These are changes I needed to get gitian building to work with Debian
8.2, which is the version we tell to use.
- Set up NAT, so that container can access network beyond host
- Remove explicit cgroup setup - these are mounted automatically now
- gitian: Need `ca-certificates` and `python` for LXC builds
Github-Pull: #7060
Rebased-From: 99fda26de03b468a0e60
- Add new translations (finally, after a long time)
- update-translation script was not considering new translations - oops
- fixed this, also remove (nearly) empty translations
- Update translation process, it was still describing the old repository
structure
2cecb24 doc: change suite to trusty in gitian-building.md (Wladimir J. van der Laan)
957c0fd gitian: make windows build deterministic (Wladimir J. van der Laan)
2e31d74 gitian: use trusty for building (Wladimir J. van der Laan)
0b416c6 depends: qt PIDLIST_ABSOLUTE patch (Wladimir J. van der Laan)
9f251b7 devtools: add libraries for bitcoin-qt to symbol check (Wladimir J. van der Laan)
Perform the following ELF security checks:
- PIE: Check for position independent executable (PIE), allowing for address space randomization
- NX: Check that no sections are writable and executable (including the stack)
- RELRO: Check for read-only relocations, binding at startup
- Canary: Check for use of stack canary
Also add a check to symbol-check.py that checks that only the subset of
allowed libraries is imported (to avoid incompatibilities).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This message is to inform you that I, Paul Rabahy have rolled over GPG
keys.
My old key = EA695E0CE2D0DCB0D65167A8D1CBA2A21BCD88F6
My new key = D62A803E27E7F43486035ADBBCD04D8E9CCCAC2A
My new key now has an offline primary key with an online subkey that I
will be
using for normal communications.
I have signed this message with both the old and new key so it should show
up
as validly signed. Please add my new key to your keyring so that future
communication will be properly verified.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWB3/LAAoJENHLoqIbzYj2LBwQAMgH5u2KDuxK2gmpRjEpVXe8
XPOon+SRL5zXfu1dFInXCg8APJEVaXhSeY+/s0GmUq0INRpK4r0tvZVN84X2UoHz
y88P6BeHzQI7dsCStINhW4Hb7DVpFvkHAxsRhy05/geD56/IOXnsG+5SvsH3essJ
O6DuRQOipDWkZ9NQuQPrqzlkcBErMbL4Cs0ED5DOOYccntnt5HM909KDHfKcG8iJ
/qNTVzVFYMGbLn6MVq89reatmIOxuVBkbixsqad5M4P9rQ3iGPnUzIEp4wn7/Ssd
XDiCZypzlHkcs1GKBLtWnYWahlWHItcd/Yz3AiHLfUehcZb52p0mvIaTf4lyAR5p
kQFTXZwrrzJDaomSE2Y2IeMIATZE7/7RInkHD6okUTFSoCFgxOeAxLBI6sxLH5x5
xLIdv45iiv3P5fz1gungfzn2OYy+dHgT74bJ32N18hs+xwZM2G6AYYvVvkTSDqC0
c3AopnjEV4i+4Aq0QfDD9fXpBc0QuDN7c5GkcFCiFlhN+gffjT8hkFliiW3e2X5K
Vsycv1sYXFSS/YYZ7RCixWgTkpi18ABaLu/N1ses7hLNMxx9ovjrMIJ5gC6Nyga9
2BiumvNMh0iE9yhPiN0a4YsZZnW/tc5K1+OJxnKZvxWrXqOgIhnKZA1U1Y83COgA
6pI5uKrggGQWgQFJxTmciQEcBAEBCAAGBQJWB3/LAAoJEDJeXsBcJ6amLBwH/ib+
wiD3wDy+VeTDFvh4AgQqDRCk+CvGEKJlcoBLm3ZDwzi+/26XB/BCFoopW9h67ZmC
yMFhgvCJ3RwPcVGgZBOZ//88E2symcYRBSZJVwMN/n3McmEKBmmEH6/tTqhLeBal
2pynse7qgfZV7P/rSMcqFdhzMYq6Jt25obTl3IqTo939G1oOxRK8ORNT3Hs4/uiF
7xsx+nUBe/L6dvw2Rxr8bWm7WKi/LF7fKN/HZuBfK2qH0S4ctG49fiBw3DTV+erO
lYHdOMA9sjk90Le5sNBw75Hyr4WMLUkGFkh9SvDK1Xe3bUCfCpBTpcPnRUqnHL32
9GbqORFiaUGPRCnaWKQ=
=JR4m
-----END PGP SIGNATURE-----
Common sentiment is that the miniupnpc codebase likely contains further
vulnerabilities.
I'd prefer to get rid of the dependency completely, but a compromise for
now is to at least disable it by default.