search

mirage / qubes-mirage-firewall

A Mirage firewall VM for QubesOS
BSD 2-Clause "Simplified" License
210 stars 28 forks source link

update build script #175

Closed palainp closed 1 year ago

palainp commented 1 year ago

A bad hashsum was reported in the Qubes forum (https://forum.qubes-os.org/t/mirage-firewall-dispvm-template/17881/10). It seems that ubuntu has updated some packages a couple of weeks ago, I checked and found some difference in the output of github actions:

http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libkrb5support0 amd64 1.17-6ubuntu4.2 [31.0 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libk5crypto3 amd64 1.17-6ubuntu4.2 [80.0 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libkrb5-3 amd64 1.17-6ubuntu4.2 [330 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libgssapi-krb5-2 amd64 1.17-6ubuntu4.2 [121 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libcurl3-gnutls amd64 7.68.0-1ubuntu2.16 [232 kB]

vs

http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libkrb5support0 amd64 1.17-6ubuntu4.3 [31.1 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libk5crypto3 amd64 1.17-6ubuntu4.3 [80.2 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libkrb5-3 amd64 1.17-6ubuntu4.3 [330 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libgssapi-krb5-2 amd64 1.17-6ubuntu4.3 [121 kB]
http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libcurl3-gnutls amd64 7.68.0-1ubuntu2.18 [233 kB]

This causes the github actions to fail due to bad resulting hashsum. Not sure why these updates have an impact on the resulting binary.

So I tried to update the build script in respect with #165 (and while at it, I also updated the opam version and the opam-repository commit), does that's what you mean @hannesm? I'm unsure if you have debian builds in ROBUR :( @h01ger does the echo writing over /etc/apt/source.list sounds correct to you, or there is another/better way to do that?

As a final note, if this PR is merged, we probably also need to cut a release as now a salt script is comparing the hashsum of the release to the expected hashsum in build_with_docker.sh (thanks to @100111001: https://github.com/mirage/qubes-mirage-firewall/issues/173#issuecomment-1500458523)

palainp commented 1 year ago

Oh I think this is the wrong way to go (or at least not the correct package repository), the InRelease file has a Valid-Until: Tue, 25 Apr 2023 02:11:25 UTC entry I didn't noticed earlier, which makes the build fail (it's there to avoid obsolete packages, but since we're using the distribution to compile the unikernel, it should only matter if there's a security issue in the build suite: compiler, libraries, etc).

palainp commented 1 year ago

The fix was an easy part :)

However, I now have a more general question about how we can use the reproducible Debian repositories, should we try to have an automatic default release process (e.g. 1/2 releases per year, just updating the hashes of the debian/opam-repository/head qubes-mirage-firewall repositories) + special releases in case of more urgent fixes (like last december)?

hannesm commented 1 year ago

this is fine to merge. the sha has been reproduced on github actions, and also locally. please feel free to merge & cut a release (I added some changes entries)