From 7df714c2e9b75768e9529d9a49f701a0f7fd512f Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof
Date: Thu, 27 Jun 2024 20:27:38 +0200
Subject: [PATCH] Update debian/ for ECH
---
 .github/workflows/packages.yaml | 82 ++++++++++++++
 debian/changelog | 6 ++
 debian/patches/90_gnutls.patch | 100 +-----------------
 ...-gssapi-link-flags-between-LDFLAGS-a.patch | 4 +-
 debian/rules | 6 +-
 5 files changed, 97 insertions(+), 101 deletions(-)
 create mode 100644 .github/workflows/packages.yaml
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml
new file mode 100644
index 00000000000000..e3350d4b9f9568
--- /dev/null
+++ b/.github/workflows/packages.yaml
@@ -0,0 +1,82 @@
+name: builder
+
+on:
+ workflow_dispatch:
+ push:
+ schedule:
+ - cron: '30 5 * * *'
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: merge upstream
+ run: |
+ git remote add upstream https://github.com/curl/curl.git
+ git fetch upstream
+ git -c user.name=Github -c user.email=none merge upstream/master
+
+ - name: Cache ccache
+ uses: actions/cache@v4
+ with:
+ path: /home/runner/.cache/ccache
+ key: ccache
+
+ - name: Prepare build environment
+ run: |
+ sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends sbuild mmdebstrap debian-archive-keyring ccache uidmap
+
+ mkdir -p "$HOME/.cache/sbuild"
+ mmdebstrap --variant=buildd --include=apt,ccache,ca-certificates \
+ --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
+ --customize-hook='chroot "$1" update-ccache-symlinks' \
+ testing "$HOME/.cache/sbuild/testing-amd64.tar"
+
+ ccache --zero-stats --max-size=10.0G
+ chmod a+X "$HOME" "$HOME/.cache"
+ chmod -R a+rwX "$HOME/.cache/ccache"
+
+ cat << "EOF" > "$HOME/.sbuildrc"
+ $build_environment = { "CCACHE_DIR" => "/build/ccache" };
+ $path = "/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games";
+ $build_path = "/build/package/";
+ $dsc_dir = "package";
+ $unshare_bind_mounts = [ { directory => "$HOME/.cache/ccache", mountpoint => "/build/ccache" } ];
+ $verbose = 1;
+ EOF
+ mkdir "$HOME/apt_repo"
+
+ - name: Run sbuild
+ run: |
+ sed -i "1 s/([^)]*)/($(git describe --tags | sed 's/^[^0-9]*//;s/-/./g;s/_/./g')-$(date -u '+%Y%m%d.%H%M%S%N'))/" debian/changelog
+ sbuild -d testing --chroot-mode=unshare --no-clean-source --no-run-lintian \
+ --extra-repository="deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ ./" \
+ --dpkg-source-opts="-Zgzip -z1 --format=1.0 -sn" --build-dir="$HOME/apt_repo"
+ cd "$HOME/apt_repo"
+ apt-ftparchive packages . > Packages
+ apt-ftparchive release . > Release
+
+ - name: Test packages
+ run: |
+ mmdebstrap --chrooted-customize-hook="curl --ech true --doh-url 'https://1.1.1.1/dns-query' 'https://defo.ie/ech-check.php' | grep 'SSL_ECH_STATUS: success'" \
+ --variant=essential --include=ca-certificates,curl testing /dev/null \
+ "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian testing main" \
+ "deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ /" \
+ "deb [trusted=yes] copy:/$HOME/apt_repo /"
+
+ - name: Upload apt repository
+ run: |
+ cd "$HOME/apt_repo"
+ BRANCH=packages
+ REPOSITORY="$(printf "%s" "$GITHUB_REPOSITORY" | tr / _)"
+ echo "echo \"deb [trusted=yes] $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/raw/$BRANCH/ /\" | sudo tee /etc/apt/sources.list.d/$REPOSITORY.list" >> README.md
+ git init -b "$BRANCH"
+ git remote add origin "$(echo "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" | sed "s#https://#https://x-access-token:${{ secrets.GITHUB_TOKEN }}@#")"
+ git add .
+ git -c user.name=Github -c user.email=none commit --message="Generated with $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+ git push --force origin "$BRANCH"
diff --git a/debian/changelog b/debian/changelog
index cb00f66a0e9ebf..fafa2d4faedc62 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+curl (8.9.1-2) UNRELEASED; urgency=medium
+
+ * Enable ECH
+
+ -- Jochen Sprickerhof Sun, 04 Aug 2024 08:08:13 +0200
+
 curl (8.9.1-1) unstable; urgency=medium
 * New upstream version 8.9.1. (Closes: 1077656)
diff --git a/debian/patches/90_gnutls.patch b/debian/patches/90_gnutls.patch
index e338d97d380364..6916319a10317d 100644
--- a/debian/patches/90_gnutls.patch
+++ b/debian/patches/90_gnutls.patch
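Review bot: In `.github/workflows/packages.yaml`, the "Upload apt repository" step publishes an unsigned repository and writes a `deb [trusted=yes] …` line into README.md, so anyone who follows it has apt install packages, whose maintainer scripts run as root, from the `packages` branch with signature checking switched off. The build input has the same gap: "Run sbuild" and "Test packages" pull the defo-project OpenSSL repository with `[trusted=yes]`, and "merge upstream" merges `upstream/master` on a daily schedule, so the published binaries are only as trustworthy as HTTPS to GitHub and whatever those branches hold at build time. Signing `Release` with a key kept in a repository secret and documenting a `signed-by=` source line instead would restore apt's verification for consumers. The workflow also has no `permissions:` block although only the last step needs write access, and it expands `${{ secrets.GITHUB_TOKEN }}` straight into the script text; a top-level `permissions:` with `contents: write`, and passing the token to the step through `env:`, would narrow both.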
@@ -12,9 +12,8 @@ Last-Update: 2018-05-23 lib/libcurl.vers.in | 2 +- src/Makefile.am | 4 ++-- tests/http/clients/Makefile.am | 4 ++-- - tests/http/clients/Makefile.in | 36 ++++++++++++++++++------------------ tests/libtest/Makefile.am | 8 ++++---- - 7 files changed, 50 insertions(+), 50 deletions(-) + 6 files changed, 32 insertions(+), 32 deletions(-) diff --git a/docs/examples/Makefile.am b/docs/examples/Makefile.am index 80ccc59..750000e 100644 @@ -135,7 +134,7 @@ index ae978a4..bce5633 100644 global: curl_*; local: *; diff --git a/src/Makefile.am b/src/Makefile.am -index 4ce83c9..a0b3fd3 100644 +index 73fbe80..a468e2c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -68,9 +68,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ 
@@ -166,101 +165,6 @@ index 8fdc190..ddc9be4 100644 endif # This might hold -Werror -diff --git a/tests/http/clients/Makefile.in b/tests/http/clients/Makefile.in -index 9eb45a0..2a8f8d9 100644 ---- a/tests/http/clients/Makefile.in -+++ b/tests/http/clients/Makefile.in -@@ -178,9 +178,9 @@ h2_download_SOURCES = h2-download.c - h2_download_OBJECTS = h2-download.$(OBJEXT) - h2_download_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@h2_download_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@h2_download_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - AM_V_lt = $(am__v_lt_@AM_V@) - am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) - am__v_lt_0 = --silent -@@ -189,51 +189,51 @@ h2_pausing_SOURCES = h2-pausing.c - h2_pausing_OBJECTS = h2-pausing.$(OBJEXT) - h2_pausing_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@h2_pausing_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@h2_pausing_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - h2_serverpush_SOURCES = h2-serverpush.c - h2_serverpush_OBJECTS = h2-serverpush.$(OBJEXT) - h2_serverpush_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@h2_serverpush_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@h2_serverpush_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - h2_upgrade_extreme_SOURCES = h2-upgrade-extreme.c - h2_upgrade_extreme_OBJECTS = h2-upgrade-extreme.$(OBJEXT) - h2_upgrade_extreme_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@h2_upgrade_extreme_DEPENDENCIES 
= \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@h2_upgrade_extreme_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - tls_session_reuse_SOURCES = tls-session-reuse.c - tls_session_reuse_OBJECTS = tls-session-reuse.$(OBJEXT) - tls_session_reuse_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@tls_session_reuse_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@tls_session_reuse_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - upload_pausing_SOURCES = upload-pausing.c - upload_pausing_OBJECTS = upload-pausing.$(OBJEXT) - upload_pausing_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@upload_pausing_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@upload_pausing_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - ws_data_SOURCES = ws-data.c - ws_data_OBJECTS = ws-data.$(OBJEXT) - ws_data_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@ws_data_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - @USE_EXPLICIT_LIB_DEPS_TRUE@ws_data_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - ws_pingpong_SOURCES = ws-pingpong.c - ws_pingpong_OBJECTS = ws-pingpong.$(OBJEXT) - ws_pingpong_LDADD = $(LDADD) - @USE_EXPLICIT_LIB_DEPS_FALSE@ws_pingpong_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@ $(LIBDIR)/libcurl-gnutls.la - 
@USE_EXPLICIT_LIB_DEPS_TRUE@ws_pingpong_DEPENDENCIES = \ --@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_TRUE@ $(LIBDIR)/libcurl-gnutls.la - AM_V_P = $(am__v_P_@AM_V@) - am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) - am__v_P_0 = false -@@ -548,10 +548,10 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_builddir)/lib \ - -I$(top_srcdir)/lib -DCURL_DISABLE_DEPRECATION \ - -DCURL_NO_OLDIES $(am__append_1) - LIBDIR = $(top_builddir)/lib --@USE_EXPLICIT_LIB_DEPS_FALSE@LDADD = $(LIBDIR)/libcurl.la -+@USE_EXPLICIT_LIB_DEPS_FALSE@LDADD = $(LIBDIR)/libcurl-gnutls.la - - # Dependencies --@USE_EXPLICIT_LIB_DEPS_TRUE@LDADD = $(LIBDIR)/libcurl.la @LIBCURL_LIBS@ -+@USE_EXPLICIT_LIB_DEPS_TRUE@LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@ - CHECKSRC = $(CS_$(V)) - CS_0 = @echo " RUN " $@; - CS_1 = diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am index eed916e..78918da 100644 --- a/tests/libtest/Makefile.am diff --git a/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch b/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch index b6c4d900f8ef33..88cb631d7f5117 100644 --- a/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch +++ b/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch @@ -17,10 +17,10 @@ Signed-off-by: Simon McVittie 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 1e18b81..6628d01 100644 +index f6c4e16..8eed8a5 100644 --- a/configure.ac +++ b/configure.ac -@@ -1927,7 +1927,8 @@ if test x"$want_gss" = xyes; then +@@ -1930,7 +1930,8 @@ if test x"$want_gss" = xyes; then gss_libs=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --libs gssapi` LIBS="$gss_libs $LIBS" elif test "$PKGCONFIG" != "no" ; then diff --git a/debian/rules b/debian/rules index 2e6cb6351d7efa..aed466fe94a1eb 100755 --- a/debian/rules +++ b/debian/rules 
@@ -72,6 +72,7 @@ ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),)
 ./buildconf && \
 cp ../../ltmain.sh . && \
 dh_auto_configure ${CONFIGURE_ARGS} --with-openssl \
+ --enable-ech \
 --without-ngtcp2 \
 --without-nghttp3
 endif
@@ -109,6 +110,9 @@ TESTS_FAILS_ON_IPV6_ONLY_MACHINES ?= $(addprefix ~, 300 301 303 304 306 309 310
 TESTS_GENERAL_PARAMETERS += $(TESTS_FAILS_ON_IPV6_ONLY_MACHINES)
+# ignore ECH symbol
+TESTS_GENERAL_PARAMETERS += ~1014 ~1705
+
 override_dh_auto_test:
 ifeq ($(filter nocheck,$(DEB_BUILD_PROFILES)),)
 ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),)
@@ -181,7 +185,7 @@ endif
 rm -rfv debian/tmp/usr/share/aclocal/*
 override_dh_installchangelogs:
- dh_installchangelogs CHANGES
+ dh_installchangelogs CHANGES.md
 override_dh_compress:
 dh_compress -X.pdf
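Review bot: `--enable-ech` is added unconditionally to the `--with-openssl` configure call in the first debian/rules hunk, and nothing there records that it needs an ECH-capable libssl; in this commit that library appears to come only from the `[trusted=yes]` defo-project repository named in the workflow. A comment next to this block, for example `# --enable-ech needs an OpenSSL built with ECH support; curl still treats ECH as experimental`, would tell the next maintainer why a build against a stock OpenSSL may stop at configure. Gating the flag behind a build profile, the way `pkg.curl.no-openssl` gates this block, would keep the package buildable without the extra repository. The enclosing rule starts and ends outside the hunk.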
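Review bot: The second debian/rules hunk appends `~1014 ~1705` to `TESTS_GENERAL_PARAMETERS`, which, judging by its name and by the IPv6 exclusions added to it on the line above, seems to apply to every flavour that is tested, so both tests are presumably skipped for the GnuTLS build as well even though only the OpenSSL configure call gets `--enable-ech`. The comment `# ignore ECH symbol` says neither what the two tests check nor when the skip can be removed; something like `# 1014 and 1705 fail with --enable-ech because of the extra ECH symbol; drop once upstream handles it` would, with the wording confirmed against the actual failures. If the variable is indeed shared, moving the two exclusions to whatever parameter list only the OpenSSL test run uses would keep those checks active for the other build.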