This removes the following executables from the binary gitian release:
- test_bitcoin-qt[.exe]
- bench_bitcoin[.exe]
@jonasschnelli and me discussed this on IRC a few days ago - unlike the
normal `bitcoin_tests` which is useful to see if it is safe to run
bitcoin on a certain OS/environment combination, there is no good reason
to include these. Better to leave them out to reduce the download
size.
Sizes from the 0.12 release:
```
2.4M bitcoin-0.12.0/bin/bench_bitcoin.exe
22M bitcoin-0.12.0/bin/test_bitcoin-qt.exe
```
Github-Pull: #7776
Rebased-From: f063863d1f
- fix parsing of BIND_NOW with older readelf
- add _IO_stdin_used to ignored exports
For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109
- add check-symbols and check-security make targets
These are not added to the default checks because some of them depend on
release-build configs.
- always link librt for glibc back-compat builds
glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to
link in anyway for back-compat.
Fixes#7420
- add security/symbol checks to gitian
Github-Pull: #7424
Rebased-From: cd27bf51e0475813ba5bf3d3eaf78ea8ce872118a81c87fafc
These are changes I needed to get gitian building to work with Debian
8.2, which is the version we tell to use.
- Set up NAT, so that container can access network beyond host
- Remove explicit cgroup setup - these are mounted automatically now
- gitian: Need `ca-certificates` and `python` for LXC builds
Github-Pull: #7060
Rebased-From: 99fda26de03b468a0e60
Common sentiment is that the miniupnpc codebase likely contains further
vulnerabilities.
I'd prefer to get rid of the dependency completely, but a compromise for
now is to at least disable it by default.
Rather than fetching a signature.tar.gz from somewhere on the net, instruct
Gitian to use a signature from a tag in the bitcoin-detached-sigs repository
which corresponds to the tag of the release being built.
This changes detached-sig-apply.sh to take a dirname rather than a tarball as
an argument, though detached-sig-create.sh still outputs a tarball for
convenience.
For Gitian releases:
- Windows builds remain unchanged. libstdc++ was already linked statically.
- OSX builds remain unchanged. libstdc++ is tied to the SDK and not worth
messing with.
- Linux builds now statically link libstdc++.
For Travis:
- Match the previous behavior by adding --enable-reduce-exports as
necessary.
- Use static libstdc++ for the full Linux build.
Since permissions and timestamps are changed for the sake of determinism,
. must not be added to the archive. Otherwise, tar may try to modify pwd when
extracting.
Rebased-From: 0c6ab676ee
Github-Pull: #5790
Since permissions and timestamps are changed for the sake of determinism,
. must not be added to the archive. Otherwise, tar may try to modify pwd when
extracting.
Not necessary for windows or linux, as the intermedate build result
doesn't change.
However for OSX on 0.9 the builds for the intermediates are not
deterministic, so this cannot be assessed. Bump the dep version just in
case.
Descriptors now make use of the dependencies builder, so results are cached.
A very new version (>= e9741525c) of Gitian should be used in order to take
advantage of caching.
Make the instdate for lrelease etc deterministic. This should have been
part of 0.9.2. Luckily this doesn't affect the end product, it is just
a bit annoying.
Rebased-From: 386e732
Rebased-By: Wladimir J. van der Laan <laanwj@gmail.com>
Upgrade for https://www.openssl.org/news/secadv_20140605.txt
Just in case - there is no vulnerability that affects ecdsa signing or
verification.
The MITM attack vulnerability (CVE-2014-0224) may have some effect on
our usage of SSL/TLS.
As long as payment requests are signed (which is the common case), usage
of the payment protocol should also not be affected.
The TLS usage in RPC may be at risk for MITM attacks. If you have
`-rpcssl` enabled, be sure to update OpenSSL as soon as possible.
Rebased-By: Wladimir J. van der Laan <laanwj@gmail.com>
Rebased-From: 6e7c4d1
Upgrade for https://www.openssl.org/news/secadv_20140605.txt
Just in case - there is no vulnerability that affects ecdsa signing or
verification.
The MITM attack vulnerability (CVE-2014-0224) may have some effect on
our usage of SSL/TLS.
As long as payment requests are signed (which is the common case), usage
of the payment protocol should also not be affected.
The TLS usage in RPC may be at risk for MITM attacks. If you have
`-rpcssl` enabled, be sure to update OpenSSL as soon as possible.
A qt installation date snuck into the host utils (lrelease etc)
This doesn't affect the end product, so no dependency version bump.
It also doesn't explain why gavin's and mine build is different
This fixes the display on Retina Macbooks. It also moves us away from depending
on the ancient XCode3 sdk.
Conflicts:
doc/release-process.md
Rebased-By: Wladimir J. van der Laan <laanwj@gmail.com>
Rebased-From: 2869b13
If the `libqt4-dev` package is installed it picks the moc executable
from the system instead of our custom-built one. This results in
compatibility errors.
This commit convinces configure to pick the right one.
This avoids conflicts between the libraries statically linked into bitcoin and any
libraries we may link dynamically (such as Qt and OpenSSL, see issue #4094).
It also avoids start-up overhead to not export any unnecessary symbols.
To do this, build a linker script that marks all symbols as local.
Should make it possible to run the resulting GUI executable on
Linux distributions that use Qt 4.6, such as Debian Wheezy and Tails.
Builds a mini-SDK for building against Qt 4.6. This includes the headers
as well as host utilities such as `lrelease`, `qrc` and `moc`.
This speeds up the gitian build a bit - libqt4-dev pulled in a lot of packages,
and is no longer needed as this provides a replacement of our own.
Note: This does not replace the Qt build with at static library. After this
commit we still build dynamically against the system Qt library. The only
difference is that compatibility with an older version is maintained. This
loses minor GUI functionality (such as setPlaceholderText) but still
allows integration into the window management of the host OS, unlike
when statically linking.
Bumps deps-linux, deps-win dependency versions as well.
qt-win does not need to be bumped, as although it depends on deps-win,
Qt doesn't use miniupnp. I verified this by rebuilding the dependency
and checking the the output is the same. Not having to rebuild Qt is a
good thing as it is huge.
IIRC this was the case with 0.8.6, so let's keep this to avoid the risk
of losing connectable nodes with 0.9 release.
Also our miniupnpc library was recently updated and I've heard
reports that it works better than before now.
While building protobuf in different environments we noticed that
the host tool protoc was slightly different between builds (a symbol table
sorting issue).
Add a deterministic seed as well as disable zlib support.
Exected output is now:
e2e403e1a08869c7eed4d4293bce13d51ec6a63592918b90ae215a0eceb44cb4 protobuf-win32-2.5.0-gitian-r4.zip
a0999037e8b0ef9ade13efd88fee261ba401f5ca910068b7e0cd3262ba667db0 protobuf-win64-2.5.0-gitian-r4.zip
No effect on final executables so no version bump.
Boost iostreams was picking up libz-dev in VirtualBox, as the recommended
way to build is now to make a VM with all dependency packages installed.
This caused a divergence between KVM/LXC build and VirtualBox
build results.
Fix this in the simplest possible way: add the libz-dev package.
c13a13e gitian: add -D flag to ar for deterministic output for linux deps (Wladimir J. van der Laan)
1552145 gitian: Sort generated source distribution archive (Wladimir J. van der Laan)
aabcd11 gitian: Make linux boost dependency completely deterministic (Wladimir J. van der Laan)
aa93485 gitian: Make linux build of OpenSSL deterministic (Wladimir J. van der Laan)
ar -D: Operate in deterministic mode. When adding files and the archive
index use zero for UIDs, GIDs, timestamps, and use consistent file modes
for all files. When this option is used, if ar is used with identical
options and identical input files, multiple runs will create identical
output files regardless of the input files' owners, groups, file modes,
or modification times.
It appears that the output was different every time.
This doesn't affect the final bitcoind/bitcoin-qt, but is confusing
nevertheless.
Fix it by using FAKETIME and zipping files in deterministic order.
OpenSSL was embedding a timestamp causing its build to be
non-deterministic.
Change deps-linux to be deterministic by using FAKETIME
as needed and disabling it when it gets in the way.
- Add 'g++' package (virtualbox images don't have this by default)
- Workaround for determinism in Qt5 resources
- Pass --disable-maintainer-mode --disable-dependency-tracking to
configure for libqrencode to avoid random errors about missing m4
directory
- Fix typo -with-pic -> --with-pic
It is not necessary to rebuild dependencies after this commit.
Fixes#3610 and #3612.
1cbbeb6 gitian: Add openssl to linux deps (Wladimir J. van der Laan)
64be7f7 gitian: Build boost dependency for linux (Wladimir J. van der Laan)
7eb99a8 gitian: Reduce build time for boost windows dependency (Wladimir J. van der Laan)
714cdec build: Pass BOOST_CPPFLAGS to sleep implementation test (Wladimir J. van der Laan)
0d40f5a build: Allow providing extra libs for Boost Chrono (Wladimir J. van der Laan)
e4b991e build: Auto-detect whether -DBOOST_TEST_DYN_LINK is needed (Wladimir J. van der Laan)
Instead of using the boost provided by Ubuntu 12.04, build our own
dependency like we do for Windows.
This allows using a much newer version (1.55 versus 1.46) as well as
building with `-fPIC` so that `-pie` can be used in the x86-64 build.
Build only the mt-s (multithreaded, static runtime link)
variant of the library.
This cuts the build time in half.
Also prevent unpacked boost from ending up in output directory,
checking and hashing all the source files as output files this
takes a lot of time and is pointless.
0425715 gitian: add explicit dependency build for linux (Wladimir J. van der Laan)
279af1a build: use Ubuntu 12.04 for linux gitian build (Wladimir J. van der Laan)
In the win32 gitian descriptor the C*FLAGS are being overridden on
`configure`, which causes the built-in optimization flags to be removed.
Add `-O2` manually (but not `-g` as we're not doing anything with the
debug information).
Improves performance of win32 gitian builds.
As a bonus, fixes issue #3497.
Credit: sipa, cfields, Luke-Jr and michagogo contributed to this fix.
Removing wine as a win32 build dep is beneficial to fixing Gitian LXC,
which would enable many more people to join in the gitian.sigs process
by being able to build with a linux VM instead of a virt capable host.
The final revision of PR 3029 incorporated a review suggestion of replacing
i686-w64-mingw32 with $HOST. But we forgot that $HOST is not expanded when
within single quotes so it actually broke qt-win32.yml build. This is the
minimal changes necessary to fix the qt-win32.yml build.
Workaround 1.54.0 build bug, upstream #9156
Workaround 1.51.0+ human bug, upstream #7262
This commit also demonstrates a method to verify the integrity of inputs.
mingw upgrade allows more hardening, compiler bug fixes and possibily win64 later.
Rename deps .zip files to be more consistent in revision format.
Boost #4258 build fix for mingw32
- rename URL into URI in paymentserver where correct
- add some missing Qt-coding-stuff in paymentserver
- change QSpinBox to QLineEdit as base for BitcoinAmountField in .ui files
(as this is the result when converting the BAF back into base)
- remove some c_str() and replace with QString::fromStdString()
- remove several new-lines
- remove unneeded spaces
- indentation fixes
Add support for a Payment Protocol to Bitcoin-Qt.
Payment messages are protocol-buffer encoded and communicated over
http(s), so this adds a dependency on the Google protocol buffer
library, and requires Qt with OpenSSL support.
Two changes: make some linux-specific linker options linux and linker specific.
And in the cross-compile environment, prefer the $HOME/qt/bin tools to
whatever might be somewhere else in the path.
All client version information is moved to version.cpp, which optionally
(-DHAVE_BUILD_INFO) includes build.h. build.h is automatically generated
on supporting platforms via contrib/genbuild.sh, using git describe.
The git export-subst attribute is used to put the commit id statically
in version.cpp inside generated archives, and this value is used if no
build.h is present.
The gitian descriptors are modified to use git archive instead of a
copy, to create the src/ directory in the output. This way,
src/src/version.cpp will contain the static commit id. To prevent
gitian builds from getting the "-dirty" marker in their git-describe
generated identifiers, no touching of files or running sed on the
makefile is performed anymore. This does not seem to influence
determinism.
It could just as well be on either part of the gitian build, but to safely put it on the Qt side would require bumping the filename, and every gitian user rebuilding it.
v0.5.3.1 put it on the Bitcoin side, and this is easier to work with and keep safe, so I'm moving it.
Use `qmake MINGW_THREAD_BUGFIX=0` to disable