From: "'Felix Moessbauer' via isar-users"
To: isar-users@googlegroups.com
Cc: Felix Moessbauer, cedric.hombourger@siemens.com, alexander.heinisch@siemens.com, jan.kiszka@siemens.com
Subject: [PATCH 1/1] snapshots: add option to use separate timestamp for security component
Date: Fri, 6 Dec 2024 14:17:02 +0100
Message-Id: <20241206131702.60476-1-felix.moessbauer@siemens.com>

Before releasing a product all available security fixes should be included. However, you might not want to get other proposed updates. With the previous snapshot logic it was not possible to model this, as a single timestamp is used for all apt source-list entries.
We change that by adding a "security" flag to snapshot date variables. By that, dedicated control over the security distribution is possible. For now, we only add this logic for debian distributions (not ubuntu), as only there we have a dedicated security distribution.

Signed-off-by: Felix Moessbauer
---
For details about the used terms (e.g. "security distribution") please refer to https://wiki.debian.org/SourcesList.

 doc/user_manual.md                  | 2 ++
 meta/classes/bootstrap.bbclass      | 5 ++++-
 meta/conf/distro/debian-common.conf | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/doc/user_manual.md b/doc/user_manual.md index 1e505c66..fd4fe249 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md
@@ -447,7 +447,9 @@ Some other variables include: - `ISAR_APT_DELAY_MAX` - Maximum time in seconds apt performs retries. Optional - `DISTRO_APT_SNAPSHOT_PREMIRROR` - Similar to `DISTRO_APT_PREMIRRORS` but for a snapshot, pre-defined for supported distros. - `ISAR_APT_SNAPSHOT_TIMESTAMP` - Unix timestamp of the apt snapshot. Automatically derived from `SOURCE_DATE_EPOCH` if not overwritten. (Consider `ISAR_APT_SNAPSHOT_DATE` for a more user friendly format) + - `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` - Unix timestamp of the security distribution. Optional. - `ISAR_APT_SNAPSHOT_DATE` - Timestamp in upstream format (e.g. `20240702T082400Z`) of the apt snapshot. Overrides `ISAR_APT_SNAPSHOT_TIMESTAMP` if set. Otherwise, will be automatically derived from `ISAR_APT_SNAPSHOT_TIMESTAMP` + - `ISAR_APT_SNAPSHOT_DATE[security]` - Timestamp in upstream format of the security distribution. Optional. - `THIRD_PARTY_APT_KEYS` - List of gpg key URIs used to verify apt repos for apt installation after bootstrapping. - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS. - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable. diff --git a/meta/classes/bootstrap.bbclass b/meta/classes/bootstrap.bbclass index f5b92808..c0644acb 100644 --- a/meta/classes/bootstrap.bbclass +++ b/meta/classes/bootstrap.bbclass 
@@ -28,6 +28,7 @@ BOOTSTRAP_DISTRO = "${@d.getVar('HOST_DISTRO' if bb.utils.to_boolean(d.getVar('B BOOTSTRAP_BASE_DISTRO = "${@d.getVar('HOST_BASE_DISTRO' if bb.utils.to_boolean(d.getVar('BOOTSTRAP_FOR_HOST')) else 'BASE_DISTRO')}" BOOTSTRAP_DISTRO_ARCH = "${@d.getVar('HOST_ARCH' if bb.utils.to_boolean(d.getVar('BOOTSTRAP_FOR_HOST')) else 'DISTRO_ARCH')}" ISAR_APT_SNAPSHOT_DATE ?= "${@ get_isar_apt_snapshot_date(d)}" +ISAR_APT_SNAPSHOT_DATE[security] ?= "${@ get_isar_apt_snapshot_date(d, 'security')}" python () { distro_bootstrap_keys = (d.getVar("DISTRO_BOOTSTRAP_KEYS") or "").split() @@ -101,9 +102,11 @@ def parse_aptsources_list_line(source_list_line): return [type, options, source, suite, components] -def get_isar_apt_snapshot_date(d): +def get_isar_apt_snapshot_date(d, dist=None): import time source_date_epoch = d.getVar('ISAR_APT_SNAPSHOT_TIMESTAMP') + if dist: + source_date_epoch = d.getVarFlag('ISAR_APT_SNAPSHOT_TIMESTAMP', dist) or source_date_epoch return time.strftime('%Y%m%dT%H%M%SZ', time.gmtime(int(source_date_epoch))) def get_apt_source_mirror(d, aptsources_entry_list): diff --git a/meta/conf/distro/debian-common.conf b/meta/conf/distro/debian-common.conf index 92a15404..b5d8aa9a 100644 --- a/meta/conf/distro/debian-common.conf +++ b/meta/conf/distro/debian-common.conf 
@@ -40,4 +40,7 @@ COMPAT_DISTRO_ARCH:amd64 = "i386" COMPAT_DISTRO_ARCH:arm64 = "armhf" # snapshot mirror for reproducible builds -DISTRO_APT_SNAPSHOT_PREMIRROR ??= "deb.debian.org/(.*) snapshot.debian.org/archive/\1/${ISAR_APT_SNAPSHOT_DATE}\n" +DISTRO_APT_SNAPSHOT_PREMIRROR ??= " \ + deb.debian.org/(debian-security)/? snapshot.debian.org/archive/\1/${@d.getVarFlag('ISAR_APT_SNAPSHOT_DATE', 'security')}\n \ + deb.debian.org/(.*)/? snapshot.debian.org/archive/\1/${ISAR_APT_SNAPSHOT_DATE}\n \ +" -- 2.39.5
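
Review bot: the two entries added in the `doc/user_manual.md` hunk say only "Optional" and leave out what happens when a flag is unset and how the two flags relate. Going by the bootstrap.bbclass change, `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` falls back to `ISAR_APT_SNAPSHOT_TIMESTAMP`, and `ISAR_APT_SNAPSHOT_DATE[security]` is derived from it unless set explicitly. Please state that here in the same style as the unflagged entries, and mention that the flag only has an effect for Debian, since the matching premirror rule is added in debian-common.conf only.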
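
Review bot: the default `ISAR_APT_SNAPSHOT_DATE[security] ?= "${@ get_isar_apt_snapshot_date(d, 'security')}"` in the first `meta/classes/bootstrap.bbclass` hunk is computed from `ISAR_APT_SNAPSHOT_TIMESTAMP` only, so a configuration that pins the snapshot by setting just `ISAR_APT_SNAPSHOT_DATE` (which the manual says overrides the timestamp) now fetches debian-security from a different date than the rest of the archive. Before this patch the catch-all premirror rule applied `${ISAR_APT_SNAPSHOT_DATE}` to debian-security as well, so this is a behaviour change for existing users. Suggest falling back to `ISAR_APT_SNAPSHOT_DATE` when no `security` flag is set on either variable.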
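
Review bot: in the `get_isar_apt_snapshot_date()` hunk of `meta/classes/bootstrap.bbclass`, the flag value is passed unchecked into `int(source_date_epoch)`, and the `or` fallback treats an empty `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` the same as an unset one. A non-numeric value therefore fails with an exception from `int()` that does not name the flag, and an empty value silently pins the security distribution to the base snapshot. Suggest validating the flag value and failing with a message that names `ISAR_APT_SNAPSHOT_TIMESTAMP[security]`, and consider a warning when the security timestamp is older than the base one, since that configuration would drop fixes rather than add them. The parameter `dist` actually receives a flag name and `source_date_epoch` no longer always holds the base epoch; a rename and a short docstring would make the fallback order clear.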
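
Review bot: in the `meta/conf/distro/debian-common.conf` hunk, the `/?` appended after the greedy `(.*)` in the catch-all rule can never consume a trailing slash, because `(.*)` takes it first, so `\1` still carries the slash into the snapshot URL. The `(debian-security)/?` rule also has no end anchor, so whether it applies to longer paths that merely begin with `debian-security` depends on how the pattern is matched, which this patch does not show. If the intent is to normalise a trailing slash, patterns along the lines of `(debian-security)/?$` and `(.*?)/?$` would express it. Since the catch-all also matches debian-security, the rule order looks significant and deserves a comment next to the existing "snapshot mirror for reproducible builds" line.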