guix: Use `gcc-8` across the board #21799

dongcarl · 2021-04-28T19:26:27Z

Only non-base commit is the last commit: b5abb07

Right now, here's what we use in Gitian:

Linux: Focal's g++-8-<arch>-linux-gnu (8.4.0-3ubuntu1cross1)
MinGW-w64: Focal's g++-mingw-w64 (9.3.0-7ubuntu1+22~exp1ubuntu4)

In Guix right now we use gcc-9 across the board.

I think it makes more sense to use gcc-8 across the board, as it doesn't suffer from the memcmp bug, and is what debian buster (stable) does, meaning it will be well tested (g++-mingw-w64, g++-aarch64-linux-gnu).

We can accomplish this somewhat easily using Guix as we have tighter control over the toolchain (see: b5abb07).

Let me know your thoughts!

hebasto · 2021-04-28T19:57:31Z

Concept ACK on keeping the same compiler while migrating from gitian to guix.

dongcarl · 2021-04-28T20:04:21Z

Concept ACK on keeping the same compiler while migrating from gitian to guix.

Note that we won't be keeping the same compiler for mingw-w64 (but I think that's okay) :-)

DrahtBot · 2021-04-29T05:29:16Z

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

maflcko · 2021-04-29T07:46:32Z

The switch from gitian->guix will be a major bump, so I think we don't need to use the exact same versions for all packages. However, looking at Debian (and Ubuntu) to see which packages are well-propagated among users (and thus tested) makes sense. I presume, once Debian/Ubuntu upgrade from gcc-10.2 to gcc-10.3, we could use that.

Concept ACK to prefer 8 over 9 in the meantime.

sipa · 2021-04-29T07:48:05Z

I think using GCC 8 is decent choice.

dongcarl · 2021-05-03T18:44:31Z

Pushed b5abb07 -> c90f6e5

Updated to be based on master instead of on guix: Add guix-{attest,verify} scripts #21462
Updated commit description

maflcko · 2021-05-03T18:46:49Z

Approach ACK c90f6e5, haven't reviewed

hebasto · 2021-05-03T19:52:45Z

contrib/guix/libexec/build.sh

-    powerpc64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
+    powerpc64-linux-*|riscv64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;


Why this change?

It was required to pass the NX check for riscv64, I'm guessing the default execstack behavior changed between gcc 8 and 9

Found it!

commit 12af29ab10fb5677cf947bcd7530c5f57c97522e Author: Jim Wilson <jimw@sifive.com> Date: Sat Jul 14 20:05:39 2018 +0000 RISC-V: Fix nested function trampolines. gcc/ * config/riscv/linux.h (TARGET_ASM_FILE_END): New. From-SVN: r262660 diff --git a/gcc/ChangeLog b/gcc/ChangeLog index 776a3c4434d..9179987e98c 100644 --- a/gcc/ChangeLog +++ b/gcc/ChangeLog @@ -1,3 +1,7 @@ +2018-07-14 Jim Wilson <jimw@sifive.com> + + * config/riscv/linux.h (TARGET_ASM_FILE_END): New. + 2018-07-14 Paul Koning <ni1d@arrl.net> * config/pdp11/pdp11.c (pdp11_rtx_costs): Bugfixes. diff --git a/gcc/config/riscv/linux.h b/gcc/config/riscv/linux.h index 85561846dad..e208c95fe13 100644 --- a/gcc/config/riscv/linux.h +++ b/gcc/config/riscv/linux.h @@ -66,3 +66,5 @@ along with GCC; see the file COPYING3. If not see %{rdynamic:-export-dynamic} \ -dynamic-linker " GNU_USER_DYNAMIC_LINKER "} \ %{static:-static}}" + +#define TARGET_ASM_FILE_END file_end_indicate_exec_stack

$ git tag --contains 12af29ab10fb5677cf947bcd7530c5f57c97522e basepoints/gcc-10 basepoints/gcc-11 basepoints/gcc-12 misc/cutover-git misc/first-auto-changelog misc/first-auto-changelog-10 misc/first-auto-changelog-9 releases/gcc-10.1.0 releases/gcc-10.2.0 releases/gcc-10.3.0 releases/gcc-11.1.0 releases/gcc-9.1.0 releases/gcc-9.2.0 releases/gcc-9.3.0

Correct, this used to be needed for RISC-V as well. We did have it in the gitian build. However, for the gitian build it was removed in 2ecaf21.
(I don't understand why it's no longer needed on Focal's g++8, maybe Ubuntu is patching it somehow?)

I've double-checked that when building RISC-V binaries using g++-8-riscv64-linux-gnu on Focal (20.04), the stack isn't being marked as executable. I did the following inside a new Ubuntu Focal Docker container:

# binutils for readelf apt update && apt install g++-8-riscv64-linux-gnu binutils-riscv64-linux-gnu binutils # riscv64-linux-gnu-gcc-8 --version riscv64-linux-gnu-gcc-8 (Ubuntu 8.4.0-3ubuntu1) 8.4.0 # compile minimal binary echo "int main() { return 0; }" > test.c riscv64-linux-gnu-gcc-8 test.c -o test # check stack readelf -lW test|grep GNU_STACK GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10 # recompile, tell linker to mark stack as executable riscv64-linux-gnu-gcc-8 test.c -o test -Wl,-z,execstack # recheck stack readelf -lW test|grep GNU_STACK GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10

If you perform the same inside a Ubuntu Bionic (18.04) container:

# binutils for readelf apt update && apt install g++-8-riscv64-linux-gnu binutils-riscv64-linux-gnu binutils # riscv64-linux-gnu-gcc-8 --version riscv64-linux-gnu-gcc-8 (Ubuntu 8.4.0-1ubuntu1~18.04) 8.4.0 # compile minimal binary echo "int main() { return 0; }" > test.c riscv64-linux-gnu-gcc-8 test.c -o test # check stack readelf -lW test|grep GNU_STACK < no output > # recompile, tell linker to not mark stack as executable riscv64-linux-gnu-gcc-8 test.c -o test -Wl,-z,noexecstack # recheck stack readelf -lW test|grep GNU_STACK GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10

So it's less that the stack is being marked as executable when building on Bionic, and more that the GNU_STACK section is just missing entirely, unless you explicitly tell the linker you want either a executable or non-executable stack. This makes sense when combined with the change linked by @dongcarl above (more context here), as the GNU_STACK section only started being added by default in GCC 9+. However it doesn't explain why the section is being added when using GCC 8 on Focal (and no additional linker flags). My assumption was that the change had been backported / applied by Debian/Ubuntu, however I can't seem to find evidence of that so far.

Thanks for checking!

So it's less that the stack is being marked as executable when building on Bionic, and more that the GNU_STACK section is just missing entirely

Right—not having a GNU_STACK section is effectively the same as having a GNU_STACK section with RWE, so, executable stack. Our security check takes this into account.

hebasto

ACK c90f6e5, I have reviewed the code and it looks OK, I agree it can be merged.

laanwj · 2021-05-05T08:42:51Z

No strong opinion on what gcc to use, but I think the argument is fair that going with what we know is the safest choice. The change looks consistent, in any case.
Code review ACK c90f6e5

c90f6e5 guix: Consistently use gcc-8 for $HOST (Carl Dong) Pull request description: Only non-base commit is the last commit: bitcoin@b5abb07 Right now, here's what we use in Gitian: - Linux: Focal's [`g++-8-<arch>-linux-gnu`](https://packages.ubuntu.com/focal/g++-8-aarch64-linux-gnu) (`8.4.0-3ubuntu1cross1`) - MinGW-w64: Focal's [`g++-mingw-w64`](https://packages.ubuntu.com/focal/g++-mingw-w64) (`9.3.0-7ubuntu1+22~exp1ubuntu4`) In Guix right now we use `gcc-9` across the board. I think it makes more sense to use `gcc-8` across the board, as it doesn't suffer from the `memcmp` bug, and is what debian buster (stable) does, meaning it will be well tested ([`g++-mingw-w64`](https://packages.debian.org/buster/g++-mingw-w64), [`g++-aarch64-linux-gnu`](https://packages.debian.org/buster/g++-aarch64-linux-gnu)). We can accomplish this somewhat easily using Guix as we have tighter control over the toolchain (see: bitcoin@b5abb07). Let me know your thoughts! ACKs for top commit: MarcoFalke: Approach ACK c90f6e5, haven't reviewed laanwj: Code review ACK c90f6e5 hebasto: ACK c90f6e5, I have reviewed the code and it looks OK, I agree it can be merged. Tree-SHA512: 3e5b9297305232273323aa745ec417ed1be2418ead0e432db7742f5d5f45efe6e4a2ed44328731512cff4bfde80e5f2dc350a131b8b8fb9207a2ef66bce27ed2

Now that we use GCC 10 for release builds, we no-longer need to pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries. This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when we reverted to using GCC 8.

2dcf3e1 guix: re-revert riscv execstack workaround (fanquake) Pull request description: Now that we use GCC 10 for release builds, we no-longer need to pass `-Wl,-z,noexecstack` to get a non-executable stack in RISC-V binaries. This was originally removed in #21036, but then re-added in #21799, when we reverted to using GCC 8. Guix Build (arm64): ```bash 0655a94f88e8e89b1e048ae96e99c7dd45aed32011fe4ed9d03d0d1dfa073650 guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/SHA256SUMS.part 7c803347073839e2c7d8c1260e691964ab00b149da506edda4dc693df8e7f345 guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/bitcoin-2dcf3e153fbc-arm-linux-gnueabihf-debug.tar.gz 3b9ce2f349b9a4a463f66c9a2838e8490d4990c5b8dea9ad458b0bafeba8d1ac guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/bitcoin-2dcf3e153fbc-arm-linux-gnueabihf.tar.gz 557c01453e3cedf6ef171715a02fe63abd7223f779a8c9b94ddc9ec17a4a45e4 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/SHA256SUMS.part 26fcdbd10ad372ef541f519cc4990bdb5d513b51b05252ce9bde6e84258157b9 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin-unsigned.dmg b145a9f6716f8e7f8c23d247fa82a02e4e7b76bebb17d55a1190448d0db5ab23 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin-unsigned.tar.gz f172cd4c799a7ab065a36829fb8d546e83ce6791d9cb326d7cef14ad74d63d7a guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin.tar.gz 9a6c886a0bc81e729e3bb50dd972e10c8d4563bcbd917a9ba9c418a6fbe2de71 guix-build-2dcf3e153fbc/output/dist-archive/bitcoin-2dcf3e153fbc.tar.gz 254a11143d61aeb98749cd405ed307cca77e80198d58b7bb669ef9490cc8eaf6 guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/SHA256SUMS.part 83d7dc51404e328f6965f4d2da0b76fbe0a712d48465d6713348e0c4eb314a0a guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64-linux-gnu-debug.tar.gz 522b98c63ab76dac6083a17f6b8f8173e9683f7d79e6f46b0a2e56c48e841a02 guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64-linux-gnu.tar.gz 96053b629ba60446f499d19400a25913932a02920bad963aaa12f1b6337b9f6e guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/SHA256SUMS.part 147f0b1d07b986879a859e6d6186c339085bcfcac4c5fe30586f94e0ab09ce77 guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64le-linux-gnu-debug.tar.gz c916680e75fb265e4099244cb876c2535c45981fbba9cfef9ad47c3aa58bc60b guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64le-linux-gnu.tar.gz b90329d8531afb450678ec3d0981d3b1542f7b17d2feb0f2630216d0479630ad guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/SHA256SUMS.part c77f02947d57ad2b841d594dca55271c9aecc1ef03f55371e0109ccaa5782aba guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/bitcoin-2dcf3e153fbc-riscv64-linux-gnu-debug.tar.gz 234f54da9df09ef2f330be016d58ab11e81e49644db01b6093050b5fcd5c5c82 guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/bitcoin-2dcf3e153fbc-riscv64-linux-gnu.tar.gz 637f4a77d17493b319fb404e91c949373e0105caff61200f2a62729ca515f6de guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/SHA256SUMS.part 6cbe6c91e0a35df9f92af461f68f823c7d12c37237c33e0169825ba56eb9a7c3 guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin-unsigned.dmg b9b8cc7317e62a34f2286e07f743d4274b7ad00e93653e281257fc3bc068f30c guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin-unsigned.tar.gz b846df40c5a956ca02a017fbd2b97bc39caba876f7b6ad080ba1962b9092cb0d guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin.tar.gz 5260fe7678567af5e73d296bfb115e09cc352e039fa6ae41007a6a93a5d1d6fd guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/SHA256SUMS.part 2ddbf9afe86ff3bcde44a6beb8e1fa2a8b9a35ceae33aa1633878d8c7f611939 guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/bitcoin-2dcf3e153fbc-x86_64-linux-gnu-debug.tar.gz a21eb3ad0671d3f09ce3b1e5263ba6cd9ea56f2c51d849bc39010b9c2b273ebf guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/bitcoin-2dcf3e153fbc-x86_64-linux-gnu.tar.gz 0043277076a16b2baf5dc1957c2e176d5c5d95abe693b3d6bd6dec7ccb9f5481 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/SHA256SUMS.part c7271c7ee7361c2f3349a00fd444fcfd42b07dbe77905a5570366312ba413fbc guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-debug.zip 19197d3abd2f422ad860a888578369da453509be3f8cab04cbf80055263b83c9 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-setup-unsigned.exe 21bfae266d684e95ebe8bcf40102c3ee8468e3d7364f6d6c5c6dd9dfc06b376a guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-unsigned.tar.gz 2feb16aab1fb0007670f816b1e25bff031acca01f68e3b5a8b20d13b60542b48 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64.zip ``` ACKs for top commit: laanwj: ACK 2dcf3e1 hebasto: ACK 2dcf3e1 Tree-SHA512: 04dd2fcd731c6370a903bdc4bff493ed3f4b2c853be47da1a1f8838a6f6b69333464181ea945d513247a81fab1c798b3d2ad61aa8b23314890d9bd83b2f55873

2dcf3e1 guix: re-revert riscv execstack workaround (fanquake) Pull request description: Now that we use GCC 10 for release builds, we no-longer need to pass `-Wl,-z,noexecstack` to get a non-executable stack in RISC-V binaries. This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when we reverted to using GCC 8. Guix Build (arm64): ```bash 0655a94f88e8e89b1e048ae96e99c7dd45aed32011fe4ed9d03d0d1dfa073650 guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/SHA256SUMS.part 7c803347073839e2c7d8c1260e691964ab00b149da506edda4dc693df8e7f345 guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/bitcoin-2dcf3e153fbc-arm-linux-gnueabihf-debug.tar.gz 3b9ce2f349b9a4a463f66c9a2838e8490d4990c5b8dea9ad458b0bafeba8d1ac guix-build-2dcf3e153fbc/output/arm-linux-gnueabihf/bitcoin-2dcf3e153fbc-arm-linux-gnueabihf.tar.gz 557c01453e3cedf6ef171715a02fe63abd7223f779a8c9b94ddc9ec17a4a45e4 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/SHA256SUMS.part 26fcdbd10ad372ef541f519cc4990bdb5d513b51b05252ce9bde6e84258157b9 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin-unsigned.dmg b145a9f6716f8e7f8c23d247fa82a02e4e7b76bebb17d55a1190448d0db5ab23 guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin-unsigned.tar.gz f172cd4c799a7ab065a36829fb8d546e83ce6791d9cb326d7cef14ad74d63d7a guix-build-2dcf3e153fbc/output/arm64-apple-darwin/bitcoin-2dcf3e153fbc-arm64-apple-darwin.tar.gz 9a6c886a0bc81e729e3bb50dd972e10c8d4563bcbd917a9ba9c418a6fbe2de71 guix-build-2dcf3e153fbc/output/dist-archive/bitcoin-2dcf3e153fbc.tar.gz 254a11143d61aeb98749cd405ed307cca77e80198d58b7bb669ef9490cc8eaf6 guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/SHA256SUMS.part 83d7dc51404e328f6965f4d2da0b76fbe0a712d48465d6713348e0c4eb314a0a guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64-linux-gnu-debug.tar.gz 522b98c63ab76dac6083a17f6b8f8173e9683f7d79e6f46b0a2e56c48e841a02 guix-build-2dcf3e153fbc/output/powerpc64-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64-linux-gnu.tar.gz 96053b629ba60446f499d19400a25913932a02920bad963aaa12f1b6337b9f6e guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/SHA256SUMS.part 147f0b1d07b986879a859e6d6186c339085bcfcac4c5fe30586f94e0ab09ce77 guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64le-linux-gnu-debug.tar.gz c916680e75fb265e4099244cb876c2535c45981fbba9cfef9ad47c3aa58bc60b guix-build-2dcf3e153fbc/output/powerpc64le-linux-gnu/bitcoin-2dcf3e153fbc-powerpc64le-linux-gnu.tar.gz b90329d8531afb450678ec3d0981d3b1542f7b17d2feb0f2630216d0479630ad guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/SHA256SUMS.part c77f02947d57ad2b841d594dca55271c9aecc1ef03f55371e0109ccaa5782aba guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/bitcoin-2dcf3e153fbc-riscv64-linux-gnu-debug.tar.gz 234f54da9df09ef2f330be016d58ab11e81e49644db01b6093050b5fcd5c5c82 guix-build-2dcf3e153fbc/output/riscv64-linux-gnu/bitcoin-2dcf3e153fbc-riscv64-linux-gnu.tar.gz 637f4a77d17493b319fb404e91c949373e0105caff61200f2a62729ca515f6de guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/SHA256SUMS.part 6cbe6c91e0a35df9f92af461f68f823c7d12c37237c33e0169825ba56eb9a7c3 guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin-unsigned.dmg b9b8cc7317e62a34f2286e07f743d4274b7ad00e93653e281257fc3bc068f30c guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin-unsigned.tar.gz b846df40c5a956ca02a017fbd2b97bc39caba876f7b6ad080ba1962b9092cb0d guix-build-2dcf3e153fbc/output/x86_64-apple-darwin/bitcoin-2dcf3e153fbc-x86_64-apple-darwin.tar.gz 5260fe7678567af5e73d296bfb115e09cc352e039fa6ae41007a6a93a5d1d6fd guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/SHA256SUMS.part 2ddbf9afe86ff3bcde44a6beb8e1fa2a8b9a35ceae33aa1633878d8c7f611939 guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/bitcoin-2dcf3e153fbc-x86_64-linux-gnu-debug.tar.gz a21eb3ad0671d3f09ce3b1e5263ba6cd9ea56f2c51d849bc39010b9c2b273ebf guix-build-2dcf3e153fbc/output/x86_64-linux-gnu/bitcoin-2dcf3e153fbc-x86_64-linux-gnu.tar.gz 0043277076a16b2baf5dc1957c2e176d5c5d95abe693b3d6bd6dec7ccb9f5481 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/SHA256SUMS.part c7271c7ee7361c2f3349a00fd444fcfd42b07dbe77905a5570366312ba413fbc guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-debug.zip 19197d3abd2f422ad860a888578369da453509be3f8cab04cbf80055263b83c9 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-setup-unsigned.exe 21bfae266d684e95ebe8bcf40102c3ee8468e3d7364f6d6c5c6dd9dfc06b376a guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64-unsigned.tar.gz 2feb16aab1fb0007670f816b1e25bff031acca01f68e3b5a8b20d13b60542b48 guix-build-2dcf3e153fbc/output/x86_64-w64-mingw32/bitcoin-2dcf3e153fbc-win64.zip ``` ACKs for top commit: laanwj: ACK 2dcf3e1 hebasto: ACK 2dcf3e1 Tree-SHA512: 04dd2fcd731c6370a903bdc4bff493ed3f4b2c853be47da1a1f8838a6f6b69333464181ea945d513247a81fab1c798b3d2ad61aa8b23314890d9bd83b2f55873

Now that we use GCC 10 for release builds, we no-longer need to pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries. This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when we reverted to using GCC 8.

* guix: Add guix-verify script * guix-attest: Only use cross-platform flags for find+xargs * guix-attest: Use ascii-armor signatures * guix-attest: Allow skipping GPG signing with NO_SIGN * guix: Minor quoting fix in libexec/build.sh * guix: Construct $OUTDIR in ${DISTSRC}/output While files are being output to $OUTDIR, it will be under ${DISTSRC}/output, and only when everything is done, will ${DISTSRC}/output be moved to the actual $OUTDIR. This makes it so that a Ctrl-C in the middle of a build is less likely to result in a partially-constructed $OUTDIR. In fact, if I understand correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the move (rename) is likely atomic. Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be cleaned properly by the guix-clean script. * guix: Attest to inputs in inputs.SHA256SUMS At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest. Example final SHA256SUMS: ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz * guix: Skip attesting to dist-archive We already attest to the relevant dist-archive in inputs.SHA256SUMS, which is recorded at build-time. We use a SKIPATTEST.TAG file to indicate output directories which do not require attestation (much like the CACHEDIR.TAG specification). Generally, it's better to have build scripts declare properties of directories instead of introducing name-based special cases in attest scripts since build scripts have a more detailed context of what is going on. * guix: Consistently use gcc-8 for $HOST * guix-attest: Avoid incomplete sigdirs with ERR traps Sometimes GPG connects to the wrong agent... or you don't have your smartcard handy... * guix: install LIEF in Guix container Co-authored-by: Carl Dong <contact@carldong.me> * build: Makes rcc output always deterministic The Qt Resource Compiler (rcc) has a command-line option `--format-version` which has the default value 2. The only difference from `--format-version 1` is adding a last modified timestamp to the output file. That, in turn, forces us to use `QT_RCC_SOURCE_DATE_OVERRIDE=1` to get deterministic builds. This change makes rcc output always deterministic by using `--format-version 1` option that makes usage of the `QT_RCC_SOURCE_DATE_OVERRIDE` needless. Also it improves interaction with ccache. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Reindent existing manifest.scm * guix: Package codesigning tools * guix: Add codesigning functionality * guix: repro: Sort find output in libtool for gcc-8 Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not be reproducible and end up making the Bitcoin binaries non-reproducible as well. See: https://reproducible-builds.org/docs/archives/#gnu-libtool * guix: Remove dest if OUTDIR mv fails * guix: Check for disk space availability before building * Use latest signapple commit Update gitian and guix to use the same latest signapple commit * Make SHA256SUMS fragment right after build * Rewrite guix-{attest,verify} for new hier * scripts: LIEF 0.11.5 * guix-attest: Error out if SHA256SUMS is unexpected * guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64) Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we use 2.27. Running a Bitcoin build with toolchains based on 2.24 for platforms other than riscv64 seem to produce binaries which do not have 2.17 symbols. So use 2.24 since it's more recent and maintained by Debian Stretch. * guix: Build depends/qt with our platform definition Our 'bitcoin-linux-g++' definition better integrates with our depends system than the stock linux-g++-64 definition. This fixes a bug whereby Guix builds on x86_64 for x86_64 did not produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being built. * guix: Also sort SHA256SUMS.part * guix: no-longer pass --enable-glibc-back-compat to Guix Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV), we no-longer need to pass the --enable-glibc-back-compat option. Replace it with --disable-threadlocal, to prevent the usage of symbols from glibc 2.18. None of the binaries produced required symbols later than 2.17, and 2.27 (RISCV). * guix: add additional documentation to patches * Avoid GCC 7.1 ABI change warning in guix build * guix: Patch binutils to add security-related disable flags We use these flags in our test-security-check make target, but they are only available because debian patches them in. We can patch them in for our Guix builds so that we can check the sanity of our security/symbol checking suite before running them. * guix: Test security-check sanity before performing them * guix: Check for a sane services database On bare systems, it is possible to be lacking a services database. Check for basic entries before attempting a build. See the error message in the diff for more context. * guix: Update various check_tools lists * guix: Pin kernel header version - Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support) - Use 4.9 for all others (second-oldest LTS release, released in combination with glibc glibc 2.24 in Debian stretch) * guix: Bump to version-1.3.0 from upstream The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July 15th, 2021. Also fix visual indenting. * guix: Overhaul README - Added detailed Guix bootstrap/installation instructions * guix-attest: Produce and sign normalized documents That way we can easily combine the document and detached signature to produce cleartext signature files for upload during the release process. See subsequent commits which modify doc/release-process.md for more details. * guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting * guix/INSTALL: Guix installs init scripts in libdir * guix: Silence getent(1) invocation * guix/INSTALL: Misc fixups * guix/build: Remove vestigial SKIPATTEST.TAG * guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS * guix: Allow changing the base manifest in guix-verify When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. * Updated Readme, Corrected the codesign typo * script, doc: guix touchups * guix: Remove extra \r from all.SHA256SUMS line ending guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me> * guix: Ensure EPOCH_SOURCE_DATE does not include GPG information If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. * release: Release with separate SHA256SUMS and sig files This allows us to remove the rfc4880 EOL hacks and release with a SHA256SUMS.asc file that's a combination of all signer signatures. * guix-verify: Non-zero exit code when anything fails Previously, if verification fails, the correct message will be printed, but the exit code would still be 0. * guix: Don't include directory name in SHA256SUMS The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. Co-authored-by: Carl Dong <contact@carldong.me> * guix/prelude: Override VERSION with FORCE_VERSION Previously, if the builder exported $VERSION in their environment (as past Gitian-building docs told them to), but their HEAD does not actually point to v$VERSION, their build outputs will differ from those of other builders. This is because the contrib/guix/guix-* scripts only ever act on the current git worktree, and does not try to check out $VERSION if $VERSION is set in the environment. Setting $VERSION only makes the scripts pretend like the current worktree is $VERSION. This problem was seen in jonatack's attestation for all.SHA256SUMS, where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone else's. Here is my deduced sequence of events: 1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to guix.sigs 2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest changes from master in the same worktree where he guix-built 22.0rc3 and ends up at 7be143a 3. Aug 30th, sometime before POSIX time 1630315907: With his worktree still on 7be143a, he guix-codesigns. Normally, this would result in outputs going in guix-build-7be143a960e2, but he had VERSION=22.0rc3 in his environment, so the guix-* scripts pretended like he was building 22.0rc3, and used 22.0rc3's guix-build directory to locate un-codesigned outputs and dump codesigned ones. However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD (7be143a), which made all timestamps in the resulting codesigned DMG 1630310848, 7be143a's POSIX timestamp. This differs from the POSIX timestamp of 22.0rc3, which is 1630348517. Note that the windows codesigning procedure does not consider SOURCE_DATE_EPOCH. We resolve this by only allowing VERSION overrides via the FORCE_VERSION environment variable. * build: set OSX_MIN_VERSION to 10.15 This is required to use std::filesystem on macOS as support for it only landed in the libc++ dylib shipped with 10.15. See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes Clang now supports the C++17 <filesystem> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13. * Enable TLS in links in documentation * Integrate univalue into our buildsystem This addresses issues like the one in bitcoin#12467, where some of our compiler flags end up being dropped during the subconfigure of Univalue. Specifically, we're still using the compiler-default c++ version rather than forcing c++17. We can drop the need subconfigure completely in favor of a tighter build integration, where the sources are listed separately from the build recipes, so that they may be included directly by upstream projects. This is similar to the way leveldb build integration works in Core. Core benefits of this approach include: - Better caching (for ex. ccache and autoconf) - No need for a slow subconfigure - Faster autoconf - No more missing compile flags - Compile only the objects needed There are no benefits to Univalue itself that I can think of. These changes should be a no-op there, and to downstreams as well until they take advantage of the new sources.mk. This also removes the option to use an external univalue to avoid similar ABI issues with mystery binaries. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Fix powerpc64(le) dynamic linker name I used Guix's values for the powerpc64(le) dynamic linkers, and the /lib-prefix seems to be a Guix-ism rather than standard. The standard path for the linker-loaders start with /lib64. I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file. For future reference, loader path values can also be found on glibc's website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16 * build: require glibc 2.18+ for release builds From what I can see the only platform this drops support for is CentOS 7. CentOS 7 reached the end of it's "full update" support at the end of 2020. It does receive maintenance updates until 2024, however I don't think supporting glibc 2.17 until 2024 is realistic. Note that anyone wanting to self-compile and target a glibc 2.17 runtime could build with --disable-threadlocal. glibc 2.18 was released in August 2013. https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html * scripted-diff: Drop Darwin version for better maintainability -BEGIN VERIFY SCRIPT- sed -i 's/darwin19/darwin/g' $(git grep --files-with-matches 'darwin19') -END VERIFY SCRIPT- * test: Make more shell scripts verifiable by the `shellcheck` tool * test: Bump shellcheck version to 0.8.0 * scripted-diff: Insert missed copyright headers -BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/build.sh ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/codesign.sh ./contrib/devtools/copyright_header.py insert contrib/tracing/log_raw_p2p_msgs.py ./contrib/devtools/copyright_header.py insert contrib/tracing/log_utxocache_flush.py ./contrib/devtools/copyright_header.py insert contrib/tracing/p2p_monitor.py ./contrib/devtools/copyright_header.py insert test/lint/lint-files.sh -END VERIFY SCRIPT- * build: use a static .tiff for macOS .dmg over generating Co-authored-by: Pavol Rusnak <pavol@rusnak.io> * guix: use GCC 10 (over GCC 8) to build releases This currently points to the version-1.4.0 branch. * guix: use uptream nsis-x86_64 Our patch is now used upstream. * build: use python-asn1crypto from upstream It is the exact same package definition. * guix: use upstream python-requests (2.26.0) Upstream python requests is now modern enough to be used as a dependency for signapple. Which requires requests>=2.25.1. * build: Point Guix to the current top of the "version-1.4.0" branch * build: point to latest commit on the master branch The version-1.4.0 branch no-longer exists, and will be branched off master again shortly. * guix: ignore additioanl failing certvalidator test ====================================================================== ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z * build: Fix xargs warnings for Guix builds * build: use macOS 11 SDK (Xcode 12.2) This should be sufficient to support building for Apple ARM when cross-compiling. * guix: use autoconf 2.71 This allows for building with newer targets, like arm64-apple-darwin, due to having a newer bundled config.guess and config.sub. * guix: add arm64-apple-darwin triplet * build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix * build: Point Guix to recent commit on the master branch * Replace "can not" with "cannot" in docs, user messages, and tests * guix: use same commit for codesigning time-machine The time machines should be updated in lockstep. * build: Move guix time machine to prelude This deduplicates some code, and enforces consistency of the time machine configuration between scripts. * guix: only use native GCC 7 toolchain for Linux builds The macOS and Windows builds do not require a GCC 7 toolchain, and this is actually causing build issues, i.e bitcoin#24211. So switch to using a GCC 10 native toolchain for both. * guix: use latest upstream python-certvalidator This should also allow re-enabling previously failing tests. * guix: use latest upstream signapple This should improve support for signing for M1 binaries. * guix: Drop unneeded openssl dependency for signapple * guix: use latest signapple * guix: only check for the macOS SDK once If we are building for both macOS HOSTS, there's no need to check and print that the SDK exists two times. * guix: Use $HOST instead of generic osx{64} for macOS artifacts * guix: make it possible to override gpg binary For example on Qubes OS one might want to use qubes-gpg-client-wrapper instead * guix: Drop "-signed" suffix for signed macOS .dmg files This change makes naming of the signed artifacts consistent across different OSes, including Windows. * guix: Use "win64" for Windows artifacts consistently * Update signapple for platform identifier fix * doc, guix: Include arm64-apple-darwin into codesigned archs * guix: point to latest upstream commit * Revert "build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix" This reverts commit 7f2f35f. * macdeploy: remove unused detached-sig-apply Signature application is now done with signapple. * guix: Drop code for the unsupported `i686-linux-gnu` host Now GUIX build for the `i686-linux-gnu` host is broken, and there are no plans to re-add it. * contrib: use LIEF 0.12.0 for symbol and security checks * build: Fix "ERR: Unsigned tarballs do not exist" * guix: fix vmov alignment issues with gcc 10.3.0 & mingw-w64 This introduces a patch to our GCC (10.3.0) mingw-w64 compiler, in Guix, to make it avoid using aligned vmov instructions. This works around a longstanding issue in GCC, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54412, which was recently discovered to be causing issues, see bitcoin#24726. Note that distros like Debian are also patching around this issue, and that is where this patch comes from. This would also explain why we haven't run into this problem earlier, in development builds. See: https://salsa.debian.org/mingw-w64-team/gcc-mingw-w64/-/blob/master/debian/patches/vmov-alignment.patch. Fixes bitcoin#24726. Alternative to bitcoin#24727. See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939559 * build: don't compress macOS DMG * guix: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues This commit backports a patch to the GCC 10.3.0 we build for Windows cross-compilation in Guix. The commit has been backported to the GCC releases/gcc-10 branch, but hasn't yet made it into a release. The patch corrects a regression from an earlier GCC commit, see: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=357c4350680bf29f0c7a115424e3da11c53b5582 and https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=074226d5aa86cd3de517014acfe34c7f69a2ccc7, related to the way newer versions of mingw-w64 implement setjmp/longjmp. Ultimately this was causing a crash for us when Windows users were viewing the network traffic tab inside the GUI. After some period, long enough that a buffer would need reallocating, a call into FreeTypes gray_record_cell() would result in a call to ft_longjmp (longjmp), which would then trigger a crash. Fixes: bitcoin-core/gui#582. See also: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e8d1ca7d2c344a411779892616c423e157f4aea8. https://bugreports.qt.io/browse/QTBUG-93476. * guix: Improve error message about missed macOS SDK * guix: consolidate kernel headers to 5.15 Given no reason to use an older version of the kernel headers for the non-RISCV linux builds, consolidate all Linux builds to 5.15.x. Note that using older kernel headers isn't some sort of compatibility "hack", and glibc explicitly recommends against doing so. See: https://sourceware.org/glibc/wiki/FAQ#What_version_of_the_Linux_kernel_headers_should_be_used.3F. * build: include bitcoin.conf in build outputs copy over bitcoin.conf during the build process. this means `contrib/devtools/gen-bitcoin-conf.sh` will need to be run and the generated file committed during the release process. this is the same process used for generating man pages for each release. * guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 There are two reasons to perform this bump: * Fixes bitcoin#25082 by bumping to a commit that includes a fix for time-dependent unit tests in libgit2 (f5fe0082abe4547f3fb9f29d8351473cfb3a387b). * Gives us access to clang-toolchain-14 (14.0.3, 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681), which is useful for the Guix portion of bitcoin#21778. Note that with this bump: Linux kernels headers update from 5.15.28 to 5.15.37. * guix: compile glibc without -werror Compiling glibc 2.24 and 2.27 with the new GCC 10 results in a number of new warnings, i.e: ```bash libc-tls.c: In function ‘__libc_setup_tls’: libc-tls.c:208:30: error: array subscript 1 is outside the bounds of an interior zero-length array ‘struct dtv_slotinfo[0]’ [-Werror=zero-length-bounds] 208 | static_slotinfo.si.slotinfo[1].map = main_map; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~ In file included from ../sysdeps/x86_64/ldsodefs.h:54, from ../sysdeps/gnu/ldsodefs.h:46, from ../sysdeps/unix/sysv/linux/ldsodefs.h:25, from libc-tls.c:20: ../sysdeps/generic/ldsodefs.h:398:7: note: while referencing ‘slotinfo’ 398 | } slotinfo[0]; | ^~~~~~~~ ``` While we could try and backport all the patches required to fix these up, it would currently seem easier to disable -Werror, which Guix uses by default when building glibc. * guix: adjust RISC-V __has_include() patch to work with GCC 10 The actual macro is __has_include(), not __has_include__(), using the later would result in build failures when using GCC 10. i.e: ```bash ../sysdeps/unix/sysv/linux/riscv/flush-icache.c:24:5: warning: "__has_include__" is not defined, evaluates to 0 [-Wundef] 24 | #if __has_include__ (<asm/syscalls.h>) ``` Looks like at least someone else has run into the same thing, see: http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html. See also: https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html https://clang.llvm.org/docs/LanguageExtensions.html#has-include * guix: fix glibc 2.27 multiple definition warnings with GCC 10 * guix: use -fcommon when building glibc 2.24 GCC 10 started using -fno-common by default, which causes issues with the powerpc builds using gibc 2.24. A patch was commited to glibc to fix the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial to backport, and was broken in at least one way, see the followup in commit 7650321ce037302bfc2f026aa19e0213b8d02fe6. For now, retain the legacy GCC behaviour by passing -fcommon when building glibc 2.24. https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html. https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6 * guix: native GCC 10 toolchain for Linux builds * guix: re-revert riscv execstack workaround Now that we use GCC 10 for release builds, we no-longer need to pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries. This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when we reverted to using GCC 8. * guix: use libtool 2.4.7 As of version 2.4.7, libtool now respects ARFLAGS, which we use, and has changed the default ARFLAGS from cru to cr (which we also do, see configure). This eliminates spammy `ar` output such as: ```bash CXXLD libunivalue.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_zmq.a AR libbitcoin_consensus.a CXXLD crypto/libbitcoin_crypto_base.la CXXLD crypto/libbitcoin_crypto_sse41.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crypto/libbitcoin_crypto_avx2.la CXXLD crypto/libbitcoin_crypto_x86_shani.la CXXLD leveldb/libleveldb.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crc32c/libcrc32c.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD leveldb/libmemenv.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_cli.a ``` Libtool 2.4.7 release notes: https://lists.gnu.org/archive/html/autotools-announce/2022-03/msg00000.html * guix: remove explicit glibc stack protector disabling While glibc 2.25 and newer *can* be built with stack-smashing-protection enabled, it isn't used by default, and still isn't, as of glibc 2.35, so I can't see a reason to explicitly disable it. I'd also like to move in the direction of enabling, by default, hardening options for the toolchains we build, so removing the explicit disabling is a step in that direction. Will be following up with some changes based on this PR. * guix: parallelize LIEF build * guix: remove usage of -Wl,-z,noexecstack for PPC64 HOST The PPC64 ABI has a non-executable stack by default, and does not need a GNU_STACK program header. See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/include/asm/page_64.h#n92 * guix: use LIEF 0.12.1 * guix: patch LIEF to fix PPC64 NX default This patches our LIEF build using the change merged upstream: lief-project/LIEF#718. This can be dropped the next time we update LIEF. * guix: Map all guix store prefixes to /usr Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. * guix: Remove guix store paths from glibc Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. We might be able to drop this in favour of using --with-nonshared-cflags when we being using newer versions of glibc. * guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56 Our patch has been merged upstream, see LRGH/elfesteem#3 * guix: patch gcc 10 with pthreads to remap guix store paths * guix: Drop repetition of option's default value * guix: enable SSP for RISC-V glibc (2.27) Pass `--enable-stack-protector=all` when building the glibc used for the RISC-V toolchain, to enable stack smashing protection on all functions, in the glibc code. * guix: pass enable-bind-now to glibc Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times. See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html * guix: enable hardening options in GCC Build Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html * guix: ignore additional failing certvalidator test Similar to 8588591. ```bash ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z ``` * guix: patch NSIS to remove .reloc sections from install stubs With the release of binutils/ld 2.36, ld swapped to much improved default settings when producing windows binaries with mingw-w64. One of these changes was to stop stripping the .reloc section from binaries, which is required for working ASLR. .reloc section stripping is something we've accounted for previously, see bitcoin#18702. The related upstream discussion is in this thread: https://sourceware.org/bugzilla/show_bug.cgi?id=19011. When we switched to using a newer Guix time-machine in bitcoin#23778, we begun using binutils 2.37 to produce releases. Since then, our windows installer (produced with makensis) has not functioned correctly when run on a Windows system with the "Force randomization for images (Mandatory ASLR)" option enabled. Note that all of our other release binaries, which all contain .reloc sections, function fine under the same option, so it cannot be just the presence of a .reloc section that is the issue. For now, restore makensis to it's pre-binutils-2.36 behaviour, which fixes the produced installer. The underlying issue can be further investigated in future. * doc: minor updates to guix README * build: include share/rpcauth in tarball & installer Fixes bitcoin#19081. * guix: use --build={arch}-guix-linux-gnu in cross toolchain Technically we are always cross-compiling, so make that explicit. Fixes: bitcoin#22458. * guix: consistently use -ffile-prefix-map Aside from being the newer, more comprehensive option, it's what we claim to use in the patch docs, and everywhere else in guix. * guix: use git-minimal over git From the git-minimal package definition: > The size of the closure of 'git-minimal' is two thirds that of 'git'. > Its test suite runs slightly faster and most importantly it doesn't > depend on packages that are expensive to build such as Subversion. We don't need any fancy / additional git functionality above the basics, so switch to git-minimal and save some CPU, while also pruning the greater dependency graph. ```diff -name: git +name: git-minimal version: 2.37.3 outputs: -+ send-email: see Appendix H -+ svn: see Appendix H -+ credential-netrc: see Appendix H -+ credential-libsecret: see Appendix H -+ subtree: see Appendix H -+ gui: see Appendix H + out: everything else -systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux -dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37 perl-authen-sasl@2.16 perl-cgi@4.52 -+ perl-io-socket-ssl@2.068 perl-net-smtp-ssl@1.04 perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11 -location: gnu/packages/version-control.scm:222:2 +systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux +dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11 +location: gnu/packages/version-control.scm:608:2 homepage: https://git-scm.com/ license: GPL 2 synopsis: Distributed version control system ``` * guix: Drop perl package * Revert "guix: Build depends/qt with our platform definition" This reverts commit dc4137a. * MS: restclient start * MS: bumped c++ version from 14 to 17 * only gitian build for linux x86_64 for now. We can add back aarch64 later when needed. * Testing whether OSX SDK needs to updated for gitian building for c++17 * test if bitcoins last gitian-build method works with unigrid * yaml format error * updated darwin host file for py build gitian * Update depends make to work with latest build * update darwin builder for new gitian * DOWNLOAD_RETRIES:=3 readded for curl * linux host update gitian * check in default depends * upgrade dawrwin to 19 * use focal * remove i686 windows gitian * testing whether jammy has same compile error for osx cctools * switch back to focal * place guix in proper directory * guix util file * guix util file * lief is failing on guix build. try a newer version * change hash for lief * try and downgrade lief * lief hash * update darwin to never xcode version and osx 10.15 minimum * added missing native_clang depends * test jammy build focal cannot find repos * missing some jammy in build.py * build with kinetic * focal appears to be the only docker container that builds correctly * test building with g++9 linux * test if reverting to c++14 builds work * upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds. * use jammy for builds and test building with c++17 or 20 if available * force c++17 * don't check clock_gettime by default * docker still cannot find ubuntu jammy revert to focal * fdelt is required * aarch64 required to compile * disable arm build * test disable glib backward support * darwin builds were missing libtapi. native_cdrkit replaced with xorriso. * change order of native_libtapi * libtapi and clang are split out of cctools * darwin unable to find glibtoolize * upgrading boost and remove references to specific darwin versions * split boost into build/host * boost fail build on linux * define minimum required boost * adding missing required boost libraries after updating boost version * errors building with boost 1.73.0 revert back to 1.71.0 * wrong xcode version in darwin build * up boost version to 1.73.0 * test building with boost 1.80.0 * remove unused dependency and set min boost version * upgrading boost requires more refactoring * test if building osx works with c++11 * c++11 build fails on the rest client test to see if c++17 resolves this error * accidental edit of robin-hood submodule * use 12.2 osx sdk * use 12.2 osx sdk for gitian-builder * proper cheksum of Xcode * checksum was not correct * remove downloaded sdk * attempted build with boost 1.80 * revert to c++14 and downgrade boost * configure.ac set c++14 * Ms restclient (#5) * MS: Updated univalue lib to latest version. Fixed parsing of json from restclient * ms: added -hport as an argument in for unigridd. * ms: added mint class to handel values from hedgehog. did some cleanup. * ms: fixed compilation error * ms: rewrote the rest client so its now working and getting json data from hedgehog * ms: removed auto keyword * ms: changed return type to bool to check if data got tranferd as expected from hedgehog * ms: reverted c++ version to 14 from 17 Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * set depends to build with c++11 * compile cc++ test update * revert to old method of building boost that worked on OSX * remove native_b2 ref * remove native_cdrkit * build ref for native_libtapi * misisng endif * try bitcoin boost build method * errors compiling openssl with xcode 12.2 revert to 12.1 * test if old gitian build works with rest client update * revert boost to old build * reverting native cc tools build * revert depends make to master * missing cdrkit added * cdrkit in wrong directory * revert darwin host * remove updated gitian build script from this branch. If we decide to stick with gitian this can be pulled from the EG_uposx_12_1 branch. Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com> Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* rest client (#6) * guix: Add guix-verify script * guix-attest: Only use cross-platform flags for find+xargs * guix-attest: Use ascii-armor signatures * guix-attest: Allow skipping GPG signing with NO_SIGN * guix: Minor quoting fix in libexec/build.sh * guix: Construct $OUTDIR in ${DISTSRC}/output While files are being output to $OUTDIR, it will be under ${DISTSRC}/output, and only when everything is done, will ${DISTSRC}/output be moved to the actual $OUTDIR. This makes it so that a Ctrl-C in the middle of a build is less likely to result in a partially-constructed $OUTDIR. In fact, if I understand correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the move (rename) is likely atomic. Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be cleaned properly by the guix-clean script. * guix: Attest to inputs in inputs.SHA256SUMS At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest. Example final SHA256SUMS: ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz * guix: Skip attesting to dist-archive We already attest to the relevant dist-archive in inputs.SHA256SUMS, which is recorded at build-time. We use a SKIPATTEST.TAG file to indicate output directories which do not require attestation (much like the CACHEDIR.TAG specification). Generally, it's better to have build scripts declare properties of directories instead of introducing name-based special cases in attest scripts since build scripts have a more detailed context of what is going on. * guix: Consistently use gcc-8 for $HOST * guix-attest: Avoid incomplete sigdirs with ERR traps Sometimes GPG connects to the wrong agent... or you don't have your smartcard handy... * guix: install LIEF in Guix container Co-authored-by: Carl Dong <contact@carldong.me> * build: Makes rcc output always deterministic The Qt Resource Compiler (rcc) has a command-line option `--format-version` which has the default value 2. The only difference from `--format-version 1` is adding a last modified timestamp to the output file. That, in turn, forces us to use `QT_RCC_SOURCE_DATE_OVERRIDE=1` to get deterministic builds. This change makes rcc output always deterministic by using `--format-version 1` option that makes usage of the `QT_RCC_SOURCE_DATE_OVERRIDE` needless. Also it improves interaction with ccache. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Reindent existing manifest.scm * guix: Package codesigning tools * guix: Add codesigning functionality * guix: repro: Sort find output in libtool for gcc-8 Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not be reproducible and end up making the Bitcoin binaries non-reproducible as well. See: https://reproducible-builds.org/docs/archives/#gnu-libtool * guix: Remove dest if OUTDIR mv fails * guix: Check for disk space availability before building * Use latest signapple commit Update gitian and guix to use the same latest signapple commit * Make SHA256SUMS fragment right after build * Rewrite guix-{attest,verify} for new hier * scripts: LIEF 0.11.5 * guix-attest: Error out if SHA256SUMS is unexpected * guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64) Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we use 2.27. Running a Bitcoin build with toolchains based on 2.24 for platforms other than riscv64 seem to produce binaries which do not have 2.17 symbols. So use 2.24 since it's more recent and maintained by Debian Stretch. * guix: Build depends/qt with our platform definition Our 'bitcoin-linux-g++' definition better integrates with our depends system than the stock linux-g++-64 definition. This fixes a bug whereby Guix builds on x86_64 for x86_64 did not produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being built. * guix: Also sort SHA256SUMS.part * guix: no-longer pass --enable-glibc-back-compat to Guix Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV), we no-longer need to pass the --enable-glibc-back-compat option. Replace it with --disable-threadlocal, to prevent the usage of symbols from glibc 2.18. None of the binaries produced required symbols later than 2.17, and 2.27 (RISCV). * guix: add additional documentation to patches * Avoid GCC 7.1 ABI change warning in guix build * guix: Patch binutils to add security-related disable flags We use these flags in our test-security-check make target, but they are only available because debian patches them in. We can patch them in for our Guix builds so that we can check the sanity of our security/symbol checking suite before running them. * guix: Test security-check sanity before performing them * guix: Check for a sane services database On bare systems, it is possible to be lacking a services database. Check for basic entries before attempting a build. See the error message in the diff for more context. * guix: Update various check_tools lists * guix: Pin kernel header version - Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support) - Use 4.9 for all others (second-oldest LTS release, released in combination with glibc glibc 2.24 in Debian stretch) * guix: Bump to version-1.3.0 from upstream The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July 15th, 2021. Also fix visual indenting. * guix: Overhaul README - Added detailed Guix bootstrap/installation instructions * guix-attest: Produce and sign normalized documents That way we can easily combine the document and detached signature to produce cleartext signature files for upload during the release process. See subsequent commits which modify doc/release-process.md for more details. * guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting * guix/INSTALL: Guix installs init scripts in libdir * guix: Silence getent(1) invocation * guix/INSTALL: Misc fixups * guix/build: Remove vestigial SKIPATTEST.TAG * guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS * guix: Allow changing the base manifest in guix-verify When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. * Updated Readme, Corrected the codesign typo * script, doc: guix touchups * guix: Remove extra \r from all.SHA256SUMS line ending guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me> * guix: Ensure EPOCH_SOURCE_DATE does not include GPG information If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. * release: Release with separate SHA256SUMS and sig files This allows us to remove the rfc4880 EOL hacks and release with a SHA256SUMS.asc file that's a combination of all signer signatures. * guix-verify: Non-zero exit code when anything fails Previously, if verification fails, the correct message will be printed, but the exit code would still be 0. * guix: Don't include directory name in SHA256SUMS The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. Co-authored-by: Carl Dong <contact@carldong.me> * guix/prelude: Override VERSION with FORCE_VERSION Previously, if the builder exported $VERSION in their environment (as past Gitian-building docs told them to), but their HEAD does not actually point to v$VERSION, their build outputs will differ from those of other builders. This is because the contrib/guix/guix-* scripts only ever act on the current git worktree, and does not try to check out $VERSION if $VERSION is set in the environment. Setting $VERSION only makes the scripts pretend like the current worktree is $VERSION. This problem was seen in jonatack's attestation for all.SHA256SUMS, where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone else's. Here is my deduced sequence of events: 1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to guix.sigs 2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest changes from master in the same worktree where he guix-built 22.0rc3 and ends up at 7be143a 3. Aug 30th, sometime before POSIX time 1630315907: With his worktree still on 7be143a, he guix-codesigns. Normally, this would result in outputs going in guix-build-7be143a960e2, but he had VERSION=22.0rc3 in his environment, so the guix-* scripts pretended like he was building 22.0rc3, and used 22.0rc3's guix-build directory to locate un-codesigned outputs and dump codesigned ones. However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD (7be143a), which made all timestamps in the resulting codesigned DMG 1630310848, 7be143a's POSIX timestamp. This differs from the POSIX timestamp of 22.0rc3, which is 1630348517. Note that the windows codesigning procedure does not consider SOURCE_DATE_EPOCH. We resolve this by only allowing VERSION overrides via the FORCE_VERSION environment variable. * build: set OSX_MIN_VERSION to 10.15 This is required to use std::filesystem on macOS as support for it only landed in the libc++ dylib shipped with 10.15. See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes Clang now supports the C++17 <filesystem> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13. * Enable TLS in links in documentation * Integrate univalue into our buildsystem This addresses issues like the one in bitcoin#12467, where some of our compiler flags end up being dropped during the subconfigure of Univalue. Specifically, we're still using the compiler-default c++ version rather than forcing c++17. We can drop the need subconfigure completely in favor of a tighter build integration, where the sources are listed separately from the build recipes, so that they may be included directly by upstream projects. This is similar to the way leveldb build integration works in Core. Core benefits of this approach include: - Better caching (for ex. ccache and autoconf) - No need for a slow subconfigure - Faster autoconf - No more missing compile flags - Compile only the objects needed There are no benefits to Univalue itself that I can think of. These changes should be a no-op there, and to downstreams as well until they take advantage of the new sources.mk. This also removes the option to use an external univalue to avoid similar ABI issues with mystery binaries. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Fix powerpc64(le) dynamic linker name I used Guix's values for the powerpc64(le) dynamic linkers, and the /lib-prefix seems to be a Guix-ism rather than standard. The standard path for the linker-loaders start with /lib64. I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file. For future reference, loader path values can also be found on glibc's website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16 * build: require glibc 2.18+ for release builds From what I can see the only platform this drops support for is CentOS 7. CentOS 7 reached the end of it's "full update" support at the end of 2020. It does receive maintenance updates until 2024, however I don't think supporting glibc 2.17 until 2024 is realistic. Note that anyone wanting to self-compile and target a glibc 2.17 runtime could build with --disable-threadlocal. glibc 2.18 was released in August 2013. https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html * scripted-diff: Drop Darwin version for better maintainability -BEGIN VERIFY SCRIPT- sed -i 's/darwin19/darwin/g' $(git grep --files-with-matches 'darwin19') -END VERIFY SCRIPT- * test: Make more shell scripts verifiable by the `shellcheck` tool * test: Bump shellcheck version to 0.8.0 * scripted-diff: Insert missed copyright headers -BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/build.sh ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/codesign.sh ./contrib/devtools/copyright_header.py insert contrib/tracing/log_raw_p2p_msgs.py ./contrib/devtools/copyright_header.py insert contrib/tracing/log_utxocache_flush.py ./contrib/devtools/copyright_header.py insert contrib/tracing/p2p_monitor.py ./contrib/devtools/copyright_header.py insert test/lint/lint-files.sh -END VERIFY SCRIPT- * build: use a static .tiff for macOS .dmg over generating Co-authored-by: Pavol Rusnak <pavol@rusnak.io> * guix: use GCC 10 (over GCC 8) to build releases This currently points to the version-1.4.0 branch. * guix: use uptream nsis-x86_64 Our patch is now used upstream. * build: use python-asn1crypto from upstream It is the exact same package definition. * guix: use upstream python-requests (2.26.0) Upstream python requests is now modern enough to be used as a dependency for signapple. Which requires requests>=2.25.1. * build: Point Guix to the current top of the "version-1.4.0" branch * build: point to latest commit on the master branch The version-1.4.0 branch no-longer exists, and will be branched off master again shortly. * guix: ignore additioanl failing certvalidator test ====================================================================== ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z * build: Fix xargs warnings for Guix builds * build: use macOS 11 SDK (Xcode 12.2) This should be sufficient to support building for Apple ARM when cross-compiling. * guix: use autoconf 2.71 This allows for building with newer targets, like arm64-apple-darwin, due to having a newer bundled config.guess and config.sub. * guix: add arm64-apple-darwin triplet * build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix * build: Point Guix to recent commit on the master branch * Replace "can not" with "cannot" in docs, user messages, and tests * guix: use same commit for codesigning time-machine The time machines should be updated in lockstep. * build: Move guix time machine to prelude This deduplicates some code, and enforces consistency of the time machine configuration between scripts. * guix: only use native GCC 7 toolchain for Linux builds The macOS and Windows builds do not require a GCC 7 toolchain, and this is actually causing build issues, i.e bitcoin#24211. So switch to using a GCC 10 native toolchain for both. * guix: use latest upstream python-certvalidator This should also allow re-enabling previously failing tests. * guix: use latest upstream signapple This should improve support for signing for M1 binaries. * guix: Drop unneeded openssl dependency for signapple * guix: use latest signapple * guix: only check for the macOS SDK once If we are building for both macOS HOSTS, there's no need to check and print that the SDK exists two times. * guix: Use $HOST instead of generic osx{64} for macOS artifacts * guix: make it possible to override gpg binary For example on Qubes OS one might want to use qubes-gpg-client-wrapper instead * guix: Drop "-signed" suffix for signed macOS .dmg files This change makes naming of the signed artifacts consistent across different OSes, including Windows. * guix: Use "win64" for Windows artifacts consistently * Update signapple for platform identifier fix * doc, guix: Include arm64-apple-darwin into codesigned archs * guix: point to latest upstream commit * Revert "build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix" This reverts commit 7f2f35f. * macdeploy: remove unused detached-sig-apply Signature application is now done with signapple. * guix: Drop code for the unsupported `i686-linux-gnu` host Now GUIX build for the `i686-linux-gnu` host is broken, and there are no plans to re-add it. * contrib: use LIEF 0.12.0 for symbol and security checks * build: Fix "ERR: Unsigned tarballs do not exist" * guix: fix vmov alignment issues with gcc 10.3.0 & mingw-w64 This introduces a patch to our GCC (10.3.0) mingw-w64 compiler, in Guix, to make it avoid using aligned vmov instructions. This works around a longstanding issue in GCC, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54412, which was recently discovered to be causing issues, see bitcoin#24726. Note that distros like Debian are also patching around this issue, and that is where this patch comes from. This would also explain why we haven't run into this problem earlier, in development builds. See: https://salsa.debian.org/mingw-w64-team/gcc-mingw-w64/-/blob/master/debian/patches/vmov-alignment.patch. Fixes bitcoin#24726. Alternative to bitcoin#24727. See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939559 * build: don't compress macOS DMG * guix: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues This commit backports a patch to the GCC 10.3.0 we build for Windows cross-compilation in Guix. The commit has been backported to the GCC releases/gcc-10 branch, but hasn't yet made it into a release. The patch corrects a regression from an earlier GCC commit, see: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=357c4350680bf29f0c7a115424e3da11c53b5582 and https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=074226d5aa86cd3de517014acfe34c7f69a2ccc7, related to the way newer versions of mingw-w64 implement setjmp/longjmp. Ultimately this was causing a crash for us when Windows users were viewing the network traffic tab inside the GUI. After some period, long enough that a buffer would need reallocating, a call into FreeTypes gray_record_cell() would result in a call to ft_longjmp (longjmp), which would then trigger a crash. Fixes: bitcoin-core/gui#582. See also: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e8d1ca7d2c344a411779892616c423e157f4aea8. https://bugreports.qt.io/browse/QTBUG-93476. * guix: Improve error message about missed macOS SDK * guix: consolidate kernel headers to 5.15 Given no reason to use an older version of the kernel headers for the non-RISCV linux builds, consolidate all Linux builds to 5.15.x. Note that using older kernel headers isn't some sort of compatibility "hack", and glibc explicitly recommends against doing so. See: https://sourceware.org/glibc/wiki/FAQ#What_version_of_the_Linux_kernel_headers_should_be_used.3F. * build: include bitcoin.conf in build outputs copy over bitcoin.conf during the build process. this means `contrib/devtools/gen-bitcoin-conf.sh` will need to be run and the generated file committed during the release process. this is the same process used for generating man pages for each release. * guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 There are two reasons to perform this bump: * Fixes bitcoin#25082 by bumping to a commit that includes a fix for time-dependent unit tests in libgit2 (f5fe0082abe4547f3fb9f29d8351473cfb3a387b). * Gives us access to clang-toolchain-14 (14.0.3, 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681), which is useful for the Guix portion of bitcoin#21778. Note that with this bump: Linux kernels headers update from 5.15.28 to 5.15.37. * guix: compile glibc without -werror Compiling glibc 2.24 and 2.27 with the new GCC 10 results in a number of new warnings, i.e: ```bash libc-tls.c: In function ‘__libc_setup_tls’: libc-tls.c:208:30: error: array subscript 1 is outside the bounds of an interior zero-length array ‘struct dtv_slotinfo[0]’ [-Werror=zero-length-bounds] 208 | static_slotinfo.si.slotinfo[1].map = main_map; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~ In file included from ../sysdeps/x86_64/ldsodefs.h:54, from ../sysdeps/gnu/ldsodefs.h:46, from ../sysdeps/unix/sysv/linux/ldsodefs.h:25, from libc-tls.c:20: ../sysdeps/generic/ldsodefs.h:398:7: note: while referencing ‘slotinfo’ 398 | } slotinfo[0]; | ^~~~~~~~ ``` While we could try and backport all the patches required to fix these up, it would currently seem easier to disable -Werror, which Guix uses by default when building glibc. * guix: adjust RISC-V __has_include() patch to work with GCC 10 The actual macro is __has_include(), not __has_include__(), using the later would result in build failures when using GCC 10. i.e: ```bash ../sysdeps/unix/sysv/linux/riscv/flush-icache.c:24:5: warning: "__has_include__" is not defined, evaluates to 0 [-Wundef] 24 | #if __has_include__ (<asm/syscalls.h>) ``` Looks like at least someone else has run into the same thing, see: http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html. See also: https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html https://clang.llvm.org/docs/LanguageExtensions.html#has-include * guix: fix glibc 2.27 multiple definition warnings with GCC 10 * guix: use -fcommon when building glibc 2.24 GCC 10 started using -fno-common by default, which causes issues with the powerpc builds using gibc 2.24. A patch was commited to glibc to fix the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial to backport, and was broken in at least one way, see the followup in commit 7650321ce037302bfc2f026aa19e0213b8d02fe6. For now, retain the legacy GCC behaviour by passing -fcommon when building glibc 2.24. https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html. https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6 * guix: native GCC 10 toolchain for Linux builds * guix: re-revert riscv execstack workaround Now that we use GCC 10 for release builds, we no-longer need to pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries. This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when we reverted to using GCC 8. * guix: use libtool 2.4.7 As of version 2.4.7, libtool now respects ARFLAGS, which we use, and has changed the default ARFLAGS from cru to cr (which we also do, see configure). This eliminates spammy `ar` output such as: ```bash CXXLD libunivalue.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_zmq.a AR libbitcoin_consensus.a CXXLD crypto/libbitcoin_crypto_base.la CXXLD crypto/libbitcoin_crypto_sse41.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crypto/libbitcoin_crypto_avx2.la CXXLD crypto/libbitcoin_crypto_x86_shani.la CXXLD leveldb/libleveldb.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crc32c/libcrc32c.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD leveldb/libmemenv.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_cli.a ``` Libtool 2.4.7 release notes: https://lists.gnu.org/archive/html/autotools-announce/2022-03/msg00000.html * guix: remove explicit glibc stack protector disabling While glibc 2.25 and newer *can* be built with stack-smashing-protection enabled, it isn't used by default, and still isn't, as of glibc 2.35, so I can't see a reason to explicitly disable it. I'd also like to move in the direction of enabling, by default, hardening options for the toolchains we build, so removing the explicit disabling is a step in that direction. Will be following up with some changes based on this PR. * guix: parallelize LIEF build * guix: remove usage of -Wl,-z,noexecstack for PPC64 HOST The PPC64 ABI has a non-executable stack by default, and does not need a GNU_STACK program header. See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/include/asm/page_64.h#n92 * guix: use LIEF 0.12.1 * guix: patch LIEF to fix PPC64 NX default This patches our LIEF build using the change merged upstream: lief-project/LIEF#718. This can be dropped the next time we update LIEF. * guix: Map all guix store prefixes to /usr Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. * guix: Remove guix store paths from glibc Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. We might be able to drop this in favour of using --with-nonshared-cflags when we being using newer versions of glibc. * guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56 Our patch has been merged upstream, see LRGH/elfesteem#3 * guix: patch gcc 10 with pthreads to remap guix store paths * guix: Drop repetition of option's default value * guix: enable SSP for RISC-V glibc (2.27) Pass `--enable-stack-protector=all` when building the glibc used for the RISC-V toolchain, to enable stack smashing protection on all functions, in the glibc code. * guix: pass enable-bind-now to glibc Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times. See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html * guix: enable hardening options in GCC Build Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html * guix: ignore additional failing certvalidator test Similar to 8588591. ```bash ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z ``` * guix: patch NSIS to remove .reloc sections from install stubs With the release of binutils/ld 2.36, ld swapped to much improved default settings when producing windows binaries with mingw-w64. One of these changes was to stop stripping the .reloc section from binaries, which is required for working ASLR. .reloc section stripping is something we've accounted for previously, see bitcoin#18702. The related upstream discussion is in this thread: https://sourceware.org/bugzilla/show_bug.cgi?id=19011. When we switched to using a newer Guix time-machine in bitcoin#23778, we begun using binutils 2.37 to produce releases. Since then, our windows installer (produced with makensis) has not functioned correctly when run on a Windows system with the "Force randomization for images (Mandatory ASLR)" option enabled. Note that all of our other release binaries, which all contain .reloc sections, function fine under the same option, so it cannot be just the presence of a .reloc section that is the issue. For now, restore makensis to it's pre-binutils-2.36 behaviour, which fixes the produced installer. The underlying issue can be further investigated in future. * doc: minor updates to guix README * build: include share/rpcauth in tarball & installer Fixes bitcoin#19081. * guix: use --build={arch}-guix-linux-gnu in cross toolchain Technically we are always cross-compiling, so make that explicit. Fixes: bitcoin#22458. * guix: consistently use -ffile-prefix-map Aside from being the newer, more comprehensive option, it's what we claim to use in the patch docs, and everywhere else in guix. * guix: use git-minimal over git From the git-minimal package definition: > The size of the closure of 'git-minimal' is two thirds that of 'git'. > Its test suite runs slightly faster and most importantly it doesn't > depend on packages that are expensive to build such as Subversion. We don't need any fancy / additional git functionality above the basics, so switch to git-minimal and save some CPU, while also pruning the greater dependency graph. ```diff -name: git +name: git-minimal version: 2.37.3 outputs: -+ send-email: see Appendix H -+ svn: see Appendix H -+ credential-netrc: see Appendix H -+ credential-libsecret: see Appendix H -+ subtree: see Appendix H -+ gui: see Appendix H + out: everything else -systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux -dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37 perl-authen-sasl@2.16 perl-cgi@4.52 -+ perl-io-socket-ssl@2.068 perl-net-smtp-ssl@1.04 perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11 -location: gnu/packages/version-control.scm:222:2 +systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux +dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11 +location: gnu/packages/version-control.scm:608:2 homepage: https://git-scm.com/ license: GPL 2 synopsis: Distributed version control system ``` * guix: Drop perl package * Revert "guix: Build depends/qt with our platform definition" This reverts commit dc4137a. * MS: restclient start * MS: bumped c++ version from 14 to 17 * only gitian build for linux x86_64 for now. We can add back aarch64 later when needed. * Testing whether OSX SDK needs to updated for gitian building for c++17 * test if bitcoins last gitian-build method works with unigrid * yaml format error * updated darwin host file for py build gitian * Update depends make to work with latest build * update darwin builder for new gitian * DOWNLOAD_RETRIES:=3 readded for curl * linux host update gitian * check in default depends * upgrade dawrwin to 19 * use focal * remove i686 windows gitian * testing whether jammy has same compile error for osx cctools * switch back to focal * place guix in proper directory * guix util file * guix util file * lief is failing on guix build. try a newer version * change hash for lief * try and downgrade lief * lief hash * update darwin to never xcode version and osx 10.15 minimum * added missing native_clang depends * test jammy build focal cannot find repos * missing some jammy in build.py * build with kinetic * focal appears to be the only docker container that builds correctly * test building with g++9 linux * test if reverting to c++14 builds work * upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds. * use jammy for builds and test building with c++17 or 20 if available * force c++17 * don't check clock_gettime by default * docker still cannot find ubuntu jammy revert to focal * fdelt is required * aarch64 required to compile * disable arm build * test disable glib backward support * darwin builds were missing libtapi. native_cdrkit replaced with xorriso. * change order of native_libtapi * libtapi and clang are split out of cctools * darwin unable to find glibtoolize * upgrading boost and remove references to specific darwin versions * split boost into build/host * boost fail build on linux * define minimum required boost * adding missing required boost libraries after updating boost version * errors building with boost 1.73.0 revert back to 1.71.0 * wrong xcode version in darwin build * up boost version to 1.73.0 * test building with boost 1.80.0 * remove unused dependency and set min boost version * upgrading boost requires more refactoring * test if building osx works with c++11 * c++11 build fails on the rest client test to see if c++17 resolves this error * accidental edit of robin-hood submodule * use 12.2 osx sdk * use 12.2 osx sdk for gitian-builder * proper cheksum of Xcode * checksum was not correct * remove downloaded sdk * attempted build with boost 1.80 * revert to c++14 and downgrade boost * configure.ac set c++14 * Ms restclient (#5) * MS: Updated univalue lib to latest version. Fixed parsing of json from restclient * ms: added -hport as an argument in for unigridd. * ms: added mint class to handel values from hedgehog. did some cleanup. * ms: fixed compilation error * ms: rewrote the rest client so its now working and getting json data from hedgehog * ms: removed auto keyword * ms: changed return type to bool to check if data got tranferd as expected from hedgehog * ms: reverted c++ version to 14 from 17 Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * set depends to build with c++11 * compile cc++ test update * revert to old method of building boost that worked on OSX * remove native_b2 ref * remove native_cdrkit * build ref for native_libtapi * misisng endif * try bitcoin boost build method * errors compiling openssl with xcode 12.2 revert to 12.1 * test if old gitian build works with rest client update * revert boost to old build * reverting native cc tools build * revert depends make to master * missing cdrkit added * cdrkit in wrong directory * revert darwin host * remove updated gitian build script from this branch. If we decide to stick with gitian this can be pulled from the EG_uposx_12_1 branch. Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com> Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * refactor of masternode to gridnode. Init will check for masternode.conf and rename the file to gridnode.conf on startup. * having issues with the ubuntu bionic installs. try with ubuntu jammy * remove uneeded break as we are not looping through strings anymore * increase GLIBC version for newer OS building * A complete refactor of the repo, to update Unigrid's naming convention of gridnodes instead of masternodes. * refactor additions for gridnodes vs masternodes * spelling error Gridnodeconfig * SPORK_20_UNDONKEY_MNREWARDS refactored :D * set build environment to bionic for gitian Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com> Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

c90f6e5 guix: Consistently use gcc-8 for $HOST (Carl Dong) Pull request description: Only non-base commit is the last commit: bitcoin@b5abb07 Right now, here's what we use in Gitian: - Linux: Focal's [`g++-8-<arch>-linux-gnu`](https://packages.ubuntu.com/focal/g++-8-aarch64-linux-gnu) (`8.4.0-3ubuntu1cross1`) - MinGW-w64: Focal's [`g++-mingw-w64`](https://packages.ubuntu.com/focal/g++-mingw-w64) (`9.3.0-7ubuntu1+22~exp1ubuntu4`) In Guix right now we use `gcc-9` across the board. I think it makes more sense to use `gcc-8` across the board, as it doesn't suffer from the `memcmp` bug, and is what debian buster (stable) does, meaning it will be well tested ([`g++-mingw-w64`](https://packages.debian.org/buster/g++-mingw-w64), [`g++-aarch64-linux-gnu`](https://packages.debian.org/buster/g++-aarch64-linux-gnu)). We can accomplish this somewhat easily using Guix as we have tighter control over the toolchain (see: bitcoin@b5abb07). Let me know your thoughts! ACKs for top commit: MarcoFalke: Approach ACK c90f6e5, haven't reviewed laanwj: Code review ACK c90f6e5 hebasto: ACK c90f6e5, I have reviewed the code and it looks OK, I agree it can be merged. Tree-SHA512: 3e5b9297305232273323aa745ec417ed1be2418ead0e432db7742f5d5f45efe6e4a2ed44328731512cff4bfde80e5f2dc350a131b8b8fb9207a2ef66bce27ed2

* try and downgrade lief * lief hash * update darwin to never xcode version and osx 10.15 minimum * MS: Updated univalue lib to latest version. Fixed parsing of json from restclient * added missing native_clang depends * test jammy build focal cannot find repos * missing some jammy in build.py * build with kinetic * ms: added -hport as an argument in for unigridd. * focal appears to be the only docker container that builds correctly * ms: added mint class to handel values from hedgehog. did some cleanup. * test building with g++9 linux * test if reverting to c++14 builds work * upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds. * ms: fixed compilation error * use jammy for builds and test building with c++17 or 20 if available * force c++17 * don't check clock_gettime by default * docker still cannot find ubuntu jammy revert to focal * fdelt is required * aarch64 required to compile * disable arm build * test disable glib backward support * darwin builds were missing libtapi. native_cdrkit replaced with xorriso. * change order of native_libtapi * libtapi and clang are split out of cctools * darwin unable to find glibtoolize * upgrading boost and remove references to specific darwin versions * split boost into build/host * boost fail build on linux * define minimum required boost * adding missing required boost libraries after updating boost version * errors building with boost 1.73.0 revert back to 1.71.0 * wrong xcode version in darwin build * up boost version to 1.73.0 * test building with boost 1.80.0 * remove unused dependency and set min boost version * upgrading boost requires more refactoring * ms: rewrote the rest client so its now working and getting json data from hedgehog * test if building osx works with c++11 * c++11 build fails on the rest client test to see if c++17 resolves this error * ms: removed auto keyword * accidental edit of robin-hood submodule * use 12.2 osx sdk * use 12.2 osx sdk for gitian-builder * proper cheksum of Xcode * ms: changed return type to bool to check if data got tranferd as expected from hedgehog * checksum was not correct * remove downloaded sdk * attempted build with boost 1.80 * ms: reverted c++ version to 14 from 17 * revert to c++14 and downgrade boost * configure.ac set c++14 * ms: rest client done. started work on hadeling locking of tokens * ms: blocks transactions from minted addresses * ms: mint hedgehog supply * Eg refactormasternode (#8) * rest client (#6) * guix: Add guix-verify script * guix-attest: Only use cross-platform flags for find+xargs * guix-attest: Use ascii-armor signatures * guix-attest: Allow skipping GPG signing with NO_SIGN * guix: Minor quoting fix in libexec/build.sh * guix: Construct $OUTDIR in ${DISTSRC}/output While files are being output to $OUTDIR, it will be under ${DISTSRC}/output, and only when everything is done, will ${DISTSRC}/output be moved to the actual $OUTDIR. This makes it so that a Ctrl-C in the middle of a build is less likely to result in a partially-constructed $OUTDIR. In fact, if I understand correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the move (rename) is likely atomic. Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be cleaned properly by the guix-clean script. * guix: Attest to inputs in inputs.SHA256SUMS At build/codesigning-time, hash build inputs and output the digest to ${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS constructed by guix-attest. Example final SHA256SUMS: ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20 inputs/bitcoin-78199266af7b.tar.gz ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21 bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327 bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz * guix: Skip attesting to dist-archive We already attest to the relevant dist-archive in inputs.SHA256SUMS, which is recorded at build-time. We use a SKIPATTEST.TAG file to indicate output directories which do not require attestation (much like the CACHEDIR.TAG specification). Generally, it's better to have build scripts declare properties of directories instead of introducing name-based special cases in attest scripts since build scripts have a more detailed context of what is going on. * guix: Consistently use gcc-8 for $HOST * guix-attest: Avoid incomplete sigdirs with ERR traps Sometimes GPG connects to the wrong agent... or you don't have your smartcard handy... * guix: install LIEF in Guix container Co-authored-by: Carl Dong <contact@carldong.me> * build: Makes rcc output always deterministic The Qt Resource Compiler (rcc) has a command-line option `--format-version` which has the default value 2. The only difference from `--format-version 1` is adding a last modified timestamp to the output file. That, in turn, forces us to use `QT_RCC_SOURCE_DATE_OVERRIDE=1` to get deterministic builds. This change makes rcc output always deterministic by using `--format-version 1` option that makes usage of the `QT_RCC_SOURCE_DATE_OVERRIDE` needless. Also it improves interaction with ccache. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Reindent existing manifest.scm * guix: Package codesigning tools * guix: Add codesigning functionality * guix: repro: Sort find output in libtool for gcc-8 Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not be reproducible and end up making the Bitcoin binaries non-reproducible as well. See: https://reproducible-builds.org/docs/archives/#gnu-libtool * guix: Remove dest if OUTDIR mv fails * guix: Check for disk space availability before building * Use latest signapple commit Update gitian and guix to use the same latest signapple commit * Make SHA256SUMS fragment right after build * Rewrite guix-{attest,verify} for new hier * scripts: LIEF 0.11.5 * guix-attest: Error out if SHA256SUMS is unexpected * guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64) Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we use 2.27. Running a Bitcoin build with toolchains based on 2.24 for platforms other than riscv64 seem to produce binaries which do not have 2.17 symbols. So use 2.24 since it's more recent and maintained by Debian Stretch. * guix: Build depends/qt with our platform definition Our 'bitcoin-linux-g++' definition better integrates with our depends system than the stock linux-g++-64 definition. This fixes a bug whereby Guix builds on x86_64 for x86_64 did not produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being built. * guix: Also sort SHA256SUMS.part * guix: no-longer pass --enable-glibc-back-compat to Guix Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV), we no-longer need to pass the --enable-glibc-back-compat option. Replace it with --disable-threadlocal, to prevent the usage of symbols from glibc 2.18. None of the binaries produced required symbols later than 2.17, and 2.27 (RISCV). * guix: add additional documentation to patches * Avoid GCC 7.1 ABI change warning in guix build * guix: Patch binutils to add security-related disable flags We use these flags in our test-security-check make target, but they are only available because debian patches them in. We can patch them in for our Guix builds so that we can check the sanity of our security/symbol checking suite before running them. * guix: Test security-check sanity before performing them * guix: Check for a sane services database On bare systems, it is possible to be lacking a services database. Check for basic entries before attempting a build. See the error message in the diff for more context. * guix: Update various check_tools lists * guix: Pin kernel header version - Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support) - Use 4.9 for all others (second-oldest LTS release, released in combination with glibc glibc 2.24 in Debian stretch) * guix: Bump to version-1.3.0 from upstream The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July 15th, 2021. Also fix visual indenting. * guix: Overhaul README - Added detailed Guix bootstrap/installation instructions * guix-attest: Produce and sign normalized documents That way we can easily combine the document and detached signature to produce cleartext signature files for upload during the release process. See subsequent commits which modify doc/release-process.md for more details. * guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting * guix/INSTALL: Guix installs init scripts in libdir * guix: Silence getent(1) invocation * guix/INSTALL: Misc fixups * guix/build: Remove vestigial SKIPATTEST.TAG * guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS * guix: Allow changing the base manifest in guix-verify When verifying guix attestations, it is useful to set a particular signer's manifest as the base to compare against. * Updated Readme, Corrected the codesign typo * script, doc: guix touchups * guix: Remove extra \r from all.SHA256SUMS line ending guix-attest mistakenly added an extra \r to the line endings in all.SHA256SUMS, causing guix-verify to erroneously fail. Co-Authored-By: Carl Dong <contact@carldong.me> * guix: Ensure EPOCH_SOURCE_DATE does not include GPG information If the user has set log.showSignature=true in their git config, then the git log will always output GPG signature information. Since git log is used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature information in it which causes issues for the build. To avoid this issue, we override the config and force log.showSignature=false. * release: Release with separate SHA256SUMS and sig files This allows us to remove the rfc4880 EOL hacks and release with a SHA256SUMS.asc file that's a combination of all signer signatures. * guix-verify: Non-zero exit code when anything fails Previously, if verification fails, the correct message will be printed, but the exit code would still be 0. * guix: Don't include directory name in SHA256SUMS The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries. Co-authored-by: Carl Dong <contact@carldong.me> * guix/prelude: Override VERSION with FORCE_VERSION Previously, if the builder exported $VERSION in their environment (as past Gitian-building docs told them to), but their HEAD does not actually point to v$VERSION, their build outputs will differ from those of other builders. This is because the contrib/guix/guix-* scripts only ever act on the current git worktree, and does not try to check out $VERSION if $VERSION is set in the environment. Setting $VERSION only makes the scripts pretend like the current worktree is $VERSION. This problem was seen in jonatack's attestation for all.SHA256SUMS, where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone else's. Here is my deduced sequence of events: 1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to guix.sigs 2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest changes from master in the same worktree where he guix-built 22.0rc3 and ends up at 7be143a960e2 3. Aug 30th, sometime before POSIX time 1630315907: With his worktree still on 7be143a960e2, he guix-codesigns. Normally, this would result in outputs going in guix-build-7be143a960e2, but he had VERSION=22.0rc3 in his environment, so the guix-* scripts pretended like he was building 22.0rc3, and used 22.0rc3's guix-build directory to locate un-codesigned outputs and dump codesigned ones. However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD (7be143a960e2), which made all timestamps in the resulting codesigned DMG 1630310848, 7be143a960e2's POSIX timestamp. This differs from the POSIX timestamp of 22.0rc3, which is 1630348517. Note that the windows codesigning procedure does not consider SOURCE_DATE_EPOCH. We resolve this by only allowing VERSION overrides via the FORCE_VERSION environment variable. * build: set OSX_MIN_VERSION to 10.15 This is required to use std::filesystem on macOS as support for it only landed in the libc++ dylib shipped with 10.15. See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes Clang now supports the C++17 <filesystem> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13. * Enable TLS in links in documentation * Integrate univalue into our buildsystem This addresses issues like the one in #12467, where some of our compiler flags end up being dropped during the subconfigure of Univalue. Specifically, we're still using the compiler-default c++ version rather than forcing c++17. We can drop the need subconfigure completely in favor of a tighter build integration, where the sources are listed separately from the build recipes, so that they may be included directly by upstream projects. This is similar to the way leveldb build integration works in Core. Core benefits of this approach include: - Better caching (for ex. ccache and autoconf) - No need for a slow subconfigure - Faster autoconf - No more missing compile flags - Compile only the objects needed There are no benefits to Univalue itself that I can think of. These changes should be a no-op there, and to downstreams as well until they take advantage of the new sources.mk. This also removes the option to use an external univalue to avoid similar ABI issues with mystery binaries. Co-authored-by: fanquake <fanquake@gmail.com> * guix: Fix powerpc64(le) dynamic linker name I used Guix's values for the powerpc64(le) dynamic linkers, and the /lib-prefix seems to be a Guix-ism rather than standard. The standard path for the linker-loaders start with /lib64. I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file. For future reference, loader path values can also be found on glibc's website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16 * build: require glibc 2.18+ for release builds From what I can see the only platform this drops support for is CentOS 7. CentOS 7 reached the end of it's "full update" support at the end of 2020. It does receive maintenance updates until 2024, however I don't think supporting glibc 2.17 until 2024 is realistic. Note that anyone wanting to self-compile and target a glibc 2.17 runtime could build with --disable-threadlocal. glibc 2.18 was released in August 2013. https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html * scripted-diff: Drop Darwin version for better maintainability -BEGIN VERIFY SCRIPT- sed -i 's/darwin19/darwin/g' $(git grep --files-with-matches 'darwin19') -END VERIFY SCRIPT- * test: Make more shell scripts verifiable by the `shellcheck` tool * test: Bump shellcheck version to 0.8.0 * scripted-diff: Insert missed copyright headers -BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/build.sh ./contrib/devtools/copyright_header.py insert contrib/guix/libexec/codesign.sh ./contrib/devtools/copyright_header.py insert contrib/tracing/log_raw_p2p_msgs.py ./contrib/devtools/copyright_header.py insert contrib/tracing/log_utxocache_flush.py ./contrib/devtools/copyright_header.py insert contrib/tracing/p2p_monitor.py ./contrib/devtools/copyright_header.py insert test/lint/lint-files.sh -END VERIFY SCRIPT- * build: use a static .tiff for macOS .dmg over generating Co-authored-by: Pavol Rusnak <pavol@rusnak.io> * guix: use GCC 10 (over GCC 8) to build releases This currently points to the version-1.4.0 branch. * guix: use uptream nsis-x86_64 Our patch is now used upstream. * build: use python-asn1crypto from upstream It is the exact same package definition. * guix: use upstream python-requests (2.26.0) Upstream python requests is now modern enough to be used as a dependency for signapple. Which requires requests>=2.25.1. * build: Point Guix to the current top of the "version-1.4.0" branch * build: point to latest commit on the master branch The version-1.4.0 branch no-longer exists, and will be branched off master again shortly. * guix: ignore additioanl failing certvalidator test ====================================================================== ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z * build: Fix xargs warnings for Guix builds * build: use macOS 11 SDK (Xcode 12.2) This should be sufficient to support building for Apple ARM when cross-compiling. * guix: use autoconf 2.71 This allows for building with newer targets, like arm64-apple-darwin, due to having a newer bundled config.guess and config.sub. * guix: add arm64-apple-darwin triplet * build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix * build: Point Guix to recent commit on the master branch * Replace "can not" with "cannot" in docs, user messages, and tests * guix: use same commit for codesigning time-machine The time machines should be updated in lockstep. * build: Move guix time machine to prelude This deduplicates some code, and enforces consistency of the time machine configuration between scripts. * guix: only use native GCC 7 toolchain for Linux builds The macOS and Windows builds do not require a GCC 7 toolchain, and this is actually causing build issues, i.e #24211. So switch to using a GCC 10 native toolchain for both. * guix: use latest upstream python-certvalidator This should also allow re-enabling previously failing tests. * guix: use latest upstream signapple This should improve support for signing for M1 binaries. * guix: Drop unneeded openssl dependency for signapple * guix: use latest signapple * guix: only check for the macOS SDK once If we are building for both macOS HOSTS, there's no need to check and print that the SDK exists two times. * guix: Use $HOST instead of generic osx{64} for macOS artifacts * guix: make it possible to override gpg binary For example on Qubes OS one might want to use qubes-gpg-client-wrapper instead * guix: Drop "-signed" suffix for signed macOS .dmg files This change makes naming of the signed artifacts consistent across different OSes, including Windows. * guix: Use "win64" for Windows artifacts consistently * Update signapple for platform identifier fix * doc, guix: Include arm64-apple-darwin into codesigned archs * guix: point to latest upstream commit * Revert "build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix" This reverts commit 7f2f35fe20c7706d547fa22a62521fe926f9c12b. * macdeploy: remove unused detached-sig-apply Signature application is now done with signapple. * guix: Drop code for the unsupported `i686-linux-gnu` host Now GUIX build for the `i686-linux-gnu` host is broken, and there are no plans to re-add it. * contrib: use LIEF 0.12.0 for symbol and security checks * build: Fix "ERR: Unsigned tarballs do not exist" * guix: fix vmov alignment issues with gcc 10.3.0 & mingw-w64 This introduces a patch to our GCC (10.3.0) mingw-w64 compiler, in Guix, to make it avoid using aligned vmov instructions. This works around a longstanding issue in GCC, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54412, which was recently discovered to be causing issues, see #24726. Note that distros like Debian are also patching around this issue, and that is where this patch comes from. This would also explain why we haven't run into this problem earlier, in development builds. See: https://salsa.debian.org/mingw-w64-team/gcc-mingw-w64/-/blob/master/debian/patches/vmov-alignment.patch. Fixes #24726. Alternative to #24727. See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939559 * build: don't compress macOS DMG * guix: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues This commit backports a patch to the GCC 10.3.0 we build for Windows cross-compilation in Guix. The commit has been backported to the GCC releases/gcc-10 branch, but hasn't yet made it into a release. The patch corrects a regression from an earlier GCC commit, see: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=357c4350680bf29f0c7a115424e3da11c53b5582 and https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=074226d5aa86cd3de517014acfe34c7f69a2ccc7, related to the way newer versions of mingw-w64 implement setjmp/longjmp. Ultimately this was causing a crash for us when Windows users were viewing the network traffic tab inside the GUI. After some period, long enough that a buffer would need reallocating, a call into FreeTypes gray_record_cell() would result in a call to ft_longjmp (longjmp), which would then trigger a crash. Fixes: https://github.com/bitcoin-core/gui/issues/582. See also: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e8d1ca7d2c344a411779892616c423e157f4aea8. https://bugreports.qt.io/browse/QTBUG-93476. * guix: Improve error message about missed macOS SDK * guix: consolidate kernel headers to 5.15 Given no reason to use an older version of the kernel headers for the non-RISCV linux builds, consolidate all Linux builds to 5.15.x. Note that using older kernel headers isn't some sort of compatibility "hack", and glibc explicitly recommends against doing so. See: https://sourceware.org/glibc/wiki/FAQ#What_version_of_the_Linux_kernel_headers_should_be_used.3F. * build: include bitcoin.conf in build outputs copy over bitcoin.conf during the build process. this means `contrib/devtools/gen-bitcoin-conf.sh` will need to be run and the generated file committed during the release process. this is the same process used for generating man pages for each release. * guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 There are two reasons to perform this bump: * Fixes #25082 by bumping to a commit that includes a fix for time-dependent unit tests in libgit2 (f5fe0082abe4547f3fb9f29d8351473cfb3a387b). * Gives us access to clang-toolchain-14 (14.0.3, 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681), which is useful for the Guix portion of #21778. Note that with this bump: Linux kernels headers update from 5.15.28 to 5.15.37. * guix: compile glibc without -werror Compiling glibc 2.24 and 2.27 with the new GCC 10 results in a number of new warnings, i.e: ```bash libc-tls.c: In function ‘__libc_setup_tls’: libc-tls.c:208:30: error: array subscript 1 is outside the bounds of an interior zero-length array ‘struct dtv_slotinfo[0]’ [-Werror=zero-length-bounds] 208 | static_slotinfo.si.slotinfo[1].map = main_map; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~ In file included from ../sysdeps/x86_64/ldsodefs.h:54, from ../sysdeps/gnu/ldsodefs.h:46, from ../sysdeps/unix/sysv/linux/ldsodefs.h:25, from libc-tls.c:20: ../sysdeps/generic/ldsodefs.h:398:7: note: while referencing ‘slotinfo’ 398 | } slotinfo[0]; | ^~~~~~~~ ``` While we could try and backport all the patches required to fix these up, it would currently seem easier to disable -Werror, which Guix uses by default when building glibc. * guix: adjust RISC-V __has_include() patch to work with GCC 10 The actual macro is __has_include(), not __has_include__(), using the later would result in build failures when using GCC 10. i.e: ```bash ../sysdeps/unix/sysv/linux/riscv/flush-icache.c:24:5: warning: "__has_include__" is not defined, evaluates to 0 [-Wundef] 24 | #if __has_include__ (<asm/syscalls.h>) ``` Looks like at least someone else has run into the same thing, see: http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html. See also: https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html https://clang.llvm.org/docs/LanguageExtensions.html#has-include * guix: fix glibc 2.27 multiple definition warnings with GCC 10 * guix: use -fcommon when building glibc 2.24 GCC 10 started using -fno-common by default, which causes issues with the powerpc builds using gibc 2.24. A patch was commited to glibc to fix the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial to backport, and was broken in at least one way, see the followup in commit 7650321ce037302bfc2f026aa19e0213b8d02fe6. For now, retain the legacy GCC behaviour by passing -fcommon when building glibc 2.24. https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html. https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6 * guix: native GCC 10 toolchain for Linux builds * guix: re-revert riscv execstack workaround Now that we use GCC 10 for release builds, we no-longer need to pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries. This was originally removed in #21036, but then re-added in #21799, when we reverted to using GCC 8. * guix: use libtool 2.4.7 As of version 2.4.7, libtool now respects ARFLAGS, which we use, and has changed the default ARFLAGS from cru to cr (which we also do, see configure). This eliminates spammy `ar` output such as: ```bash CXXLD libunivalue.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_zmq.a AR libbitcoin_consensus.a CXXLD crypto/libbitcoin_crypto_base.la CXXLD crypto/libbitcoin_crypto_sse41.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crypto/libbitcoin_crypto_avx2.la CXXLD crypto/libbitcoin_crypto_x86_shani.la CXXLD leveldb/libleveldb.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD crc32c/libcrc32c.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') CXXLD leveldb/libmemenv.la /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') /root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U') AR libbitcoin_cli.a ``` Libtool 2.4.7 release notes: https://lists.gnu.org/archive/html/autotools-announce/2022-03/msg00000.html * guix: remove explicit glibc stack protector disabling While glibc 2.25 and newer *can* be built with stack-smashing-protection enabled, it isn't used by default, and still isn't, as of glibc 2.35, so I can't see a reason to explicitly disable it. I'd also like to move in the direction of enabling, by default, hardening options for the toolchains we build, so removing the explicit disabling is a step in that direction. Will be following up with some changes based on this PR. * guix: parallelize LIEF build * guix: remove usage of -Wl,-z,noexecstack for PPC64 HOST The PPC64 ABI has a non-executable stack by default, and does not need a GNU_STACK program header. See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/include/asm/page_64.h#n92 * guix: use LIEF 0.12.1 * guix: patch LIEF to fix PPC64 NX default This patches our LIEF build using the change merged upstream: https://github.com/lief-project/LIEF/pull/718. This can be dropped the next time we update LIEF. * guix: Map all guix store prefixes to /usr Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. * guix: Remove guix store paths from glibc Without ffile-prefix-map, the debug symbols will contain paths for the guix store which will include the hashes of each package. However, the hash for the same package will differ when on different architectures. In order to be reproducible regardless of the architecture used to build the package, map all guix store prefixes to something fixed, e.g. /usr. We might be able to drop this in favour of using --with-nonshared-cflags when we being using newer versions of glibc. * guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56 Our patch has been merged upstream, see https://github.com/LRGH/elfesteem/pull/3 * guix: patch gcc 10 with pthreads to remap guix store paths * guix: Drop repetition of option's default value * guix: enable SSP for RISC-V glibc (2.27) Pass `--enable-stack-protector=all` when building the glibc used for the RISC-V toolchain, to enable stack smashing protection on all functions, in the glibc code. * guix: pass enable-bind-now to glibc Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times. See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html * guix: enable hardening options in GCC Build Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html * guix: ignore additional failing certvalidator test Similar to 85885919656a3f606f3d7f208378aabe95f3f62d. ```bash ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft validate_path(context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path return _validate_path(validation_context, path) File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path raise PathValidationError(pretty_message( certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z ``` * guix: patch NSIS to remove .reloc sections from install stubs With the release of binutils/ld 2.36, ld swapped to much improved default settings when producing windows binaries with mingw-w64. One of these changes was to stop stripping the .reloc section from binaries, which is required for working ASLR. .reloc section stripping is something we've accounted for previously, see #18702. The related upstream discussion is in this thread: https://sourceware.org/bugzilla/show_bug.cgi?id=19011. When we switched to using a newer Guix time-machine in #23778, we begun using binutils 2.37 to produce releases. Since then, our windows installer (produced with makensis) has not functioned correctly when run on a Windows system with the "Force randomization for images (Mandatory ASLR)" option enabled. Note that all of our other release binaries, which all contain .reloc sections, function fine under the same option, so it cannot be just the presence of a .reloc section that is the issue. For now, restore makensis to it's pre-binutils-2.36 behaviour, which fixes the produced installer. The underlying issue can be further investigated in future. * doc: minor updates to guix README * build: include share/rpcauth in tarball & installer Fixes #19081. * guix: use --build={arch}-guix-linux-gnu in cross toolchain Technically we are always cross-compiling, so make that explicit. Fixes: #22458. * guix: consistently use -ffile-prefix-map Aside from being the newer, more comprehensive option, it's what we claim to use in the patch docs, and everywhere else in guix. * guix: use git-minimal over git From the git-minimal package definition: > The size of the closure of 'git-minimal' is two thirds that of 'git'. > Its test suite runs slightly faster and most importantly it doesn't > depend on packages that are expensive to build such as Subversion. We don't need any fancy / additional git functionality above the basics, so switch to git-minimal and save some CPU, while also pruning the greater dependency graph. ```diff -name: git +name: git-minimal version: 2.37.3 outputs: -+ send-email: see Appendix H -+ svn: see Appendix H -+ credential-netrc: see Appendix H -+ credential-libsecret: see Appendix H -+ subtree: see Appendix H -+ gui: see Appendix H + out: everything else -systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux -dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37 perl-authen-sasl@2.16 perl-cgi@4.52 -+ perl-io-socket-ssl@2.068 perl-net-smtp-ssl@1.04 perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11 -location: gnu/packages/version-control.scm:222:2 +systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux +dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11 +location: gnu/packages/version-control.scm:608:2 homepage: https://git-scm.com/ license: GPL 2 synopsis: Distributed version control system ``` * guix: Drop perl package * Revert "guix: Build depends/qt with our platform definition" This reverts commit dc4137a60c99979b89f75d2bddba96d043f387b8. * MS: restclient start * MS: bumped c++ version from 14 to 17 * only gitian build for linux x86_64 for now. We can add back aarch64 later when needed. * Testing whether OSX SDK needs to updated for gitian building for c++17 * test if bitcoins last gitian-build method works with unigrid * yaml format error * updated darwin host file for py build gitian * Update depends make to work with latest build * update darwin builder for new gitian * DOWNLOAD_RETRIES:=3 readded for curl * linux host update gitian * check in default depends * upgrade dawrwin to 19 * use focal * remove i686 windows gitian * testing whether jammy has same compile error for osx cctools * switch back to focal * place guix in proper directory * guix util file * guix util file * lief is failing on guix build. try a newer version * change hash for lief * try and downgrade lief * lief hash * update darwin to never xcode version and osx 10.15 minimum * added missing native_clang depends * test jammy build focal cannot find repos * missing some jammy in build.py * build with kinetic * focal appears to be the only docker container that builds correctly * test building with g++9 linux * test if reverting to c++14 builds work * upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds. * use jammy for builds and test building with c++17 or 20 if available * force c++17 * don't check clock_gettime by default * docker still cannot find ubuntu jammy revert to focal * fdelt is required * aarch64 required to compile * disable arm build * test disable glib backward support * darwin builds were missing libtapi. native_cdrkit replaced with xorriso. * change order of native_libtapi * libtapi and clang are split out of cctools * darwin unable to find glibtoolize * upgrading boost and remove references to specific darwin versions * split boost into build/host * boost fail build on linux * define minimum required boost * adding missing required boost libraries after updating boost version * errors building with boost 1.73.0 revert back to 1.71.0 * wrong xcode version in darwin build * up boost version to 1.73.0 * test building with boost 1.80.0 * remove unused dependency and set min boost version * upgrading boost requires more refactoring * test if building osx works with c++11 * c++11 build fails on the rest client test to see if c++17 resolves this error * accidental edit of robin-hood submodule * use 12.2 osx sdk * use 12.2 osx sdk for gitian-builder * proper cheksum of Xcode * checksum was not correct * remove downloaded sdk * attempted build with boost 1.80 * revert to c++14 and downgrade boost * configure.ac set c++14 * Ms restclient (#5) * MS: Updated univalue lib to latest version. Fixed parsing of json from restclient * ms: added -hport as an argument in for unigridd. * ms: added mint class to handel values from hedgehog. did some cleanup. * ms: fixed compilation error * ms: rewrote the rest client so its now working and getting json data from hedgehog * ms: removed auto keyword * ms: changed return type to bool to check if data got tranferd as expected from hedgehog * ms: reverted c++ version to 14 from 17 Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * set depends to build with c++11 * compile cc++ test update * revert to old method of building boost that worked on OSX * remove native_b2 ref * remove native_cdrkit * build ref for native_libtapi * misisng endif * try bitcoin boost build method * errors compiling openssl with xcode 12.2 revert to 12.1 * test if old gitian build works with rest client update * revert boost to old build * reverting native cc tools build * revert depends make to master * missing cdrkit added * cdrkit in wrong directory * revert darwin host * remove updated gitian build script from this branch. If we decide to stick with gitian this can be pulled from the EG_uposx_12_1 branch. Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com> Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * refactor of masternode to gridnode. Init will check for masternode.conf and rename the file to gridnode.conf on startup. * having issues with the ubuntu bionic installs. try with ubuntu jammy * remove uneeded break as we are not looping through strings anymore * increase GLIBC version for newer OS building * A complete refactor of the repo, to update Unigrid's naming convention of gridnodes instead of masternodes. * refactor additions for gridnodes vs masternodes * spelling error Gridnodeconfig * SPORK_20_UNDONKEY_MNREWARDS refactored :D * set build environment to bionic for gitian Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com> Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> * build environment should be bionic * fix compiler error for unsupported c++ * target is needed here * move CheckIfLockPeriodIsActive where bools are declared * remove {} from return * ms: last check for minted amount added. * remove broken code * ms: changed colleteral amount to 2000. * ms: started working out a way to start a new chain to test * set start time for zerocoin in the future so testnet does not look for it at the start * pass chain height to get best block * remove duplicate regtest * height is a method * missing ) * add echo * log chain height * height is -1 at the start * pass height to assert * assert only if not on genesis * or on assert check * asset if -1 is true * print blockhash * accidental overwrite in last commit * output GetBestBlock * convert best block to string * print cacheCoins * print cacheCoins * tray creating coins view with blockhash -1 * misc * ignore assert for flush if block height -1 * move initialize calls before InitBlockIndex * undo last commit * getting test net working * ms: uncommented stuff * refactor the test file to unigrid * hard code in a testnet seed node * vSeeds needs to clear for testnet * adding two hard coded seed nodes for testnet * refactor all Gridnode names in rpc to gridnode * set testnet to mine up to block 2000 and lower gridnode collateral to 10 * update chainparams with devPubKey and set max coins the same value as mainnnet * set gn amount to 100 * use Params().GridnodeCollateral() for gn collateral * change max money out back to testnet defaults * set max money out at 25000000000 there appears to be a pre-mine on first gridnode reward * set testnet node collateral to the same as mainnnet. Also the max money out. * removing code referencing bitcoin blocks * set mainnet back to current collateral * fix bootstrap download * update download bootstrap check * added a line break as removing the addnodes placed unigridstake on the same line as the rpcpassword * last pow testnet 20 and comment out block rewards for testnet * set downloadBootstrap to false if passed in as the value is never set * switch check flag for download * add some outputs on what is happening with the bootstrap download * reverse download check * set flag for download only true * log nobootstrap arg * only check for bootstrap if not testnet * lower block maturity and increase mining to 30 blocks * ms: got testnet staking * set last POW to 50 as modern cpus will mine the last block too fast * ms: fixed overflow error in amount in mint. * test whether staking still works with gridnodeSync * change addnode to connect. We don't want this test network connecting to the main networks. * script was tring to remove swipp items instead of unigrid * force return of GRIDNODE_SYNC_FINISHED for testnet so we can start staking * skipping this check stakes although it never returns staking is active. It also likely breaks gn payments for testnet. * set nGridnodeCountDrift to 0 on testnet * Keep exact input amount for GN for now. There is another place the daemon checks which breaks them if its the wrong input. * find all other locations collateral is checked * test if this ignores gnsync on testnet * place the gnsync check in the actaul call so all checks determine whether we are testnet or not * test coin control with create transaction * add reference to coinControl * add coincontrol.h to rpc wallet * remove log for return key * print wtx.strFromAccount * comment out destChange * added a call to get local addresses in a map. SOme notes on how to handle locking minted tokens in wallet.cpp * ms: changed how we add the mint to transaction index * checking loadBlockIndex was removed for some reason in an earlier commit * comment out isTimeToMint to test if this is causing a full reindex * add back old assert assert(hashPrevBlock == view.GetBestBlock()) * remove log spam of block info * set hashBlock back to -1 * skip check block to see if the issue is here * broken log * CheckBlock is not the issue * ms: changes in create transactions to lock transactions from minted addresses * disable setting genesis to test mainnet * log loading block from disk * update log * move setbest block to the end * only check GetHash for testnet as mainnet does not need this * added coin control if we are sending to a local address that is locked * ms: added checks to stop transactions from minted addresses * the numbers here cannot change for mainnet as they are required to confirm old blocks * ms: removed log prints that spamed the log. change a if statment to specificly only allow transfers to the minted address from a minted address * two different asserts for main and testnets * test whether syncing works mainnet * set genesis to view if there is a match * add a line break on exception here * ms: fixed shutdown when not finding hedgehog. * ms: small changes to handel when hedgehog dosent have any mint data yet * disable shutdown for test * return true for checktx on lock to test * test getbestblock * only check prev block for testnet as this is interfering with mainnet sync * revert MAIN to old method of checking previous block * redo order in init loading block index * regorg init block index * test InitBlockIndex after pcoin * block index was checking twice * disable shutdown to see if mainnet actually syncs * disable log for waiting to mint * disable spam from calling cli * only output true for time to mint * test if the order here was what causes testnet to not start * remove commented code. if used it breaks testnet starting properly. * MS: changed how no connecting hedgehog workes. it will wait for one minut for connection and if its not getting a connection it will shutdown. if connection is estableched it will processed as it should. * MS: small change to CheckIsLockPeriodIsActive * MS: Done some change to make the daemon play ball with hedgehog * Create a new protocol version for this next release. Check with hedgehog over the rest client whether any new sporks have been created. If yes then we need to force all old protocols off the network. * need to add the restclient object * modify the hasMintingSpork call to use the same method as getdatafromrestserver * try printing the size of the response * adding some debuig logs * test this rest call to hedgehog * skip calling the rest client to see if the error is there * wrap check in a try catch to see if we get an error * MS: removed log prints that fills up the log * MS: changed the mint spork check to handel an emtpty return list. * search for the correct OSX SDK being used * correct osx sdk * min osx version bump * bump boost 1.73 * remove boost test * update from master * remove cclang packages * minimal boost install * clang * have to build boost * place test at end of boost built * min boost ver * attempt to compile using what worked in master * test if this gitian build that works can compile boost 1.73 * fix for boost 1.73 * remove throw error stopping the daemon from shutting down * remove the catch causing a boost error to be thrown * add some debug logs to find where boost is failing * place the log before the trys * see if boost requires this * check if boost 1.73 is the issue * boost 1.73 and dont start a shutdown * skip checking for sporks * re-enable checking for minting sporks as this did not solve the syncing issue * check if the protocol version is causing sync issues * test if check lock period even works * skip checking lock period * check whether commenting out get best block works here * revert * found the sync problem I believe * fix syncing issue that happened from a bad commit at bf89a5f * fixing openssl errors caused by an old version while boost asio is requiring a newer version. * skip checking for sporks as it always returns 3 so will not connect to node. Set correct flag for checking tx for mints. * this one also needs to only return if true * remove debug logs * MS: changed some logic. uncommented checkspork for test. changed test.sh to use the correct port * Working on fix for memory leak * MS: fixed a memory leak in CDataStreams that became apperent when running testnet. * osx gitian failing on boost... again * attempt to build with bjam and toolset * check if the dash build method works any differently * ignore boost tests * darwin toolset * boost 1.71 * boost 1.71 is the same issue * one diff between working and not --------- Co-authored-by: Fim-84 <marcus.stenberg@gmail.com> Co-authored-by: Carl Dong <contact@carldong.me> Co-authored-by: fanquake <fanquake@gmail.com> Co-authored-by: W. J. van der Laan <laanwj@protonmail.com> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> Co-authored-by: Andrew Chow <achow101-github@achow101.com> Co-authored-by: Pieter Wuille <pieter@wuille.net> Co-authored-by: h <harshit_goyal333@outlook.com> Co-authored-by: jonatack <jon@atack.com> Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc> Co-authored-by: Cory Fields <cory-nospam-@coryfields.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com> Co-authored-by: josibake <josibake@protonmail.com> Co-authored-by: Stacie <staciewaleyko@gmail.com>

dongcarl mentioned this pull request Apr 28, 2021

Guix Release Transition Plan for 22.0 #21145

Closed

15 tasks

DrahtBot added the Scripts and tools label Apr 28, 2021

DrahtBot mentioned this pull request Apr 29, 2021

guix: Always canonicalize HOST using ./depends/config.sub #21671

Closed

guix: Consistently use gcc-8 for $HOST

c90f6e5

dongcarl force-pushed the 2021-04-guix-gcc-memcmp branch from b5abb07 to c90f6e5 Compare May 3, 2021 18:43

dongcarl marked this pull request as ready for review May 3, 2021 18:43

maflcko added the DrahtBot Guix build requested label May 3, 2021

hebasto reviewed May 3, 2021

View reviewed changes

hebasto approved these changes May 3, 2021

View reviewed changes

laanwj merged commit 00a9b06 into bitcoin:master May 5, 2021

dongcarl deleted the 2021-04-guix-gcc-memcmp branch May 5, 2021 10:26

maflcko removed the DrahtBot Guix build requested label May 5, 2021

gwillen pushed a commit to ElementsProject/elements that referenced this pull request Jun 1, 2022

Merge 00a9b06 into merged_master (Bitcoin PR bitcoin/bitcoin#21799)

2e922f2

fanquake mentioned this pull request Jun 8, 2022

guix: re-revert risc-v execstack workaround #25313

Merged

knst mentioned this pull request Mar 6, 2023

backport: guix related backports dashpay/dash#5237

Merged

3 tasks

bitcoin locked and limited conversation to collaborators Jun 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

guix: Use `gcc-8` across the board #21799

guix: Use `gcc-8` across the board #21799

Uh oh!

dongcarl commented Apr 28, 2021

Uh oh!

hebasto commented Apr 28, 2021

Uh oh!

dongcarl commented Apr 28, 2021

Uh oh!

DrahtBot commented Apr 29, 2021 •

edited

Loading

Uh oh!

maflcko commented Apr 29, 2021

Uh oh!

sipa commented Apr 29, 2021

Uh oh!

dongcarl commented May 3, 2021

Uh oh!

maflcko commented May 3, 2021

Uh oh!

hebasto May 3, 2021

Uh oh!

dongcarl May 3, 2021

Uh oh!

dongcarl May 3, 2021

Uh oh!

laanwj May 4, 2021

Uh oh!

fanquake May 5, 2021

Uh oh!

laanwj May 5, 2021

Uh oh!

hebasto left a comment

Uh oh!

laanwj commented May 5, 2021

Uh oh!

Uh oh!

		powerpc64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
		powerpc64-linux-\|riscv64-linux-) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;

guix: Use gcc-8 across the board #21799

guix: Use gcc-8 across the board #21799

Uh oh!

Conversation

dongcarl commented Apr 28, 2021

Uh oh!

hebasto commented Apr 28, 2021

Uh oh!

dongcarl commented Apr 28, 2021

Uh oh!

DrahtBot commented Apr 29, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Conflicts

Uh oh!

maflcko commented Apr 29, 2021

Uh oh!

sipa commented Apr 29, 2021

Uh oh!

dongcarl commented May 3, 2021

Uh oh!

maflcko commented May 3, 2021

Uh oh!

hebasto May 3, 2021

Choose a reason for hiding this comment

Uh oh!

dongcarl May 3, 2021

Choose a reason for hiding this comment

Uh oh!

dongcarl May 3, 2021

Choose a reason for hiding this comment

Uh oh!

laanwj May 4, 2021

Choose a reason for hiding this comment

Uh oh!

fanquake May 5, 2021

Choose a reason for hiding this comment

Uh oh!

laanwj May 5, 2021

Choose a reason for hiding this comment

Uh oh!

hebasto left a comment

Choose a reason for hiding this comment

Uh oh!

laanwj commented May 5, 2021

Uh oh!

Uh oh!

guix: Use `gcc-8` across the board #21799

guix: Use `gcc-8` across the board #21799

DrahtBot commented Apr 29, 2021 •

edited

Loading