    20d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
    215ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
    228c6d7b3f847faa7b4d16ceecf228f26f146ea982615c1d7a00c57f9230a0c484  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/SHA256SUMS.part
    23d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
    24d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
    2565caaa7f648c7eab1eb82c3331a2ca25b8cd4fe41439de55604501e02571de55  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/SHA256SUMS.part
    265bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
    277aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
    282f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
    291c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
    
  37. DrahtBot commented at 8:23 am on July 10, 2021: member

    Guix builds

    File commit 4129134e844f78a89f8515cf30dad4b6074703c7(master) commit 53ff4d396e2253d1a45c2a9ffa981e4d6afbc94c(master and this pull)
    SHA256SUMS.part c5cf1c6985c1c430... 82bcd13e2b9964b0...
    SKIPATTEST.TAG e3b0c44298fc1c14... e3b0c44298fc1c14...
    *-aarch64-linux-gnu-debug.tar.gz d564c8ce3c2132bb... 55b839bd2aed337b...
    *-aarch64-linux-gnu.tar.gz 8c2cc0b1046d6518... b7450b6181d1c1d5...
    *-arm-linux-gnueabihf-debug.tar.gz 9b2d147ec30ecd15... ab5f00e9fe58fcdc...
    *-arm-linux-gnueabihf.tar.gz bd8da7121fdf38b2... cb14fdf57aa2e0ef...
    *-osx-unsigned.dmg 4dd21a03916bd42e... a6f020ef8ef822c1...
    *-osx-unsigned.tar.gz ff3602163bce9934... 53dadaff1d4c09b7...
    *-osx64.tar.gz 50b1b0f6f8b8eb16... 2f3267e2c3429a30...
    *-powerpc64-linux-gnu-debug.tar.gz aad00c9521d46187... d69dcb6c362e8b12...
    *-powerpc64-linux-gnu.tar.gz 1a326af20ced546f... 488a50541ec3a01f...
    *-powerpc64le-linux-gnu-debug.tar.gz 237b9ee0ddb60e47... 7cf5cf06d3a3e4af...
    *-powerpc64le-linux-gnu.tar.gz 98de1dec19a8b6f9... 6934a86af432f553...
    *-riscv64-linux-gnu-debug.tar.gz 6e0e781bbd611ad7... a8cd716e97ea72c2...
    *-riscv64-linux-gnu.tar.gz 96cff3df87b6f625... b2fa6bc22f08c1ad...
    *-win-unsigned.tar.gz 59721ac4abcebb51... 4d9ee9516edb5b25...
    *-win64-debug.zip d6f919dd523c407d... 0e62ba4f79db6d38...
    *-win64-setup-unsigned.exe 96dc1c8f917b086c... 8e418e209b836d12...
    *-win64.zip e0e5925b0a898b9c... b132e945b467d11e...
    *-x86_64-linux-gnu-debug.tar.gz 3912bb99acf83778... d5977a757a7eb434...
    *-x86_64-linux-gnu.tar.gz eb0edfa33b57ecb7... a905ef1d17e48190...
    *.tar.gz 5b1ee87a8833130e... 1a07c24236de4cf3...
    guix_build.log cc1551ca0837126d... d6734368b63662da...
    guix_build.log.diff ca7b8968b018d47c...
  38. DrahtBot removed the label Needs Guix build on Jul 10, 2021
  39. sidhujag referenced this in commit 976ede38a7 on Jul 10, 2021
  40. fanquake deleted the branch on Jul 14, 2021
  41. laanwj referenced this in commit 90499358e9 on Aug 18, 2021
  42. sidhujag referenced this in commit 0084d93604 on Aug 20, 2021
  43. gwillen referenced this in commit 915d06019a on Jun 1, 2022
  44. DrahtBot locked this on Aug 18, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-17 21:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me