Update debian/ for ECH

defo-project · Aug 4, 2024 · 7df714c · 7df714c
1 parent ed92183
commit 7df714c
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 101 deletions.
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml
@@ -0,0 +1,82 @@
+name: builder
+
+on:
+  workflow_dispatch:
+  push:
+  schedule:
+    - cron: '30 5 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: merge upstream
+        run: |
+          git remote add upstream https://github.com/curl/curl.git
+          git fetch upstream
+          git -c user.name=Github -c user.email=none merge upstream/master
+
+      - name: Cache ccache
+        uses: actions/cache@v4
+        with:
+          path: /home/runner/.cache/ccache
+          key: ccache
+
+      - name: Prepare build environment
+        run: |
+          sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends sbuild mmdebstrap debian-archive-keyring ccache uidmap
+
+          mkdir -p "$HOME/.cache/sbuild"
+          mmdebstrap --variant=buildd --include=apt,ccache,ca-certificates \
+            --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
+            --customize-hook='chroot "$1" update-ccache-symlinks' \
+            testing "$HOME/.cache/sbuild/testing-amd64.tar"
+
+          ccache --zero-stats --max-size=10.0G
+          chmod a+X "$HOME" "$HOME/.cache"
+          chmod -R a+rwX "$HOME/.cache/ccache"
+
+          cat << "EOF" > "$HOME/.sbuildrc"
+          $build_environment = { "CCACHE_DIR" => "/build/ccache" };
+          $path = "/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games";
+          $build_path = "/build/package/";
+          $dsc_dir = "package";
+          $unshare_bind_mounts = [ { directory => "$HOME/.cache/ccache", mountpoint => "/build/ccache" } ];
+          $verbose = 1;
+          EOF
+          mkdir "$HOME/apt_repo"
+
+      - name: Run sbuild
+        run: |
+          sed -i "1 s/([^)]*)/($(git describe --tags | sed 's/^[^0-9]*//;s/-/./g;s/_/./g')-$(date -u '+%Y%m%d.%H%M%S%N'))/" debian/changelog
+          sbuild -d testing --chroot-mode=unshare --no-clean-source --no-run-lintian \
+            --extra-repository="deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ ./" \
+            --dpkg-source-opts="-Zgzip -z1 --format=1.0 -sn" --build-dir="$HOME/apt_repo"
+          cd "$HOME/apt_repo"
+          apt-ftparchive packages . > Packages
+          apt-ftparchive release . > Release
+
+      - name: Test packages
+        run: |
+          mmdebstrap --chrooted-customize-hook="curl --ech true --doh-url 'https://1.1.1.1/dns-query' 'https://defo.ie/ech-check.php' | grep 'SSL_ECH_STATUS: success'" \
+            --variant=essential --include=ca-certificates,curl testing /dev/null \
+            "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian testing main" \
+            "deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ /" \
+            "deb [trusted=yes] copy:/$HOME/apt_repo /"
+
+      - name: Upload apt repository
+        run: |
+          cd "$HOME/apt_repo"
+          BRANCH=packages
+          REPOSITORY="$(printf "%s" "$GITHUB_REPOSITORY" | tr / _)"
+          echo "echo \"deb [trusted=yes] $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/raw/$BRANCH/ /\" | sudo tee /etc/apt/sources.list.d/$REPOSITORY.list" >> README.md
+          git init -b "$BRANCH"
+          git remote add origin "$(echo "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" | sed "s#https://#https://x-access-token:${{ secrets.GITHUB_TOKEN }}@#")"
+          git add .
+          git -c user.name=Github -c user.email=none commit --message="Generated with $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+          git push --force origin "$BRANCH"
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+curl (8.9.1-2) UNRELEASED; urgency=medium
+
+  * Enable ECH
+
+ -- Jochen Sprickerhof <[email protected]>  Sun, 04 Aug 2024 08:08:13 +0200
+
 curl (8.9.1-1) unstable; urgency=medium
 
   * New upstream version 8.9.1. (Closes: 1077656)

diff --git a/debian/patches/90_gnutls.patch b/debian/patches/90_gnutls.patch
@@ -12,9 +12,8 @@ Last-Update: 2018-05-23
  lib/libcurl.vers.in            |  2 +-
  src/Makefile.am                |  4 ++--
  tests/http/clients/Makefile.am |  4 ++--
- tests/http/clients/Makefile.in | 36 ++++++++++++++++++------------------
  tests/libtest/Makefile.am      |  8 ++++----
- 7 files changed, 50 insertions(+), 50 deletions(-)
+ 6 files changed, 32 insertions(+), 32 deletions(-)
 
 diff --git a/docs/examples/Makefile.am b/docs/examples/Makefile.am
 index 80ccc59..750000e 100644
@@ -135,7 +134,7 @@ index ae978a4..bce5633 100644
    global: curl_*;
    local: *;
 diff --git a/src/Makefile.am b/src/Makefile.am
-index 4ce83c9..a0b3fd3 100644
+index 73fbe80..a468e2c 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
 @@ -68,9 +68,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@
@@ -166,101 +165,6 @@ index 8fdc190..ddc9be4 100644
  endif
 
  # This might hold -Werror
-diff --git a/tests/http/clients/Makefile.in b/tests/http/clients/Makefile.in
-index 9eb45a0..2a8f8d9 100644
---- a/tests/http/clients/Makefile.in
-+++ b/tests/http/clients/Makefile.in
-@@ -178,9 +178,9 @@ h2_download_SOURCES = h2-download.c
- h2_download_OBJECTS = h2-download.$(OBJEXT)
- h2_download_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@h2_download_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@h2_download_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- AM_V_lt = $(am__v_lt_@AM_V@)
- am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
- am__v_lt_0 = --silent
-@@ -189,51 +189,51 @@ h2_pausing_SOURCES = h2-pausing.c
- h2_pausing_OBJECTS = h2-pausing.$(OBJEXT)
- h2_pausing_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@h2_pausing_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@h2_pausing_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- h2_serverpush_SOURCES = h2-serverpush.c
- h2_serverpush_OBJECTS = h2-serverpush.$(OBJEXT)
- h2_serverpush_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@h2_serverpush_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@h2_serverpush_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- h2_upgrade_extreme_SOURCES = h2-upgrade-extreme.c
- h2_upgrade_extreme_OBJECTS = h2-upgrade-extreme.$(OBJEXT)
- h2_upgrade_extreme_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@h2_upgrade_extreme_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@h2_upgrade_extreme_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- tls_session_reuse_SOURCES = tls-session-reuse.c
- tls_session_reuse_OBJECTS = tls-session-reuse.$(OBJEXT)
- tls_session_reuse_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@tls_session_reuse_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@tls_session_reuse_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- upload_pausing_SOURCES = upload-pausing.c
- upload_pausing_OBJECTS = upload-pausing.$(OBJEXT)
- upload_pausing_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@upload_pausing_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@upload_pausing_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- ws_data_SOURCES = ws-data.c
- ws_data_OBJECTS = ws-data.$(OBJEXT)
- ws_data_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@ws_data_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@ws_data_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- ws_pingpong_SOURCES = ws-pingpong.c
- ws_pingpong_OBJECTS = ws-pingpong.$(OBJEXT)
- ws_pingpong_LDADD = $(LDADD)
- @USE_EXPLICIT_LIB_DEPS_FALSE@ws_pingpong_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@	$(LIBDIR)/libcurl-gnutls.la
- @USE_EXPLICIT_LIB_DEPS_TRUE@ws_pingpong_DEPENDENCIES =  \
--@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_TRUE@	$(LIBDIR)/libcurl-gnutls.la
- AM_V_P = $(am__v_P_@AM_V@)
- am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
- am__v_P_0 = false
-@@ -548,10 +548,10 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_builddir)/lib \
- 	-I$(top_srcdir)/lib -DCURL_DISABLE_DEPRECATION \
- 	-DCURL_NO_OLDIES $(am__append_1)
- LIBDIR = $(top_builddir)/lib
--@USE_EXPLICIT_LIB_DEPS_FALSE@LDADD = $(LIBDIR)/libcurl.la
-+@USE_EXPLICIT_LIB_DEPS_FALSE@LDADD = $(LIBDIR)/libcurl-gnutls.la
-
- # Dependencies
--@USE_EXPLICIT_LIB_DEPS_TRUE@LDADD = $(LIBDIR)/libcurl.la @LIBCURL_LIBS@
-+@USE_EXPLICIT_LIB_DEPS_TRUE@LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@
- CHECKSRC = $(CS_$(V))
- CS_0 = @echo "  RUN     " $@;
- CS_1 = 
 diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am
 index eed916e..78918da 100644
 --- a/tests/libtest/Makefile.am

diff --git a/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch b/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch
@@ -17,10 +17,10 @@ Signed-off-by: Simon McVittie <[email protected]>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 1e18b81..6628d01 100644
+index f6c4e16..8eed8a5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1927,7 +1927,8 @@ if test x"$want_gss" = xyes; then
+@@ -1930,7 +1930,8 @@ if test x"$want_gss" = xyes; then
             gss_libs=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --libs gssapi`
             LIBS="$gss_libs $LIBS"
          elif test "$PKGCONFIG" != "no" ; then

diff --git a/debian/rules b/debian/rules
@@ -72,6 +72,7 @@ ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),)
 	./buildconf && \
 	cp ../../ltmain.sh . && \
 	dh_auto_configure ${CONFIGURE_ARGS} --with-openssl \
+	        --enable-ech \
 		--without-ngtcp2 \
 		--without-nghttp3
 endif
@@ -109,6 +110,9 @@ TESTS_FAILS_ON_IPV6_ONLY_MACHINES ?= $(addprefix ~, 300 301 303 304 306 309 310
 
 TESTS_GENERAL_PARAMETERS += $(TESTS_FAILS_ON_IPV6_ONLY_MACHINES)
 
+# ignore ECH symbol
+TESTS_GENERAL_PARAMETERS += ~1014 ~1705
+
 override_dh_auto_test:
 ifeq ($(filter nocheck,$(DEB_BUILD_PROFILES)),)
 ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),)
@@ -181,7 +185,7 @@ endif
 	rm -rfv debian/tmp/usr/share/aclocal/*
 
 override_dh_installchangelogs:
-	dh_installchangelogs CHANGES
+	dh_installchangelogs CHANGES.md
 
 override_dh_compress:
 	dh_compress -X.pdf