Commit Graph

136 Commits

Author SHA1 Message Date
Cory Fields
aa26ee0101
release: Add security/export checks to gitian and fix current failures
- fix parsing of BIND_NOW with older readelf
- add _IO_stdin_used to ignored exports

For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109

- add check-symbols and check-security make targets

These are not added to the default checks because some of them depend on
release-build configs.

- always link librt for glibc back-compat builds

glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to
link in anyway for back-compat.

Fixes #7420

- add security/symbol checks to gitian

Github-Pull: #7424
Rebased-From: cd27bf51e0 475813ba5b f3d3eaf78e a8ce872118 a81c87fafc
2016-01-27 11:33:33 +01:00
Wladimir J. van der Laan
5bb3e263e2
build: Make networking work inside LXC builder in gitian-building.md
These are changes I needed to get gitian building to work with Debian
8.2, which is the version we tell to use.

- Set up NAT, so that container can access network beyond host
- Remove explicit cgroup setup - these are mounted automatically now
- gitian: Need `ca-certificates` and `python` for LXC builds

Github-Pull: #7060
Rebased-From: 99fda26de0 3b468a0e60
2016-01-20 13:26:49 +01:00
Cory Fields
fbea2f64e2
release: remove libc6 dependency from the osx signing descriptor
It is unneeded after the last toolchain update, and missing from Trusty.

Github-Pull: #7342
Rebased-From: 3503a78670
2016-01-14 13:47:06 +01:00
MarcoFalke
f6c8c1242b
[gitian] Set reference date to something more recent
Github-Pull: #7251
Rebased-From: fa095622c2
2016-01-04 11:43:06 +01:00
MarcoFalke
fa22a10028 contrib: Del. gitian downloader config and update gitian README 2015-11-30 16:34:11 +01:00
Wladimir J. van der Laan
957c0fd7c0 gitian: make windows build deterministic 2015-11-19 13:01:35 +01:00
Wladimir J. van der Laan
2e31d74b71 gitian: use trusty for building 2015-11-16 16:39:24 +01:00
Wladimir J. van der Laan
21d27ebad5 net: Disable upnp by default
Common sentiment is that the miniupnpc codebase likely contains further
vulnerabilities.

I'd prefer to get rid of the dependency completely, but a compromise for
now is to at least disable it by default.
2015-10-09 21:09:44 +02:00
Cory Fields
a3ba9a553a gitian: make the windows signing process match OSX 2015-06-30 10:57:14 -04:00
Cory Fields
d08cfc2bd7 gitian: add a gitian-win-signer descriptor
This is exactly like the current OSX signing process.

osslsigncode has been patched to detach and re-attach Windows signatures.
The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature

There's a pull-request open upstream for the changes:
https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/

This work has been back-ported to the stable 1.7.1 release of osslsigncode, so
that a smaller patch can be reviewed.
2015-06-18 18:17:36 -04:00
Cory Fields
c110575a92 gitian: Use the new bitcoin-detached-sigs git repo for OSX signatures
Rather than fetching a signature.tar.gz from somewhere on the net, instruct
Gitian to use a signature from a tag in the bitcoin-detached-sigs repository
which corresponds to the tag of the release being built.

This changes detached-sig-apply.sh to take a dirname rather than a tarball as
an argument, though detached-sig-create.sh still outputs a tarball for
convenience.
2015-06-10 17:54:46 -04:00
Cory Fields
960e99404f gitian: Bump cache dir for current master
Do not backport.
2015-06-02 10:41:56 -04:00
Cory Fields
be656283f9 gitian: bump faketime to something more recent
This helps in file views where binaries are sorted by time
2015-06-02 10:39:34 -04:00
Jonas Schnelli
7cef321e65 [Mac only] rename Bitcoin-Qt.app to "Bitcoin Core.app" 2015-05-19 11:03:49 +02:00
Cory Fields
c95ac83e51 gitian: fix x86_64 build with static libstdc++ 2015-02-23 19:43:25 -05:00
Cory Fields
06715165f9 build: change reduce exports/static libstdc++ options for gitian and travis
For Gitian releases:
  - Windows builds remain unchanged. libstdc++ was already linked statically.
  - OSX builds remain unchanged. libstdc++ is tied to the SDK and not worth
    messing with.
  - Linux builds now statically link libstdc++.

For Travis:
  - Match the previous behavior by adding --enable-reduce-exports as
  necessary.
  - Use static libstdc++ for the full Linux build.
2015-02-23 18:22:58 -05:00
Cory Fields
0c6ab676ee gitian: don't add . to tar list
Since permissions and timestamps are changed for the sake of determinism,
. must not be added to the archive. Otherwise, tar may try to modify pwd when
extracting.
2015-02-13 03:08:08 -05:00
Cory Fields
f0172bf91e osx: bump build sdk to 10.9 2015-01-20 01:49:20 -05:00
Cory Fields
46f54bf796 build: osx builders no longer need 32bit compiler support 2015-01-02 15:09:43 -05:00
Cory Fields
0d50c2fd81 dmg: fix deterministic dmg creation and docs 2014-12-30 02:47:38 -05:00
Cory Fields
566c6cb8a2 gitian: attempt to fix tarball determinisim 2014-12-23 19:43:27 -05:00
Cory Fields
914868a05d build: add a deterministic dmg signer 2014-11-26 00:57:16 -05:00
Cory Fields
52bb7a7e1b gitian: update descriptors to use a sane uniform output 2014-11-25 18:49:02 -05:00
Cory Fields
246659aff1 gitian: make tarballs deterministic and nuke .la files from build output 2014-11-19 22:49:41 -05:00
Cory Fields
4bbbdf3244 gitian: quick docs update 2014-11-19 22:49:41 -05:00
Cory Fields
1aead42d41 gitian: descriptors overhaul
Descriptors now make use of the dependencies builder, so results are cached.
A very new version (>= e9741525c) of Gitian should be used in order to take
advantage of caching.
2014-11-19 22:49:41 -05:00
Luke Dashjr
ab72068565 Bugfix: Replace bashisms with standard sh in gitian descriptors 2014-10-03 23:45:26 +00:00
Cory Fields
a7ec027311 gitian: remove unneeded option after last commit 2014-07-22 09:21:09 -04:00
Cory Fields
b150b09edc secp256k1: add libtool as a dependency 2014-07-01 12:27:15 -04:00
Wladimir J. van der Laan
6e7c4d17d8 gitian: upgrade OpenSSL to 1.0.1h
Upgrade for https://www.openssl.org/news/secadv_20140605.txt

Just in case - there is no vulnerability that affects ecdsa signing or
verification.

The MITM attack vulnerability (CVE-2014-0224) may have some effect on
our usage of SSL/TLS.

As long as payment requests are signed (which is the common case), usage
of the payment protocol should also not be affected.

The TLS usage in RPC may be at risk for MITM attacks. If you have
`-rpcssl` enabled, be sure to update OpenSSL as soon as possible.
2014-06-05 17:24:38 +02:00
Wladimir J. van der Laan
386e732a5f gitian: make linux qt intermediate deterministic
A qt installation date snuck into the host utils (lrelease etc)
This doesn't affect the end product, so no dependency version bump.

It also doesn't explain why gavin's and mine build is different
2014-06-02 09:46:59 +02:00
Cory Fields
2869b1349b release: Bump the OSX SDK to 10.7 for gitian builds
This fixes the display on Retina Macbooks. It also moves us away from depending
on the ancient XCode3 sdk.
2014-05-24 11:47:08 -04:00
Cory Fields
1a97b22b9c
gitian: Add OSX build descriptors
Github-Pull: #4185
Rebased-By: Wladimir J. van der Laan
Rebased-From: bb5da27, 2288206, 7fe8fe6, f76db78, ebcf375, fa1ed7c, 397e9b8
2014-05-21 11:20:52 +02:00
Wladimir J. van der Laan
51cb8fe870
gitian: use right qt tools in linux build
If the `libqt4-dev` package is installed it picks the moc executable
from the system instead of our custom-built one. This results in
compatibility errors.

This commit convinces configure to pick the right one.
2014-05-02 15:15:45 +02:00
Wladimir J. van der Laan
92e3022f88 gitian: don't export any symbols from executable
This avoids conflicts between the libraries statically linked into bitcoin and any
libraries we may link dynamically (such as Qt and OpenSSL, see issue #4094).
It also avoids start-up overhead to not export any unnecessary symbols.
To do this, build a linker script that marks all symbols as local.
2014-04-30 15:30:39 +02:00
Wladimir J. van der Laan
3ab1664594 gitian: build against Qt 4.6
Should make it possible to run the resulting GUI executable on
Linux distributions that use Qt 4.6, such as Debian Wheezy and Tails.

Builds a mini-SDK for building against Qt 4.6. This includes the headers
as well as host utilities such as `lrelease`, `qrc` and `moc`.

This speeds up the gitian build a bit - libqt4-dev pulled in a lot of packages,
and is no longer needed as this provides a replacement of our own.

Note: This does not replace the Qt build with at static library. After this
commit we still build dynamically against the system Qt library. The only
difference is that compatibility with an older version is maintained. This
loses minor GUI functionality (such as setPlaceholderText) but still
allows integration into the window management of the host OS, unlike
when statically linking.
2014-04-30 15:30:39 +02:00
Warren Togami
49a3352c1c gitian-linux: --enable-glibc-back-compat 2014-04-10 22:28:26 -04:00
Wladimir J. van der Laan
25d4911e86 gitian: upgrade miniupnpc input to 1.9
Bumps deps-linux, deps-win dependency versions as well.

qt-win does not need to be bumped, as although it depends on deps-win,
Qt doesn't use miniupnp. I verified this by rebuilding the dependency
and checking the the output is the same. Not having to rebuild Qt is a
good thing as it is huge.
2014-04-09 14:24:17 +02:00
Wladimir J. van der Laan
178825dec3
gitian: Version bump for Qt dependency
Bump Qt dependency version after OpenSSL update.
Very important. Thanks @michagogo for noting.
2014-04-08 11:51:59 +02:00
Wladimir J. van der Laan
fa2b42533a
Merge pull request #4023
4a811b0 gitian: upgrade openssl to 1.0.1g for both win and linux (Wladimir J. van der Laan)
2014-04-08 10:56:01 +02:00
Wladimir J. van der Laan
4a811b0053
gitian: upgrade openssl to 1.0.1g for both win and linux
OpenSSL 1.0.1g fixes CVE-2014-0160.

Also bump dependency versions.
2014-04-08 08:40:02 +02:00
Wladimir J. van der Laan
ddcd1afc5f gitian: add statically built variant of bitcoind/bitcoin-cli 2014-03-26 09:48:22 +01:00
Wladimir J. van der Laan
c337e2e905 Update gitian README.md 2014-03-21 13:31:22 +01:00
Wladimir J. van der Laan
93c3e21e92 Re-enable UPnP by default in gitian builds
IIRC this was the case with 0.8.6, so let's keep this to avoid the risk
of losing connectable nodes with 0.9 release.

Also our miniupnpc library was recently updated and I've heard
reports that it works better than before now.
2014-02-27 15:44:00 +01:00
Wladimir J. van der Laan
31b3d94ef5 gitian: Make protobuf win32 intermediate output deterministic
While building protobuf in different environments we noticed that
the host tool protoc was slightly different between builds (a symbol table
sorting issue).
Add a deterministic seed as well as disable zlib support.

Exected output is now:

    e2e403e1a08869c7eed4d4293bce13d51ec6a63592918b90ae215a0eceb44cb4 protobuf-win32-2.5.0-gitian-r4.zip
    a0999037e8b0ef9ade13efd88fee261ba401f5ca910068b7e0cd3262ba667db0 protobuf-win64-2.5.0-gitian-r4.zip

No effect on final executables so no version bump.
2014-02-25 07:58:11 +01:00
Wladimir J. van der Laan
6c0276ae69 gitian: add libz-dev dependency package for linux boost
Boost iostreams was picking up libz-dev in VirtualBox, as the recommended
way to build is now to make a VM with all dependency packages installed.

This caused a divergence between KVM/LXC build and VirtualBox
build results.

Fix this in the simplest possible way: add the libz-dev package.
2014-02-22 08:18:07 +01:00
Wladimir J. van der Laan
d5fa3eff03
Merge pull request #3622
c13a13e gitian: add -D flag to ar for deterministic output for linux deps (Wladimir J. van der Laan)
1552145 gitian: Sort generated source distribution archive (Wladimir J. van der Laan)
aabcd11 gitian: Make linux boost dependency completely deterministic (Wladimir J. van der Laan)
aa93485 gitian: Make linux build of OpenSSL deterministic (Wladimir J. van der Laan)
2014-02-10 18:35:04 +01:00
Wladimir J. van der Laan
4ce9106ff8 gitian: sort generated source distribution archive for windows
Make the bitcoin-X.X.X.tar.gz deterministic.
2014-02-10 17:07:36 +01:00
Wladimir J. van der Laan
6b55e6b97d gitian: Post-process .a libraries for win to be deterministic 2014-02-10 17:07:35 +01:00
Wladimir J. van der Laan
c13a13efec gitian: add -D flag to ar for deterministic output for linux deps
ar -D: Operate in deterministic mode. When adding files and the archive
index use zero for UIDs, GIDs, timestamps, and use consistent file modes
for all files.  When this option is used, if ar is used with identical
options and identical input files, multiple runs will create identical
output files regardless of the input files' owners, groups, file modes,
or modification times.
2014-02-10 16:20:13 +01:00