Diffstat (limited to 'eclass')
32 files changed, 1178 insertions, 205 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz Binary files differindex e8223df8633f..c002fc2790ad 100644 --- a/eclass/Manifest.gz +++ b/eclass/Manifest.gz diff --git a/eclass/ada.eclass b/eclass/ada.eclass index 9206bfcc42ca..3d22dd5d2a61 100644 --- a/eclass/ada.eclass +++ b/eclass/ada.eclass @@ -282,7 +282,7 @@ ada_export() { debug-print "${FUNCNAME}: GNATBIND = ${GNATBIND}" ;; GNATMAKE) - export GNATMAKE=${EPREFIX}/usr/bin/gnatmake-${gcc_pv} + export GNATMAKE=${EPREFIX}/usr/bin/${CHOST}-gnatmake-${gcc_pv} debug-print "${FUNCNAME}: GNATMAKE = ${GNATMAKE}" ;; GNATLS) diff --git a/eclass/cargo.eclass b/eclass/cargo.eclass index b1285e13a5b2..0bc24feea222 100644 --- a/eclass/cargo.eclass +++ b/eclass/cargo.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: cargo.eclass @@ -527,6 +527,12 @@ cargo_src_unpack() { done < <(sha256sum -z "${crates[@]}" || die) popd >/dev/null || die + + if [[ ${#crates[@]} -ge 300 ]]; then + eqawarn "This package uses a very large number of CRATES. Please provide" + eqawarn "a crate tarball instead and fetch it via SRC_URI. You can use" + eqawarn "'pycargoebuild --crate-tarball' to create one." + fi fi cargo_gen_config diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass index 210c586c8c29..3d7315e9e94e 100644 --- a/eclass/dist-kernel-utils.eclass +++ b/eclass/dist-kernel-utils.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: dist-kernel-utils.eclass 
@@ -82,12 +82,33 @@ dist-kernel_install_kernel() { local success= # not an actual loop but allows error handling with 'break' while true; do + if [[ -n ${ROOT} ]] && in_iuse initramfs && use initramfs; then + if ! in_iuse generic-uki || ! use generic-uki; then + eerror + eerror "ROOT is set, and (re-)generation of an initramfs is requested" + eerror "via the USE=initramfs flag. However, this is currently not" + eerror "supported via the sys-kernel/installkernel mechanism." + eerror + if in_iuse generic-uki && ! use generic-uki; then + eerror "Generation and installation of a generic initramfs and/or" + eerror "Unified Kernel Image is possible via portage by enabling the" + eerror "USE=generic-uki flag. Please enable the generic-uki flag, or" + eerror "chroot into: ROOT=${ROOT}" + else + eerror "Please chroot into: ROOT=${ROOT}" + fi + break + fi + fi + nonfatal mount-boot_check_status || break + mkdir -p "${EROOT}/boot" || break ebegin "Installing the kernel via installkernel" # note: .config is taken relatively to System.map; # initrd relatively to bzImage - ARCH=$(tc-arch-kernel) installkernel "${version}" "${image}" "${map}" || break + ARCH=$(tc-arch-kernel) installkernel "${version}" "${image}" "${map}" \ + "${EROOT}/boot" || break eend ${?} || die -n "Installing the kernel failed" success=1 diff --git a/eclass/dotnet-pkg-base.eclass b/eclass/dotnet-pkg-base.eclass index d9abff3859f6..b266c1b5dffc 100644 --- a/eclass/dotnet-pkg-base.eclass +++ b/eclass/dotnet-pkg-base.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: dotnet-pkg-base.eclass 
@@ -32,6 +32,23 @@ _DOTNET_PKG_BASE_ECLASS=1 inherit edo multiprocessing nuget +# @ECLASS_VARIABLE: DOTNET_VERBOSITY +# @USER_VARIABLE +# @DESCRIPTION: +# Controls verbosity of the dotnet restore/build/test processes. +# +# Defaults to "minimal" - this only reports which projects are being built +# and warnings/errors, if any. All the possible values are: "quiet", "minimal", +# "normal", "detailed" and "diagnostic". For more information on verbosity +# levels, see the official .NET SDK documentation on: +# * https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet +# * https://learn.microsoft.com/en-us/dotnet/api/microsoft.build.framework.loggerverbosity +# +# This variable can be used to debug package build process (by selecting +# anything above "minimal") but generally warnings/errors provide all +# the necessary info. +: "${DOTNET_VERBOSITY:=minimal}" + # @ECLASS_VARIABLE: DOTNET_PKG_COMPAT # @REQUIRED # @PRE_INHERIT @@ -385,6 +402,7 @@ dotnet-pkg-base_restore() { local -a restore_args=( --runtime "${DOTNET_PKG_RUNTIME}" --source "${NUGET_PACKAGES}" + --verbosity "${DOTNET_VERBOSITY}" -maxCpuCount:$(makeopts_jobs) "${@}" ) @@ -407,6 +425,7 @@ dotnet-pkg-base_restore-tools() { local -a tool_restore_args=( --add-source "${NUGET_PACKAGES}" + --verbosity "${DOTNET_VERBOSITY}" ) if [[ -n "${1}" ]] ; then @@ -447,6 +466,7 @@ dotnet-pkg-base_build() { --no-self-contained --output "${DOTNET_PKG_OUTPUT}" --runtime "${DOTNET_PKG_RUNTIME}" + --verbosity "${DOTNET_VERBOSITY}" -maxCpuCount:$(makeopts_jobs) ) @@ -482,6 +502,7 @@ dotnet-pkg-base_test() { local -a test_args=( --configuration "${DOTNET_PKG_CONFIGURATION}" --no-restore + --verbosity "${DOTNET_VERBOSITY}" -maxCpuCount:$(makeopts_jobs) "${@}" ) diff --git a/eclass/elisp.eclass b/eclass/elisp.eclass index 1fa8aab29753..e2f629edf132 100644 --- a/eclass/elisp.eclass +++ b/eclass/elisp.eclass 
@@ -139,7 +139,7 @@ elisp_src_configure() { :; } elisp_src_compile() { elisp-compile *.el if [[ -n ${ELISP_TEXINFO} ]]; then - makeinfo ${ELISP_TEXINFO} || die + makeinfo --no-split ${ELISP_TEXINFO} || die fi } diff --git a/eclass/frameworks.kde.org.eclass b/eclass/frameworks.kde.org.eclass index e1dc77c93561..522211a23ab2 100644 --- a/eclass/frameworks.kde.org.eclass +++ b/eclass/frameworks.kde.org.eclass @@ -46,15 +46,14 @@ SLOT=6 if ver_test ${PV} -lt 5.240; then SLOT=5 fi -if [[ ${PN} == extra-cmake-modules ]]; then - SLOT=0 -else - if [[ ${KDE_BUILD_TYPE} == release ]]; then +case ${PN} in + extra-cmake-modules|kapidox) + SLOT=0 + ;; + *) SLOT=${SLOT}/${KDE_CATV} - else - SLOT=${SLOT}/9999 - fi -fi + ;; +esac # @ECLASS_VARIABLE: KDE_ORG_SCHEDULE_URI # @INTERNAL diff --git a/eclass/gstreamer-meson.eclass b/eclass/gstreamer-meson.eclass index 937c86a0f15b..15b0a6390a42 100644 --- a/eclass/gstreamer-meson.eclass +++ b/eclass/gstreamer-meson.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: gstreamer-meson.eclass @@ -38,11 +38,6 @@ esac PYTHON_COMPAT=( python3_{10..12} ) [[ ${EAPI} == 8 ]] && inherit python-any-r1 -# TODO: Remove after all older versions are gone from tree -if ver_test ${PV} -lt 1.22.10 ; then - inherit virtualx -fi - # multilib-minimal goes last inherit meson multilib toolchain-funcs xdg-utils multilib-minimal 
@@ -133,10 +128,7 @@ gstreamer_system_package() { pc=${tuple#*:}-${SLOT} sed -e "1i${dependency} = dependency('${pc}', required : true)" \ -i "${pdir}"/meson.build || die - # TODO: Remove conditional applying once older versions are all gone - if ver_test ${PV} -gt 1.22.5 ; then - sed -e "/meson\.override_dependency[(]pkg_name, ${dependency}[)]/d" -i "${S}"/gst-libs/gst/*/meson.build || die - fi + sed -e "/meson\.override_dependency[(]pkg_name, ${dependency}[)]/d" -i "${S}"/gst-libs/gst/*/meson.build || die done done } @@ -207,8 +199,14 @@ S="${WORKDIR}/${GST_ORG_MODULE}-${PV}" LICENSE="GPL-2" SLOT="1.0" +if ver_test ${GST_ORG_PVP} -ge 1.24 ; then + GLIB_VERSION=2.64.0 +else + GLIB_VERSION=2.62.0 +fi + RDEPEND=" - >=dev-libs/glib-2.40.0:2[${MULTILIB_USEDEP}] + >=dev-libs/glib-${GLIB_VERSION}:2[${MULTILIB_USEDEP}] " BDEPEND=" virtual/pkgconfig diff --git a/eclass/guile-utils.eclass b/eclass/guile-utils.eclass index b0660dcfd1ce..d066013486ed 100644 --- a/eclass/guile-utils.eclass +++ b/eclass/guile-utils.eclass @@ -84,10 +84,14 @@ guile_check_compat # @FUNCTION: guile_set_common_vars # @DESCRIPTION: # Sets common variables that apply to all Guile packages, namely, -# QA_PREBUILT. +# GUILE_AUTO_COMPILE and QA_PREBUILT. guile_set_common_vars() { debug-print-function ${FUNCNAME} "$@" + # We don't want Guile making decisions based on the system cache + # files. Always recompile so we're deterministic. + export GUILE_AUTO_COMPILE=fresh + # These aren't strictly speaking prebuilt. but they do generated a # nonstandard ELF object. if [[ -z ${QA_PREBUILT} ]]; then diff --git a/eclass/java-pkg-2.eclass b/eclass/java-pkg-2.eclass index eebdec584ccc..0b35490e0365 100644 --- a/eclass/java-pkg-2.eclass +++ b/eclass/java-pkg-2.eclass @@ -1,4 +1,4 @@ -# Copyright 2004-2024 Gentoo Authors +# Copyright 2004-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: java-pkg-2.eclass 
@@ -6,7 +6,7 @@ # java@gentoo.org # @AUTHOR: # Thomas Matthijs <axxo@gentoo.org> -# @SUPPORTED_EAPIS: 7 8 +# @SUPPORTED_EAPIS: 8 # @PROVIDES: java-utils-2 # @BLURB: Eclass for Java Packages # @DESCRIPTION: @@ -17,7 +17,7 @@ if [[ -z ${_JAVA_PKG_2_ECLASS} ]] ; then _JAVA_PKG_2_ECLASS=1 case ${EAPI} in - 7|8) ;; + 8) ;; *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; esac diff --git a/eclass/java-pkg-simple.eclass b/eclass/java-pkg-simple.eclass index 5ed7e3e5b78e..ce4a62f048da 100644 --- a/eclass/java-pkg-simple.eclass +++ b/eclass/java-pkg-simple.eclass @@ -6,7 +6,7 @@ # java@gentoo.org # @AUTHOR: # Java maintainers <java@gentoo.org> -# @SUPPORTED_EAPIS: 7 8 +# @SUPPORTED_EAPIS: 8 # @BLURB: Eclass for packaging Java software with ease. # @DESCRIPTION: # This class is intended to build pure Java packages from Java sources @@ -17,7 +17,7 @@ # directory before calling the src_compile function of this eclass. case ${EAPI} in - 7|8) ;; + 8) ;; *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; esac diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index 831027216321..65433d9fc9c0 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-build.eclass 
@@ -108,10 +108,14 @@ IUSE="+strip" # @ECLASS_VARIABLE: KERNEL_GENERIC_UKI_CMDLINE # @USER_VARIABLE # @DESCRIPTION: -# If KERNEL_IUSE_GENERIC_UKI is set, this variable allows setting the -# built-in kernel command line for the UKI. If unset, the default is -# root=/dev/gpt-auto-root ro -: "${KERNEL_GENERIC_UKI_CMDLINE:="root=/dev/gpt-auto-root ro"}" +# If KERNEL_IUSE_GENERIC_UKI is set, and this variable is not +# empty, then the contents are used as the first kernel cmdline +# option of the multi-profile generic UKI. Supplementing the four +# standard options of: +# - root=/dev/gpt-auto-root ro +# - root=/dev/gpt-auto-root ro quiet splash +# - root=/dev/gpt-auto-root ro lockdown=integrity +# - root=/dev/gpt-auto-root ro quiet splash lockdown=integrity if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then IUSE+=" modules-sign" @@ -133,6 +137,9 @@ fi kernel-build_pkg_setup() { python-any-r1_pkg_setup if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then + # inherits linux-info to check config values for keys + # ensure KV_FULL will not be set globally, that breaks configure + local KV_FULL secureboot_pkg_setup if use modules-sign && [[ -n ${MODULES_SIGN_KEY} ]]; then @@ -440,6 +447,11 @@ kernel-build_src_install() { # Copy built key/certificate files cp -p build/certs/* "${ED}${kernel_dir}/certs/" || die + # If a key was generated, exclude it from the binpkg + local generated_key=${ED}${kernel_dir}/certs/signing_key.pem + if [[ -r ${generated_key} ]]; then + mv "${generated_key}" "${T}/signing_key.pem" || die + fi # building modules fails with 'vmlinux has no symtab?' if stripped use ppc64 && dostrip -x "${kernel_dir}/${image_path}" 
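Review bot: The comment on the added `mv` in kernel-build_src_install says only that the generated key is kept out of the binpkg; it does not say where the key goes next or what a binary install ends up with. Judging by the kernel-install.eclass part of this commit, the key is copied back from `${T}/signing_key.pem` in kernel-install_pkg_preinst, so it presumably reappears only on the machine that built the package. I would spell that out, e.g. `# Parked in ${T}; kernel-install_pkg_preinst copies it back for source builds, binpkg installs get no signing key.` The `[[ -r ${generated_key} ]]` guard also skips the move when the file exists but is unreadable, so `-e` may be the safer test if the intent is that the key never stays in `${ED}`. The function starts and ends outside the hunk.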
@@ -497,10 +509,10 @@ kernel-build_src_install() { local dracut_modules=( base bash btrfs cifs crypt crypt-gpg crypt-loop dbus dbus-daemon - dm dmraid dracut-systemd fido2 i18n fs-lib kernel-modules + dm dmraid dracut-systemd drm fido2 i18n fs-lib kernel-modules kernel-network-modules kernel-modules-extra lunmask lvm nbd mdraid modsign network network-manager nfs nvdimm nvmf pcsc - pkcs11 qemu qemu-net resume rngd rootfs-block shutdown + pkcs11 plymouth qemu qemu-net resume rngd rootfs-block shutdown systemd systemd-ac-power systemd-ask-password systemd-initrd systemd-integritysetup systemd-pcrphase systemd-sysusers systemd-udevd systemd-veritysetup terminfo tpm2-tss udev-rules @@ -526,7 +538,7 @@ kernel-build_src_install() { --ro-mnt --modules "${dracut_modules[*]}" # Pulls in huge firmware files - --omit-drivers "nfp" + --omit-drivers "amdgpu i915 nfp nouveau nvidia xe" ) # Tries to update ld cache 
@@ -534,29 +546,81 @@ kernel-build_src_install() { dracut "${dracut_args[@]}" "${image%/*}/initrd" || die "Failed to generate initramfs" + # Note, we cannot use an associative array here because those are + # not ordered. + local profiles=() + local cmdlines=() + + # If defined, make the user entry the first and default + if [[ -n ${KERNEL_GENERIC_UKI_CMDLINE} ]]; then + profiles+=( + $'TITLE=User specified at build time\nID=user' + ) + cmdlines+=( "${KERNEL_GENERIC_UKI_CMDLINE}" ) + fi + + profiles+=( + $'TITLE=Default\nID=default' + $'TITLE=Default with splash\nID=splash' + $'TITLE=Default with lockdown\nID=lockdown' + $'TITLE=Default with splash and lockdown\nID=splash-lockdown' + ) + + cmdlines+=( + "root=/dev/gpt-auto-root ro" + "root=/dev/gpt-auto-root ro quiet splash" + "root=/dev/gpt-auto-root ro lockdown=integrity" + "root=/dev/gpt-auto-root ro quiet splash lockdown=integrity" + ) + local ukify_args=( --linux="${image}" --initrd="${image%/*}/initrd" - --cmdline="${KERNEL_GENERIC_UKI_CMDLINE}" --uname="${KV_FULL}" --output="${image%/*}/uki.efi" - ) + --profile="${profiles[0]}" + --cmdline="${cmdlines[0]}" + ) # 0th profile is default + + # Additional profiles have to be added with --join-profile + local i + for (( i=1; i<"${#profiles[@]}"; i++ )); do + ukify build \ + --profile="${profiles[i]}" \ + --cmdline="${cmdlines[i]}" \ + --output="${T}/profile${i}.efi" || + die "Failed to create profile ${i}" + + ukify_args+=( --join-profile="${T}/profile${i}.efi" ) + done if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use secureboot; then + # --pcrpkey is appended as is. If the certificate and key + # are in the same file, we could accidentally leak the key + # into the UKI. Pass the certificate through openssl to ensure + # that it truly contains *only* the certificate. 
+ openssl x509 \ + -in "${SECUREBOOT_SIGN_CERT}" -inform PEM \ + -out "${T}/pcrpkey.pem" -outform PEM || + die "Failed to extract certificate" ukify_args+=( - --signtool=sbsign --secureboot-private-key="${SECUREBOOT_SIGN_KEY}" --secureboot-certificate="${SECUREBOOT_SIGN_CERT}" + --pcrpkey="${T}/pcrpkey.pem" + --measure ) if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then ukify_args+=( --signing-engine="pkcs11" + --pcr-private-key="${SECUREBOOT_SIGN_KEY}" + --pcr-public-key="${SECUREBOOT_SIGN_CERT}" + --phases="enter-initrd" + --pcr-private-key="${SECUREBOOT_SIGN_KEY}" + --pcr-public-key="${SECUREBOOT_SIGN_CERT}" + --phases="enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit enter-initrd:leave-initrd:sysinit:ready" ) else - # Sytemd-measure does not currently support pkcs11 ukify_args+=( - --measure - --pcrpkey="${ED}${kernel_dir}/certs/signing_key.x509" --pcr-private-key="${SECUREBOOT_SIGN_KEY}" --phases="enter-initrd" --pcr-private-key="${SECUREBOOT_SIGN_KEY}" @@ -565,9 +629,7 @@ kernel-build_src_install() { fi fi - # systemd<255 does not install ukify in /usr/bin - PATH="${PATH}:${BROOT}/usr/lib/systemd:${BROOT}/lib/systemd" \ - ukify build "${ukify_args[@]}" || die "Failed to generate UKI" + ukify build "${ukify_args[@]}" || die "Failed to generate UKI" # Overwrite unnecessary image types to save space > "${image}" || die @@ -597,7 +659,6 @@ kernel-build_pkg_postinst() { ewarn "MODULES_SIGN_KEY was not set, this means the kernel build system" ewarn "automatically generated the signing key. This key was installed" ewarn "in ${EROOT}/usr/src/linux-${KV_FULL}/certs" - ewarn "and will also be included in any binary packages." ewarn "Please take appropriate action to protect the key!" ewarn ewarn "Recompiling this package causes a new key to be generated. As" diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass index a341dd9426ff..cf34007844a8 100644 --- a/eclass/kernel-install.eclass +++ b/eclass/kernel-install.eclass 
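Review bot: `profiles` and `cmdlines` are filled by separate `+=` statements and paired only by index, and nothing in the hunk checks that they stay the same length. If a later edit adds a title without its command line, later profiles would be built with a neighbouring entry's cmdline, for example one labelled as lockdown without `lockdown=integrity`. A guard before the `ukify_args` assignment would catch that: `[[ ${#profiles[@]} -eq ${#cmdlines[@]} ]] || die "UKI profile/cmdline count mismatch"`. A comment could also note that a non-empty KERNEL_GENERIC_UKI_CMDLINE becomes profile 0, the default entry of the image that is signed further down. kernel-build_src_install starts and ends outside the hunk.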
@@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: kernel-install.eclass @@ -162,9 +162,10 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then ["sys-apps/rng-tools"]="GPL-2" ["sys-apps/sed"]="GPL-3+" ["sys-apps/shadow"]="BSD GPL-2" - ["sys-apps/systemd[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain" + [">=sys-apps/systemd-257[boot(-),cryptsetup,pkcs11,policykit,tpm,ukify(-)]"]="GPL-2 LGPL-2.1 MIT public-domain" ["sys-apps/util-linux"]="GPL-2 GPL-3 LGPL-2.1 BSD-4 MIT public-domain" ["sys-auth/polkit"]="LGPL-2" + ["sys-boot/plymouth[drm,systemd(+),udev]"]="GPL-2+" ["sys-block/nbd"]="GPL-2" ["sys-devel/gcc"]="GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+" ["sys-fs/btrfs-progs"]="GPL-2" @@ -190,6 +191,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then ["sys-libs/readline"]="GPL-3+" ["sys-libs/zlib"]="ZLIB" ["sys-process/procps"]="GPL-2+ LGPL-2+ LGPL-2.1+" + ["x11-libs/libdrm"]="MIT" ["amd64? ( sys-firmware/intel-microcode )"]="amd64? ( intel-ucode )" ["x86? ( sys-firmware/intel-microcode )"]="x86? ( intel-ucode )" ) @@ -202,6 +204,7 @@ if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then " IDEPEND=" generic-uki? ( + app-crypt/sbsigntools >=sys-kernel/installkernel-14[-dracut(-),-ugrd(-),-ukify(-)] ) !generic-uki? ( @@ -605,6 +608,15 @@ kernel-install_pkg_preinst() { [[ ! -d ${kernel_dir} ]] && die "Kernel directory ${kernel_dir} not installed!" + # We moved this in order to omit it from the binpkg, move it back + if [[ -r "${T}/signing_key.pem" ]]; then + # cp instead of mv to set owner to root in one go + ( + umask 066 && + cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" + ) || die + fi + # perform the version check for release ebuilds only if [[ ${PV} != *9999 ]]; then local expected_ver=$(dist-kernel_PV_to_KV "${PV}") 
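Review bot: The restored key's permissions rely on `umask 066`, which only takes effect when `cp` creates the destination; if a `signing_key.pem` already exists at that path, cp keeps that file's mode. `install -m 0600 "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem" || die` sets the mode explicitly and drops the subshell. The comment could also say that `${T}/signing_key.pem` is put there by kernel-build_src_install, since the two halves of this hand-over live in different eclasses. kernel-install_pkg_preinst continues outside the hunk.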
@@ -649,13 +661,65 @@ kernel-install_extract_from_uki() { local extract_type=${1} local uki=${2} local out=${3} + local out_temp=${T}/${extract_type}-section-dumped # objcopy overwrites input if there is no output, dump the output in T. # We unfortunately cannot use /dev/null here $(tc-getOBJCOPY) "${uki}" "${T}/dump.efi" \ - --dump-section ".${extract_type}=${out}" || - die "Failed to extract ${extract_type}" - chmod 644 "${out}" || die + --dump-section ".${extract_type}=${out_temp}" || + die "Failed to extract ${extract_type}" + + # Sanity checks for kernel images + if [[ ${extract_type} == linux ]] && + { ! in_iuse secureboot || use secureboot ;} + then + # Extract the used SECUREBOOT_SIGN_CERT to verify the kernel image + local cert=${T}/pcrpkey + kernel-install_extract_from_uki pcrpkey "${uki}" "${cert}" + if [[ $(head -n1 "${cert}") != "-----BEGIN CERTIFICATE-----" ]]; then + # This is a DER format certificate, convert it to PEM + openssl x509 \ + -inform DER -in "${cert}" \ + -outform PEM -out "${cert}" || + die "Failed to convert pcrpkey to PEM format" + fi + + # Check if the signature on the UKI is valid + sbverify --cert "${cert}" "${uki}" || + die "ERROR: UKI signature is invalid" + + # Check if the signature on the kernel image is valid + local sbverify_err=$( + sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null + ) + + # Check if there was a padding warning + if [[ ${sbverify_err} == "warning: data remaining"*": gaps between PE/COFF sections?"* ]] + then + # https://github.com/systemd/systemd/issues/35851 + local proper_size=${sbverify_err#"warning: data remaining["} + proper_size=${proper_size%" vs"*} + # Strip the padding + head "${out_temp}" --bytes "${proper_size}" \ + >"${out_temp}_trimmed" || die + # Check if the signature verifies now + sbverify_err=$( + sbverify --cert "${cert}" "${out_temp}_trimmed" 2>&1 >/dev/null + ) + [[ -z ${sbverify_err} ]] && out_temp=${out_temp}_trimmed + fi + + # Something has gone wrong, stop here to prevent 
installing a kernel + # with an invalid signature or a completely broken kernel image. + if [[ -n ${sbverify_err} ]]; then + eerror "${sbverify_err}" + die "ERROR: Kernel image signature is invalid" + else + einfo "Signature verification OK" + fi + fi + + install -m 644 "${out_temp}" "${out}" || die } # @FUNCTION: kernel-install_install_all @@ -714,9 +778,7 @@ kernel-install_pkg_postinst() { dist-kernel_compressed_module_cleanup \ "${EROOT}/lib/modules/${KV_FULL}" - if [[ -z ${ROOT} ]]; then - kernel-install_install_all "${KV_FULL}" - fi + kernel-install_install_all "${KV_FULL}" if [[ ${KERNEL_IUSE_GENERIC_UKI} ]] && use generic-uki; then ewarn "The prebuilt initramfs and unified kernel image are highly experimental!" @@ -738,9 +800,9 @@ kernel-install_pkg_postinst() { kernel-install_pkg_postrm() { debug-print-function ${FUNCNAME} "$@" - if [[ -z ${ROOT} && ! ${KERNEL_IUSE_GENERIC_UKI} ]]; then - local kernel_dir=${EROOT}/usr/src/linux-${KV_FULL} - local image_path=$(dist-kernel_get_image_path) + local kernel_dir=${EROOT}/usr/src/linux-${KV_FULL} + local image_path=$(dist-kernel_get_image_path) + if [[ ! ${KERNEL_IUSE_GENERIC_UKI} && -d ${kernel_dir} ]]; then ebegin "Removing initramfs" rm -f "${kernel_dir}/${image_path%/*}"/{initrd,uki.efi} && find "${kernel_dir}" -depth -type d -empty -delete @@ -752,8 +814,6 @@ kernel-install_pkg_postrm() { # @DESCRIPTION: # Rebuild the initramfs and reinstall the kernel. kernel-install_pkg_config() { - [[ -z ${ROOT} ]] || die "ROOT!=/ not supported currently" - if [[ -z ${KV_FULL} ]]; then KV_FULL=${PV}${KV_LOCALVERSION} fi diff --git a/eclass/linux-mod-r1.eclass b/eclass/linux-mod-r1.eclass index 4e5b17548b04..16c280219ef8 100644 --- a/eclass/linux-mod-r1.eclass +++ b/eclass/linux-mod-r1.eclass @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Gentoo Authors +# Copyright 2023-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: linux-mod-r1.eclass 
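Review bot: Both `sbverify` runs on the extracted kernel image are judged only by whether stderr is empty, because `local sbverify_err=$( ... )` discards the exit status and stdout goes to /dev/null. A failure signalled only by exit code would fall through to "Signature verification OK". I would declare first and keep the status, `local sbverify_err sbverify_ret=0` then `sbverify_err=$(sbverify --cert "${cert}" "${out_temp}" 2>&1 >/dev/null) || sbverify_ret=${?}`, and treat a non-zero status like a non-empty message in the final check. The certificate comes from the UKI's own `.pcrpkey` section, so the check shows only that the image and its embedded certificate agree, not that a key the installing system trusts signed it; a comment saying so would keep readers from treating it as an authenticity check. The function header is outside the hunk; the body ends inside it.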
@@ -333,7 +333,7 @@ linux-mod-r1_pkg_setup() { _MODULES_GLOBAL[ran:pkg_setup]=1 _modules_check_function ${#} 0 0 || return 0 - if [[ -z ${ROOT} && ${MODULES_INITRAMFS_IUSE} ]] && + if [[ ${MODULES_INITRAMFS_IUSE} ]] && use dist-kernel && use ${MODULES_INITRAMFS_IUSE#+} then # Check, but don't die because we can fix the problem and then @@ -508,7 +508,7 @@ linux-mod-r1_pkg_postinst() { dist-kernel_compressed_module_cleanup "${EROOT}/lib/modules/${KV_FULL}" _modules_update_depmod - if [[ -z ${ROOT} && ${MODULES_INITRAMFS_IUSE} ]] && + if [[ ${MODULES_INITRAMFS_IUSE} ]] && use dist-kernel && use ${MODULES_INITRAMFS_IUSE#+} then dist-kernel_reinstall_initramfs "${KV_DIR}" "${KV_FULL}" diff --git a/eclass/llvm-r1.eclass b/eclass/llvm-r1.eclass index 7326e3a6b271..e59bd9c317b9 100644 --- a/eclass/llvm-r1.eclass +++ b/eclass/llvm-r1.eclass @@ -14,8 +14,10 @@ # in a matching slot. To use the eclass: # # 1. Set LLVM_COMPAT to the list of supported LLVM slots. +# # 2. Use llvm_gen_dep and/or LLVM_USEDEP to add appropriate # dependencies. +# # 3. Use llvm-r1_pkg_setup, get_llvm_prefix or LLVM_SLOT. # # The eclass sets IUSE and REQUIRED_USE. The flag corresponding diff --git a/eclass/llvm-r2.eclass b/eclass/llvm-r2.eclass new file mode 100644 index 000000000000..4dda9aedc7c6 --- /dev/null +++ b/eclass/llvm-r2.eclass 
@@ -0,0 +1,476 @@ +# Copyright 2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: llvm-r2.eclass +# @MAINTAINER: +# Michał Górny <mgorny@gentoo.org> +# @AUTHOR: +# Michał Górny <mgorny@gentoo.org> +# @SUPPORTED_EAPIS: 8 +# @PROVIDES: llvm-utils +# @BLURB: Provide LLVM_SLOT to build against slotted LLVM +# @DESCRIPTION: +# An eclass to reliably depend on a set of LLVM-related packages +# in a matching slot. To use the eclass: +# +# 1. Set LLVM_COMPAT to the list of supported LLVM slots. +# +# 2. Use llvm_gen_dep and/or LLVM_USEDEP to add appropriate +# dependencies. +# +# 3. Use llvm-r2_pkg_setup, llvm_chost_setup, llvm_cbuild_setup, +# get_llvm_prefix or LLVM_SLOT. +# +# The eclass sets IUSE and REQUIRED_USE. The flag corresponding +# to the newest supported stable LLVM slot (or the newest testing, +# if no stable slots are supported) is enabled by default. +# +# Note that the eclass aims for a best-effort support of CHOST builds +# (i.e. compiling/linking against LLVM) and CBUILD use (i.e. calling +# LLVM tools at build time). You need to determine what the package +# in question needs, and put the appropriate packages in DEPEND and/or +# BDEPEND appropriately. +# +# Example: +# @CODE +# LLVM_COMPAT=( {16..18} ) +# +# inherit llvm-r2 +# +# DEPEND=" +# dev-libs/libfoo[${LLVM_USEDEP}] +# $(llvm_gen_dep ' +# llvm-core/clang:${LLVM_SLOT}= +# llvm-core/llvm:${LLVM_SLOT}= +# ') +# " +# @CODE + +case ${EAPI} in + 8) ;; + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; +esac + +if [[ -z ${_LLVM_R2_ECLASS} ]]; then +_LLVM_R2_ECLASS=1 + +inherit llvm-utils + +# == internal control knobs == + +# @ECLASS_VARIABLE: _LLVM_OLDEST_SLOT +# @INTERNAL +# @DESCRIPTION: +# Oldest supported LLVM slot. This is used to automatically filter out +# unsupported LLVM_COMPAT values. +_LLVM_OLDEST_SLOT=15 + +# @ECLASS_VARIABLE: _LLVM_NEWEST_STABLE +# @INTERNAL +# @DESCRIPTION: +# The newest stable LLVM version. 
Versions newer than that won't +# be automatically enabled via USE defaults. +_LLVM_NEWEST_STABLE=19 + +# == control variables == + +# @ECLASS_VARIABLE: LLVM_COMPAT +# @PRE_INHERIT +# @REQUIRED +# @DESCRIPTION: +# A list of LLVM slots supported by the package, oldest to newest. +# +# Example: +# @CODE +# LLVM_COMPAT=( {15..17} ) +# @CODE + +# @ECLASS_VARIABLE: LLVM_OPTIONAL +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-empty value, disables setting REQUIRED_USE +# and exporting pkg_setup. You have to add LLVM_REQUIRED_USE and call +# pkg_setup manually, with appropriate USE conditions. + +# == global metadata == + +# @ECLASS_VARIABLE: LLVM_REQUIRED_USE +# @OUTPUT_VARIABLE +# @DESCRIPTION: +# An eclass-generated REQUIRED_USE string that enforces selecting +# exactly one slot. It LLVM_OPTIONAL is set, it needs to be copied +# into REQUIRED_USE, under appropriate USE conditions. Otherwise, +# it is added automatically. + +# @ECLASS_VARIABLE: LLVM_USEDEP +# @OUTPUT_VARIABLE +# @DESCRIPTION: +# An eclass-generated USE dependency string that can be applied to other +# packages using the same eclass, to enforce a LLVM slot match. + +_llvm_set_globals() { + debug-print-function ${FUNCNAME} "$@" + + if [[ ${LLVM_COMPAT@a} != *a* ]]; then + die "LLVM_COMPAT must be set to an array before inheriting ${ECLASS}" + fi + + local stable=() unstable=() + local x + for x in "${LLVM_COMPAT[@]}"; do + if [[ ${x} -gt ${_LLVM_NEWEST_STABLE} ]]; then + unstable+=( "${x}" ) + elif [[ ${x} -ge ${_LLVM_OLDEST_SLOT} ]]; then + stable+=( "${x}" ) + fi + done + + _LLVM_SLOTS=( "${stable[@]}" "${unstable[@]}" ) + if [[ ! ${_LLVM_SLOTS[@]} ]]; then + die "LLVM_COMPAT does not contain any valid versions (all older than ${_LLVM_OLDEST_SLOT}?)" + fi + + if [[ ${stable[@]} ]]; then + # If there is at least one stable slot supported, then enable + # the newest stable slot by default. 
+ IUSE="+llvm_slot_${stable[-1]}" + unset 'stable[-1]' + else + # Otherwise, enable the "oldest" ~arch slot. We really only + # expect a single ~arch version, so this primarily prevents + # defaulting to non-keyworded slots. + IUSE="+llvm_slot_${unstable[0]}" + unset 'unstable[0]' + fi + local nondefault=( "${stable[@]}" "${unstable[@]}" ) + IUSE+=" ${nondefault[*]/#/llvm_slot_}" + + local flags=( "${_LLVM_SLOTS[@]/#/llvm_slot_}" ) + LLVM_REQUIRED_USE="^^ ( ${flags[*]} )" + local usedep_flags=${flags[*]/%/(-)?} + LLVM_USEDEP=${usedep_flags// /,} + readonly LLVM_REQUIRED_USE LLVM_USEDEP + + if [[ ! ${LLVM_OPTIONAL} ]]; then + REQUIRED_USE=${LLVM_REQUIRED_USE} + fi +} +_llvm_set_globals +unset -f _llvm_set_globals + +# == metadata helpers == + +# @FUNCTION: llvm_gen_dep +# @USAGE: <dependency> +# @DESCRIPTION: +# Output a dependency block, repeating "<dependency>" conditionally +# to all llvm_slot_* USE flags. Any occurences of '${LLVM_SLOT}' +# within the block will be substituted for the respective slot. +# +# Example: +# @CODE +# DEPEND=" +# $(llvm_gen_dep ' +# llvm-core/clang:${LLVM_SLOT}= +# llvm-core/llvm:${LLVM_SLOT}= +# ') +# " +# @CODE +llvm_gen_dep() { + debug-print-function ${FUNCNAME} "$@" + + [[ ${#} -ne 1 ]] && die "Usage: ${FUNCNAME} <dependency>" + + local dep=${1} + + local slot + for slot in "${_LLVM_SLOTS[@]}"; do + echo "llvm_slot_${slot}? ( ${dep//\$\{LLVM_SLOT\}/${slot}} )" + done +} + +# == ebuild helpers == + +# @FUNCTION: get_llvm_prefix +# @USAGE: [-b|-d] +# @DESCRIPTION: +# Output the path to the selected LLVM slot. +# +# With no option or "-d", the path is prefixed by ESYSROOT. LLVM +# dependencies should be in DEPEND then. +# +# With "-b" option, the path is prefixed by BROOT. LLVM dependencies +# should be in BDEPEND then. 
+get_llvm_prefix() { + debug-print-function ${FUNCNAME} "$@" + + [[ ${#} -gt 1 ]] && die "Usage: ${FUNCNAME} [-b|-d]" + + local prefix + case ${1--d} in + -d) + prefix=${ESYSROOT} + ;; + -b) + prefix=${BROOT} + ;; + *) + die "${FUNCNAME}: invalid option: ${1}" + ;; + esac + + echo "${prefix}/usr/lib/llvm/${LLVM_SLOT}" +} + +# @FUNCTION: generate_llvm_config +# @DESCRIPTION: +# Output a llvm-config compatible script that yields paths specific +# to the requested LLVM version. +generate_llvm_config() { + debug-print-function ${FUNCNAME} "$@" + + local bindir=$(get_llvm_prefix -b)/bin + [[ ! -d ${bindir} ]] && bindir= + + local prefix=$(get_llvm_prefix -d) + local includedir=${prefix}/include + local libdir=${prefix}/$(get_libdir) + local cmake_conf=${libdir}/cmake/llvm/LLVMConfig.cmake + if [[ ! -f ${cmake_conf} ]]; then + cat <<-EOF + #!/usr/bin/env sh + echo "LLVM ${LLVM_SLOT} not installed for ABI=${ABI}" >&2 + exit 127 + EOF + return + fi + + local version=$( + sed -ne 's:set(LLVM_PACKAGE_VERSION \(.*\)):\1:p' "${cmake_conf}" || die + ) + [[ -n ${version} ]] || die + local cppdefs=$( + sed -ne 's:set(LLVM_DEFINITIONS "\(.*\)"):\1:p' "${cmake_conf}" || die + ) + [[ -n ${cppdefs} ]] || die + local targets=$( + sed -ne 's:set(LLVM_TARGETS_TO_BUILD \(.*\)):\1:p' "${cmake_conf}" || die + ) + [[ -n ${targets} ]] || die + local libs=$( + sed -ne 's:set(LLVM_AVAILABLE_LIBS \(.*\)):\1:p' "${cmake_conf}" || die + ) + [[ -n ${libs} ]] || die + local target_triple=$( + sed -ne 's:set(LLVM_TARGET_TRIPLE "\(.*\)"):\1:p' "${cmake_conf}" || die + ) + [[ -n ${target_triple} ]] || die + + readarray -d';' -t targets <<<"${targets}" + readarray -d';' -t libs <<<"${libs}" + # easier than parsing CMake booleans + local assertions=OFF + [[ ${cppdefs} == *-D_DEBUG* ]] && assertions=ON + # major + suffix + local shlib_name=LLVM-${version%%.*} + [[ ${version} == *git* ]] && shlib_name+="git${version##*git}" + + local components=( + "${libs[@]#LLVM}" "${targets[@]}" + # special component 
groups (grep for add_llvm_component_group) + all all-targets engine native nativecodegen + ) + + cat <<-EOF + #!/usr/bin/env sh + + echo "\${0} \${*}" >> "${T}/llvm-config-calls.txt" + + do_echo() { + echo " \${*}" >> "${T}/llvm-config-calls.txt" + echo "\${@}" + } + + for arg; do + case \${arg} in + --assertion-mode) + do_echo "${assertions}" + ;; + --bindir) + if [ -n "${bindir}" ]; then + do_echo "${bindir}" + else + do_echo "CBUILD LLVM not available" >&2 + exit 1 + fi + ;; + --build-mode) + do_echo RelWithDebInfo + ;; + --build-system) + do_echo cmake + ;; + --cflags|--cppflags) + do_echo "-I${includedir} ${cppdefs[*]}" + ;; + --cmakedir) + do_echo "${libdir}/cmake/llvm" + ;; + --components) + do_echo "${components[*],,}" + ;; + --cxxflags) + do_echo "-I${includedir} -std=c++17 ${cppdefs[*]}" + ;; + --has-rtti) + do_echo YES + ;; + --host-target) + do_echo "${target_triple}" + ;; + --ignore-libllvm) + # ignored + ;; + --includedir) + do_echo "${includedir}" + ;; + --ldflags) + do_echo "-L${libdir}" + ;; + --libdir) + do_echo "${libdir}" + ;; + --libfiles) + do_echo "${libdir}/lib${shlib_name}.so" + ;; + --libnames) + do_echo lib${shlib_name}.so + ;; + --libs) + do_echo "-l${shlib_name}" + ;; + --link-shared|--link-static) + # ignored + ;; + --obj-root|--prefix) + do_echo "${prefix}" + ;; + --shared-mode) + do_echo shared + ;; + --system-libs) + do_echo + ;; + --targets-built) + do_echo "${targets[*]}" + ;; + --version) + do_echo "${version}" + ;; + -*) + do_echo "Unsupported option: \${arg}" >&2 + exit 1 + ;; + *) + # ignore components, we always return the dylib + ;; + esac + done + EOF +} +# @FUNCTION: llvm_cbuild_setup +# @DESCRIPTION: +# Prepend the PATH for selected LLVM version in CBUILD. +# +# This function is meant to be used when the package in question uses +# LLVM tools at build time. It is called automatically +# by llvm-r2_pkg_setup if LLVM is found installed in BROOT. 
+# +# Note that llvm-config from this path must not be used to build against +# LLVM, as that will break cross-compilation. +llvm_cbuild_setup() { + debug-print-function ${FUNCNAME} "$@" + + local broot_prefix=$(get_llvm_prefix -b) + einfo "Using ${broot_prefix} for CBUILD LLVM ${LLVM_SLOT}" + [[ -d ${broot_prefix}/bin ]] || + die "LLVM ${LLVM_SLOT} not found installed in BROOT (expected: ${broot_prefix}/bin)" + + llvm_fix_clang_version CC CPP CXX + # keep in sync with profiles/features/llvm/make.defaults! + llvm_fix_tool_path ADDR2LINE AR AS LD NM OBJCOPY OBJDUMP RANLIB + llvm_fix_tool_path READELF STRINGS STRIP + llvm_prepend_path -b "${LLVM_SLOT}" +} + +# @FUNCTION: llvm_chost_setup +# @DESCRIPTION: +# Set the environment for finding selected LLVM slot installed +# for CHOST. Create llvm-config wrappers to satisfy legacy lookups. +# +# This function is meant to be used when the package in question uses +# LLVM compiles against and links to LLVM. It is called automatically +# by llvm-r2_pkg_setup if LLVM is found installed in ESYSROOT. +# +# Note that the generated llvm-config may refer to CBUILD installation +# of LLVM via --bindir, if it is found available. +llvm_chost_setup() { + debug-print-function ${FUNCNAME} "$@" + + local esysroot_prefix=$(get_llvm_prefix -d) + einfo "Using ${esysroot_prefix} for CHOST LLVM ${LLVM_SLOT}" + [[ -d ${esysroot_prefix} ]] || + die "LLVM ${LLVM_SLOT} not found installed in ESYSROOT (expected: ${esysroot_prefix})" + + # satisfies find_package() in CMake + export LLVM_ROOT="${esysroot_prefix}" + export Clang_ROOT="${esysroot_prefix}" + export LLD_ROOT="${esysroot_prefix}" + export MLIR_ROOT="${esysroot_prefix}" + export Polly_ROOT="${esysroot_prefix}" + + # satisfies llvm-config calls, e.g. 
from meson + export PATH="${T}/llvm-bin:${PATH}" + mkdir "${T}"/llvm-bin || die + # we need to generate it per-ABI, since libdir changes + local ABI + for ABI in $(get_all_abis); do + local path="${T}/llvm-bin/$(get_abi_CHOST)-llvm-config" + generate_llvm_config > "${path}" || die + chmod +x "${path}" || die + done + ln -s "$(get_abi_CHOST)-llvm-config" "${T}/llvm-bin/llvm-config" || die +} + +# @FUNCTION: llvm-r2_pkg_setup +# @DESCRIPTION: +# Handle all supported setup actions automatically. If LLVM is found +# installed for CBUILD, call llvm_cbuild_setup. If it is found +# installed for CHOST, call llvm_chost_setup. +# +# This function is a no-op when installing a binary package. +# +# Note that this function is not exported if LLVM_OPTIONAL is set. +# In that case, it needs to be called manually. +llvm-r2_pkg_setup() { + debug-print-function ${FUNCNAME} "$@" + + if [[ ${MERGE_TYPE} != binary ]]; then + [[ -z ${LLVM_SLOT} ]] && die "LLVM_SLOT unset (broken USE_EXPAND?)" + + if [[ -d $(get_llvm_prefix -b)/bin ]]; then + llvm_cbuild_setup + fi + + if [[ -d $(get_llvm_prefix -d) ]]; then + llvm_chost_setup + fi + fi +} + +fi + +if [[ ! ${LLVM_OPTIONAL} ]]; then + EXPORT_FUNCTIONS pkg_setup +fi diff --git a/eclass/llvm-utils.eclass b/eclass/llvm-utils.eclass index 1ae3295484c8..b105e169fbc4 100644 --- a/eclass/llvm-utils.eclass +++ b/eclass/llvm-utils.eclass 
@@ -113,17 +113,38 @@ llvm_fix_tool_path() { } # @FUNCTION: llvm_prepend_path -# @USAGE: <slot> +# @USAGE: [-b|-d] <slot> # @DESCRIPTION: # Prepend the path to the specified LLVM slot to PATH variable, # and reexport it. +# +# With no option or "-d", the path is prefixed by ESYSROOT. LLVM +# dependencies should be in DEPEND then. +# +# With "-b" option, the path is prefixed by BROOT. LLVM dependencies +# should be in BDEPEND then. llvm_prepend_path() { debug-print-function ${FUNCNAME} "$@" - [[ ${#} -ne 1 ]] && die "Usage: ${FUNCNAME} <slot>" + local prefix + case ${1--d} in + -d) + prefix=${ESYSROOT} + shift + ;; + -b) + prefix=${BROOT} + shift + ;; + -*) + die "${FUNCNAME}: invalid option: ${1}" + ;; + esac + + [[ ${#} -ne 1 ]] && die "Usage: ${FUNCNAME} [-b|-d] <slot>" local slot=${1} - local llvm_path=${ESYSROOT}/usr/lib/llvm/${slot}/bin + local llvm_path=${prefix}/usr/lib/llvm/${slot}/bin local IFS=: local split_path=( ${PATH} ) local new_path=() diff --git a/eclass/llvm.org.eclass b/eclass/llvm.org.eclass index 6a68bde89a46..a810027f74f5 100644 --- a/eclass/llvm.org.eclass +++ b/eclass/llvm.org.eclass @@ -1,4 +1,4 @@ -# Copyright 2019-2024 Gentoo Authors +# Copyright 2019-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: llvm.org.eclass @@ -72,14 +72,14 @@ if [[ -z ${_LLVM_SOURCE_TYPE+1} ]]; then _LLVM_SOURCE_TYPE=snapshot case ${PV} in - 20.0.0_pre20241215) - EGIT_COMMIT=49a5ad8e5714fd404210279303acc97b495d66d0 + 20.0.0_pre20250111) + EGIT_COMMIT=8af4d206e0f979f68925a08f9dffd60a98ce97e2 ;; - 20.0.0_pre20241207) - EGIT_COMMIT=32f7f0010bca99ee4bd917f57272733fb2bf3bd9 + 20.0.0_pre20250104) + EGIT_COMMIT=2529a8df53af9bc6cecfd6c83404ffa5e89e3370 ;; - 20.0.0_pre20241130) - EGIT_COMMIT=a348f223cab54b21a7b1c38dec7bc6aa2f81c949 + 20.0.0_pre20241227) + EGIT_COMMIT=ccfe0de0e1e37ed369c9bf89dd0188ba0afb2e9a ;; *) die "Unknown snapshot: ${PV}" 
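Review bot: Calling `llvm_prepend_path <slot>` with no option leaves `prefix` empty, because `${1--d}` substitutes `-d` only when no argument is passed at all. A bare slot therefore matches none of the three case arms, and `llvm_path` becomes `/usr/lib/llvm/<slot>/bin` without ESYSROOT, which contradicts the new "With no option or -d" documentation and changes behaviour for existing one-argument callers in cross or prefixed builds. Initialising the variable with `local prefix=${ESYSROOT}` restores the documented default. The function body continues past the end of the hunk.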
diff --git a/eclass/mono-env.eclass b/eclass/mono-env.eclass index 5415a7043fed..2e19c0b744ee 100644 --- a/eclass/mono-env.eclass +++ b/eclass/mono-env.eclass @@ -4,7 +4,7 @@ # @ECLASS: mono-env.eclass # @MAINTAINER: # maintainer-needed@gentoo.org -# @SUPPORTED_EAPIS: 7 +# @SUPPORTED_EAPIS: 7 8 # @BLURB: Set environment variables commonly used by dotnet packages. # @DESCRIPTION: # Set environment variables commonly used by dotnet packages. diff --git a/eclass/mount-boot-utils.eclass b/eclass/mount-boot-utils.eclass index e24b4e0c0826..72b4c9ccd14a 100644 --- a/eclass/mount-boot-utils.eclass +++ b/eclass/mount-boot-utils.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: mount-boot-utils.eclass @@ -16,6 +16,18 @@ # This eclass provides the functions used by mount-boot.eclass in an "inherit- # safe" way. This allows these functions to be used in other eclasses cleanly. +# @ECLASS_VARIABLE: DONT_MOUNT_BOOT +# @USER_VARIABLE +# @DESCRIPTION: +# May be set by the user or an ebuild to completely disable mount checking +# of the /boot partition and the EFI System Partition. + +# @ECLASS_VARIABLE: DONT_MOUNT_ESP +# @USER_VARIABLE +# @DESCRIPTION: +# May be set by the user or an ebuild to disable mount checking of the +# EFI System Partition only. + case ${EAPI} in 7|8) ;; *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; @@ -62,7 +74,7 @@ mount-boot_check_status() { local candidates=( /boot ) # If system is booted with UEFI, check for ESP as well - if [[ -d /sys/firmware/efi ]]; then + if [[ -d /sys/firmware/efi && -z ${DONT_MOUNT_ESP} ]]; then # Use same candidates for ESP as installkernel and eclean-kernel candidates+=( /efi /boot/efi /boot/EFI ) fi diff --git a/eclass/optfeature.eclass b/eclass/optfeature.eclass index c8b4911320d3..b82ac893addd 100644 --- a/eclass/optfeature.eclass +++ b/eclass/optfeature.eclass 
@@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: optfeature.eclass @@ -79,7 +79,7 @@ optfeature_header() { # @CODE # pkg_postinst() { # optfeature "foo support" app-misc/foo -# optfeature "bar support" app-misc/bar app-misc/baz[bar] +# optfeature "bar support" app-misc/bar "app-misc/baz[bar]" # optfeature "alphabet support" "app-misc/a app-misc/b" app-misc/c # } # @CODE diff --git a/eclass/qt6-build.eclass b/eclass/qt6-build.eclass index f8161447074a..ca6c63081053 100644 --- a/eclass/qt6-build.eclass +++ b/eclass/qt6-build.eclass @@ -1,4 +1,4 @@ -# Copyright 2021-2024 Gentoo Authors +# Copyright 2021-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: qt6-build.eclass @@ -296,7 +296,7 @@ _qt6-build_sanitize_cpu_flags() { # extras only needed by chromium in qtwebengine # (see also chromium's ebuild wrt bug #530248,#544702,#546984,#853646) [[ ${PN} == qtwebengine ]] && cpuflags+=( - mmx xop + avx512vnni mmx xop # unclear if these two are really needed given (current) chromium # does not pass these flags, albeit it may side-disable something diff --git a/eclass/ruby-fakegem.eclass b/eclass/ruby-fakegem.eclass index fc78428be714..c358015902bb 100644 --- a/eclass/ruby-fakegem.eclass +++ b/eclass/ruby-fakegem.eclass @@ -624,7 +624,7 @@ each_fakegem_install() { ruby_fakegem_install_gemspec local _gemlibdirs="${RUBY_FAKEGEM_EXTRAINSTALL}" - for directory in "${RUBY_FAKEGEM_BINDIR}" lib; do + for directory in "${RUBY_FAKEGEM_BINDIR}" lib sig; do [[ -d ${directory} ]] && _gemlibdirs="${_gemlibdirs} ${directory}" done diff --git a/eclass/ruby-utils.eclass b/eclass/ruby-utils.eclass index 29b9ab396b87..4bd3e6ba1292 100644 --- a/eclass/ruby-utils.eclass +++ b/eclass/ruby-utils.eclass 
@@ -36,14 +36,14 @@ esac RUBY_TARGETS_PREFERENCE="ruby32 ruby31 " # All other active ruby targets -RUBY_TARGETS_PREFERENCE+="ruby33" +RUBY_TARGETS_PREFERENCE+="ruby33 ruby34" _ruby_implementation_depend() { local rubypn= local rubyslot= case $1 in - ruby1[89]|ruby2[0-7]|ruby3[0-3]) + ruby1[89]|ruby2[0-7]|ruby3[0-4]) rubypn="dev-lang/ruby" rubyslot=":${1:4:1}.${1:5}" ;; diff --git a/eclass/rust.eclass b/eclass/rust.eclass index eb14ca2329b5..0630d5973854 100644 --- a/eclass/rust.eclass +++ b/eclass/rust.eclass @@ -1,4 +1,4 @@ -# Copyright 2024 Gentoo Authors +# Copyright 2024-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: rust.eclass @@ -67,6 +67,7 @@ fi # @DESCRIPTION: # Definitive list of Rust slots and the associated LLVM slot, newest first. declare -A -g -r _RUST_LLVM_MAP=( + ["1.84.0"]=19 ["1.83.0"]=19 ["1.82.0"]=19 ["1.81.0"]=18 @@ -88,6 +89,7 @@ declare -A -g -r _RUST_LLVM_MAP=( # While _RUST_LLVM_MAP stores useful info about the relationship between Rust and LLVM slots, # this array is used to store the Rust slots in a more convenient order for iteration. declare -a -g -r _RUST_SLOTS_ORDERED=( + "1.84.0" "1.83.0" "1.82.0" "1.81.0" @@ -286,7 +288,8 @@ unset -f _rust_set_globals # @USAGE: [-b|-d] # @DESCRIPTION: # Find the newest Rust install that is acceptable for the package, -# and print its version number (i.e. SLOT) and type (source or bin[ary]). +# and export its version (i.e. SLOT) and type (source or bin[ary]) +# as RUST_SLOT and RUST_TYPE. # # If -b is specified, the checks are performed relative to BROOT, # and BROOT-path is returned. -b is the default. 
@@ -363,10 +366,13 @@ _get_rust_slot() { # If we're in LLVM mode we can skip any slots that don't match the selected USE if [[ -n "${RUST_NEEDS_LLVM}" ]]; then if [[ "${llvm_slot}" != "${llvm_r1_slot}" ]]; then + einfo "Skipping Rust ${slot} as it does not match llvm_slot_${llvm_r1_slot}" continue fi fi + einfo "Checking whether Rust ${slot} is suitable ..." + if declare -f rust_check_deps >/dev/null; then local RUST_SLOT="${slot}" local LLVM_SLOT="${_RUST_LLVM_MAP[${slot}]}" @@ -396,11 +402,13 @@ _get_rust_slot() { esac local _pkg for _pkg in "${rust_pkgs[@]}"; do + einfo " Checking for ${_pkg} ..." if has_version "${hv_switch}" "${_pkg}"; then + export RUST_SLOT="${slot}" if [[ "${_pkg}" == "dev-lang/rust:${slot}${usedep}" ]]; then - echo "${slot} source" + export RUST_TYPE="source" else - echo "${slot} binary" + export RUST_TYPE="binary" fi return fi @@ -418,7 +426,12 @@ _get_rust_slot() { die "${FUNCNAME}: invalid max_slot=${max_slot}" fi - die "No Rust slot${1:+ <= ${1}} satisfying the package's dependencies found installed!" + local requirement_msg="" + [[ -n "${RUST_MAX_VER}" ]] && requirement_msg+="<= ${RUST_MAX_VER} " + [[ -n "${RUST_MIN_VER}" ]] && requirement_msg+=">= ${RUST_MIN_VER} " + [[ -n "${RUST_REQ_USE}" ]] && requirement_msg+="with USE=${RUST_REQ_USE}" + requirement_msg="${requirement_msg% }" + die "No Rust matching requirements${requirement_msg:+ (${requirement_msg})} found installed!" } # @FUNCTION: get_rust_path @@ -460,9 +473,8 @@ get_rust_prefix() { local prefix=${BROOT} [[ ${1} == -d ]] && prefix=${ESYSROOT} - local slot rust_type - read -r slot rust_type <<< $(_get_rust_slot "$@") - get_rust_path "${prefix}" "${slot}" "${rust_type}" + _get_rust_slot "$@" + get_rust_path "${prefix}" "${RUST_SLOT}" "${RUST_TYPE}" } # @FUNCTION: rust_prepend_path 
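Review bot: The new `export RUST_SLOT="${slot}"` may not reach the caller when an ebuild defines rust_check_deps. The context at the end of the previous hunk (-363) shows `local RUST_SLOT="${slot}"` in that branch, and a bash `local` is function-scoped, so any value assigned to RUST_SLOT inside `_get_rust_slot`, exported or not, is discarded on return. The lines between the two hunks are not visible, so please confirm how the rust_check_deps branch returns; if it returns on success, rust_pkg_setup would read an empty `${RUST_SLOT}`. Using `export RUST_SLOT="${slot}"` in place of the `local` declaration there would keep both paths consistent.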
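Review bot: get_rust_prefix has gained a side effect: calling `_get_rust_slot "$@"` directly, instead of in a command substitution, means every `get_rust_prefix` call now overwrites the exported RUST_SLOT and RUST_TYPE. A later `get_rust_prefix -d` would replace the values that rust_pkg_setup chose with `-b` for the rest of the build. If that is not intended, declaring `local RUST_SLOT RUST_TYPE` before the call confines the assignment to this function. Otherwise the @DESCRIPTION should say that the function updates both variables.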
@@ -500,7 +512,7 @@ rust_pkg_setup() { debug-print-function ${FUNCNAME} "$@" if [[ ${MERGE_TYPE} != binary ]]; then - read -r RUST_SLOT RUST_TYPE <<< $(_get_rust_slot -b) + _get_rust_slot -b rust_prepend_path "${RUST_SLOT}" "${RUST_TYPE}" local prefix=$(get_rust_path "${BROOT}" "${RUST_SLOT}" "${RUST_TYPE}") CARGO="${prefix}bin/cargo" diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass index a854061719a9..7361465ee2d3 100644 --- a/eclass/secureboot.eclass +++ b/eclass/secureboot.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: secureboot.eclass @@ -57,6 +57,13 @@ BDEPEND=" # @DESCRIPTION: # Used with USE=secureboot. Should be set to the path of the private # key in PEM format to use, or a PKCS#11 URI. +# If unspecified the following locations are tried in order: +# - /etc/portage/secureboot.pem +# - /var/lib/sbctl/keys/db/db.{key,pem} (from app-crypt/sbctl) +# - the MODULES_SIGN_KEY (and MODULES_SIGN_CERT if set) +# - the contents of CONFIG_MODULE_SIG_KEY in the current kernel +# If none of these exist, a new key will be generated at +# /etc/portage/secureboot.pem. # @ECLASS_VARIABLE: SECUREBOOT_SIGN_CERT # @USER_VARIABLE 
@@ -64,36 +71,13 @@ BDEPEND=" # @DESCRIPTION: # Used with USE=secureboot. Should be set to the path of the public # key certificate in PEM format to use. +# If unspecified the SECUREBOOT_SIGN_KEY is assumed to also contain the +# certificate belonging to it. if [[ -z ${_SECUREBOOT_ECLASS} ]]; then _SECUREBOOT_ECLASS=1 -# @FUNCTION: _secureboot_die_if_unset -# @INTERNAL -# @DESCRIPTION: -# If USE=secureboot is enabled die if the required user variables are unset -# and die if the keys can't be found. -_secureboot_die_if_unset() { - debug-print-function ${FUNCNAME} "$@" - use secureboot || return - - if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then - die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or SECUREBOOT_SIGN_CERT not set." - fi - - # Sanity check: fail early if key/cert in DER format or does not exist - local openssl_args=( - -inform PEM -in "${SECUREBOOT_SIGN_CERT}" - -noout -nocert - ) - if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then - openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" ) - else - openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" ) - fi - openssl x509 "${openssl_args[@]}" || - die "Secure Boot signing certificate or key not found or not PEM format." -} +inherit linux-info # @FUNCTION: secureboot_pkg_setup # @DESCRIPTION: 
@@ -105,7 +89,114 @@ secureboot_pkg_setup() { # If we are merging a binary then the files in this binary # are already signed, no need to check the variables. if [[ ${MERGE_TYPE} != binary ]]; then - _secureboot_die_if_unset + if [[ -z ${SECUREBOOT_SIGN_KEY} ]]; then + # No key specified, try some usual suspects + linux-info_pkg_setup + local module_sig_key= + if linux_config_exists MODULE_SIG_KEY; then + : "$(linux_chkconfig_string MODULE_SIG_KEY)" + module_sig_key=${_//\"} + # Convert to absolute path if required + if [[ ${module_sig_key} != pkcs11:* && + ${module_sig_key} != /* ]] + then + module_sig_key=${KV_OUT_DIR}/${module_sig_key} + fi + fi + + # Check both the SYSROOT and ROOT, like linux-info.eclass + ewarn "No Secure Boot signing key specified." + if [[ -r ${SYSROOT}/etc/portage/secureboot.pem ]]; then + ewarn "Using ${SYSROOT}/etc/portage/secureboot.pem as signing key" + export SECUREBOOT_SIGN_KEY=${SYSROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${SYSROOT}/etc/portage/secureboot.pem + elif [[ -r ${ROOT}/etc/portage/secureboot.pem ]]; then + ewarn "Using ${ROOT}/etc/portage/secureboot.pem as signing key" + export SECUREBOOT_SIGN_KEY=${ROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${ROOT}/etc/portage/secureboot.pem + elif [[ -r ${SYSROOT}/var/lib/sbctl/keys/db/db.key && + -r ${SYSROOT}/var/lib/sbctl/keys/db/db.pem ]] + then + ewarn "Using keys maintained by app-crypt/sbctl" + export SECUREBOOT_SIGN_KEY=${SYSROOT}/var/lib/sbctl/keys/db/db.key + export SECUREBOOT_SIGN_CERT=${SYSROOT}/var/lib/sbctl/keys/db/db.pem + elif [[ -r ${ROOT}/var/lib/sbctl/keys/db/db.key && + -r ${ROOT}/var/lib/sbctl/keys/db/db.pem ]] + then + ewarn "Using keys maintained by app-crypt/sbctl" + export SECUREBOOT_SIGN_KEY=${ROOT}/var/lib/sbctl/keys/db/db.key + export SECUREBOOT_SIGN_CERT=${ROOT}/var/lib/sbctl/keys/db/db.pem + elif [[ -r ${MODULES_SIGN_KEY} ]]; then + ewarn "Using the kernel module signing key" + export 
SECUREBOOT_SIGN_KEY=${MODULES_SIGN_KEY} + if [[ -r ${MODULES_SIGN_CERT} ]]; then + export SECUREBOOT_SIGN_CERT=${MODULES_SIGN_CERT} + else + export SECUREBOOT_SIGN_CERT=${MODULES_SIGN_KEY} + fi + elif [[ -r ${KV_OUT_DIR}/certs/signing_key.x509 ]] && + [[ -r ${module_sig_key} || ${module_sig_key} == pkcs11:* ]] + then + ewarn "Using keys maintained by the kernel" + openssl x509 \ + -in "${KV_OUT_DIR}/certs/signing_key.x509" -inform DER \ + -out "${T}/secureboot.pem" -outform PEM || + die "Failed to convert kernel certificate to PEM format" + export SECUREBOOT_SIGN_KEY=${module_sig_key} + export SECUREBOOT_SIGN_CERT=${T}/secureboot.pem + else + ewarn "No candidate keys found, generating a new key" + local openssl_gen_args=( + req -new -batch -nodes -utf8 -sha256 -days 36500 -x509 + -outform PEM -out "${SYSROOT}/etc/portage/secureboot.pem" + -keyform PEM -keyout "${SYSROOT}/etc/portage/secureboot.pem" + ) + if [[ -r ${KV_OUT_DIR}/certs/x509.genkey ]]; then + openssl_gen_args+=( + -config "${KV_OUT_DIR}/certs/x509.genkey" + ) + elif [[ -r ${KV_OUT_DIR}/certs/default_x509.genkey ]]; then + openssl_gen_args+=( + -config "${KV_OUT_DIR}/certs/default_x509.genkey" + ) + else + openssl_gen_args+=( + -subj '/CN=Build time autogenerated kernel key' + ) + fi + ( + umask 066 + openssl "${openssl_gen_args[@]}" || + die "Failed to generate new signing key" + # Generate DER format key as well for easy inclusion in + # either the UEFI dB or MOK list. + openssl x509 \ + -in "${SYSROOT}/etc/portage/secureboot.pem" -inform PEM \ + -out "${ROOT}/etc/portage/secureboot.x509" -outform DER || + die "Failed to convert signing certificate to DER format" + ) + export SECUREBOOT_SIGN_KEY=${SYSROOT}/etc/portage/secureboot.pem + export SECUREBOOT_SIGN_CERT=${SYSROOT}/etc/portage/secureboot.pem + fi + elif [[ -z ${SECUREBOOT_SIGN_CERT} ]]; then + ewarn "A SECUREBOOT_SIGN_KEY was specified but no SECUREBOOT_SIGN_CERT" + ewarn "was set. Assuming the certificate is in the same file as the key." 
+ export SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_KEY} + fi + + # Sanity check: fail early if key/cert in DER format or does not exist + local openssl_args=( + -inform PEM -in "${SECUREBOOT_SIGN_CERT}" + -noout -nocert + ) + if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then + openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${SECUREBOOT_SIGN_KEY}" ) + else + openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" ) + fi + + openssl x509 "${openssl_args[@]}" || + die "Secure Boot signing certificate or key not found or not PEM format." fi } @@ -123,8 +214,6 @@ secureboot_sign_efi_file() { local input_file=${1} local output_file=${2:-${1}} - _secureboot_die_if_unset - ebegin "Signing ${input_file}" local return=1 if sbverify "${input_file}" --cert "${SECUREBOOT_SIGN_CERT}" &> /dev/null; then diff --git a/eclass/tests/llvm-r1.sh b/eclass/tests/llvm-r1.sh index 892b773a08c9..d4657815465d 100755 --- a/eclass/tests/llvm-r1.sh +++ b/eclass/tests/llvm-r1.sh @@ -54,7 +54,7 @@ test_gen_dep() { local value=$(llvm_gen_dep "${arg}") if [[ ${value} != ${expected} ]]; then - eerror "python_get_usedep ${arg}" + eerror "llvm_gen_dep ${arg}" eerror "gave:" eerror " ${value}" eerror "expected:" 
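Review bot: In the key-generation branch the PEM key is written under `${SYSROOT}/etc/portage`, but the DER certificate derived from it goes to `${ROOT}/etc/portage/secureboot.x509`. When the two roots differ, the certificate a user is meant to enrol ends up in a different tree from its key; unless that split is deliberate, `-out "${SYSROOT}/etc/portage/secureboot.x509" -outform DER ||` keeps them together. The same branch creates an unencrypted (`-nodes`) key valid for 36500 days and announces it only with "No candidate keys found, generating a new key". An extra `ewarn "Generated ${SYSROOT}/etc/portage/secureboot.pem; its certificate must be enrolled before firmware will trust it"` would tell the user where the key is and that nothing trusts it yet. secureboot_pkg_setup starts before this hunk.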
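Review bot: With the `_secureboot_die_if_unset` call removed, secureboot_sign_efi_file has no check of its own before using `${SECUREBOOT_SIGN_CERT}` in the `sbverify` line, so it now relies on secureboot_pkg_setup having run and filled in both variables. An ebuild that overrides pkg_setup without calling it would reach the signing tools with empty key and certificate arguments and fail with a less clear error. A guard for the USE=secureboot case, such as `[[ -n ${SECUREBOOT_SIGN_KEY} && -n ${SECUREBOOT_SIGN_CERT} ]] || die "${FUNCNAME}: secureboot_pkg_setup was not run"`, would keep the early and explicit failure. The function's body continues outside the hunk.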
@@ -63,67 +63,9 @@ test_gen_dep() { tend ${?} } -test_fix_clang_version() { - local var=${1} - local tool=${2} - local version=${3} - local expected=${4} - - eval "${tool}() { - cat <<-EOF - clang version ${version} - Target: x86_64-pc-linux-gnu - Thread model: posix - InstalledDir: /usr/lib/llvm/17/bin - Configuration file: /etc/clang/x86_64-pc-linux-gnu-clang.cfg - EOF - }" - - declare -g ${var}=${tool} - tbegin "llvm_fix_clang_version ${var}=${tool} for ${version}" - llvm_fix_clang_version "${var}" - if [[ ${!var} != ${expected} ]]; then - eerror "llvm_fix_clang_version ${var}" - eerror " gave: ${!var}" - eerror "expected: ${expected}" - fi - tend ${?} -} - -test_fix_tool_path() { - local var=${1} - local tool=${2} - local expected_subst=${3} - local expected=${tool} - - tbegin "llvm_fix_tool_path ${1}=${2} (from llvm? ${expected_subst})" - - local matches=( "${BROOT}"/usr/lib/llvm/*/bin/"${tool}" ) - if [[ ${expected_subst} == 1 ]]; then - if [[ ! -x ${matches[0]} ]]; then - ewarn "- skipping, test requires ${tool}" - return - fi - - expected=${matches[0]} - local -x PATH=${matches[0]%/*} - else - local -x PATH= - fi - - declare -g ${var}=${tool} - llvm_fix_tool_path "${var}" - if [[ ${!var} != ${expected} ]]; then - eerror "llvm_fix_tool_path ${var}" - eerror " gave: ${!var}" - eerror "expected: ${expected}" - fi - tend ${?} -} - # full range test_globals '14 15 16 17 18 19' \ - "+llvm_slot_18 llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_19" \ + "+llvm_slot_19 llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_18" \ "^^ ( llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_18 llvm_slot_19 )" \ "llvm_slot_15(-)?,llvm_slot_16(-)?,llvm_slot_17(-)?,llvm_slot_18(-)?,llvm_slot_19(-)?" test_globals '14 15 16 17 18' \ 
@@ -136,10 +78,10 @@ test_globals '14 15 16' \ "^^ ( llvm_slot_15 llvm_slot_16 )" \ "llvm_slot_15(-)?,llvm_slot_16(-)?" # old + newer than current stable -test_globals '15 19' \ - "+llvm_slot_15 llvm_slot_19" \ - "^^ ( llvm_slot_15 llvm_slot_19 )" \ - "llvm_slot_15(-)?,llvm_slot_19(-)?" +test_globals '15 20' \ + "+llvm_slot_15 llvm_slot_20" \ + "^^ ( llvm_slot_15 llvm_slot_20 )" \ + "llvm_slot_15(-)?,llvm_slot_20(-)?" # newer than current stable test_globals '19' \ "+llvm_slot_19" \ diff --git a/eclass/tests/llvm-r2.sh b/eclass/tests/llvm-r2.sh new file mode 100755 index 000000000000..fde76d2d682e --- /dev/null +++ b/eclass/tests/llvm-r2.sh 
@@ -0,0 +1,188 @@ +#!/bin/bash +# Copyright 2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +source tests-common.sh || exit + +EAPI=8 + +test_globals() { + local compat=${1} + local expected_iuse=${2} + local expected_required_use=${3} + local expected_usedep=${4} + local x + + tbegin "LLVM_COMPAT=( ${compat} )" + + ( + local fail=0 + local LLVM_COMPAT=( ${compat} ) + + inherit llvm-r2 + + if [[ ${IUSE%% } != ${expected_iuse} ]]; then + eerror " IUSE: ${IUSE%% }" + eerror "does not match: ${expected_iuse}" + fail=1 + fi + + if [[ ${REQUIRED_USE} != ${expected_required_use} ]]; then + eerror " REQUIRED_USE: ${REQUIRED_USE}" + eerror "does not match: ${expected_required_use}" + fail=1 + fi + + if [[ ${LLVM_USEDEP} != ${expected_usedep} ]]; then + eerror " LLVM_USEDEP: ${LLVM_USEDEP}" + eerror "does not match: ${expected_usedep}" + fail=1 + fi + + exit "${fail}" + ) + + tend "${?}" +} + +test_gen_dep() { + local arg=${1} + local expected + read -r -d '' expected + + tbegin "llvm_gen_dep ${arg}" + local value=$(llvm_gen_dep "${arg}") + + if [[ ${value} != ${expected} ]]; then + eerror "llvm_gen_dep ${arg}" + eerror "gave:" + eerror " ${value}" + eerror "expected:" + eerror " ${expected}" + fi + tend ${?} +} + +LLVM_CONFIG_OPTIONS=( + --assertion-mode + --bindir + --build-mode + --build-system + --cflags + --cmakedir + --components + --cppflags + --cxxflags + --has-rtti + --host-target + --ignore-libllvm + --includedir + --ldflags + --libdir + --libfiles + --libnames + --libs + --link-shared + --link-static + --obj-root + --prefix + --shared-mode + --system-libs + --targets-built + --version +) + +normalize_list() { + "${@}" | + sed -e 's:\s\+:\n:g' | + sed -e '/^$/d' | + sort + local ps=${PIPESTATUS[*]} + [[ ${ps} == '0 0 0 0' ]] || die "normalize_list pipe failed: ${ps}" +} + +test_llvm_config() { + einfo "llvm-config for slot ${LLVM_SLOT}, libdir ${LLVM_LIBDIR}" + eindent + + generate_llvm_config > "${TMP}/llvm-config" || die 
+ local triple=$(sh "${TMP}/llvm-config" --host-target || die) + local llvm_config=/usr/lib/llvm/${LLVM_SLOT}/bin/${triple}-llvm-config + + local option res + for option in "${LLVM_CONFIG_OPTIONS[@]}"; do + tbegin "${option}" + + normalize_list sh "${TMP}/llvm-config" "${option}" > "${TMP}/our" + normalize_list "${llvm_config}" "${option}" > "${TMP}/upstream" + case ${option} in + --components) + # our components are a superset of what llvm-config yields + res=$(comm -13 "${TMP}/our" "${TMP}/upstream") + ;; + *) + # expect all elements to match + res=$(comm -3 "${TMP}/our" "${TMP}/upstream") + ;; + esac + + if [[ -z ${res} ]]; then + tend 0 + else + eerror "$(diff -u "${TMP}/our" "${TMP}/upstream")" + tend 1 + fi + done + + eoutdent +} + +# full range +test_globals '14 15 16 17 18 19' \ + "+llvm_slot_19 llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_18" \ + "^^ ( llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_18 llvm_slot_19 )" \ + "llvm_slot_15(-)?,llvm_slot_16(-)?,llvm_slot_17(-)?,llvm_slot_18(-)?,llvm_slot_19(-)?" +test_globals '14 15 16 17 18' \ + "+llvm_slot_18 llvm_slot_15 llvm_slot_16 llvm_slot_17" \ + "^^ ( llvm_slot_15 llvm_slot_16 llvm_slot_17 llvm_slot_18 )" \ + "llvm_slot_15(-)?,llvm_slot_16(-)?,llvm_slot_17(-)?,llvm_slot_18(-)?" +# older than stable +test_globals '14 15 16' \ + "+llvm_slot_16 llvm_slot_15" \ + "^^ ( llvm_slot_15 llvm_slot_16 )" \ + "llvm_slot_15(-)?,llvm_slot_16(-)?" +# old + newer than current stable +test_globals '15 20' \ + "+llvm_slot_15 llvm_slot_20" \ + "^^ ( llvm_slot_15 llvm_slot_20 )" \ + "llvm_slot_15(-)?,llvm_slot_20(-)?" +# newer than current stable +test_globals '19' \ + "+llvm_slot_19" \ + "^^ ( llvm_slot_19 )" \ + "llvm_slot_19(-)?" + +LLVM_COMPAT=( {14..18} ) +inherit llvm-r2 + +test_gen_dep 'llvm-core/llvm:${LLVM_SLOT} llvm-core/clang:${LLVM_SLOT}' <<-EOF + llvm_slot_15? ( llvm-core/llvm:15 llvm-core/clang:15 ) + llvm_slot_16? ( llvm-core/llvm:16 llvm-core/clang:16 ) + llvm_slot_17? 
( llvm-core/llvm:17 llvm-core/clang:17 ) + llvm_slot_18? ( llvm-core/llvm:18 llvm-core/clang:18 ) +EOF + +TMP=$(mktemp -d || die) +trap 'rm -rf \"${TMP}\"' EXIT +get_libdir() { echo "${LLVM_LIBDIR}"; } + +for installed_llvm_cmake in /usr/lib/llvm/*/lib*/cmake; do + installed_llvm_libdir=${installed_llvm_cmake%/*} + LLVM_LIBDIR=${installed_llvm_libdir##*/} + installed_llvm=${installed_llvm_libdir%/*} + LLVM_SLOT=${installed_llvm##*/} + + test_llvm_config +done + +texit diff --git a/eclass/toolchain.eclass b/eclass/toolchain.eclass index 602f99437145..7068fc452dbe 100644 --- a/eclass/toolchain.eclass +++ b/eclass/toolchain.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: toolchain.eclass @@ -688,6 +688,11 @@ toolchain_src_prepare() { eapply_user + # Workaround -march=native not working for stage1 with non-GCC (bug #933772). + if ! tc-is-gcc && [[ "${CFLAGS}${CXXFLAGS}" == *-march=native* ]] ; then + CLANG_DISABLE_CET_HACK=1 + fi + if ! use vanilla ; then tc_enable_hardened_gcc fi @@ -716,7 +721,7 @@ toolchain_src_prepare() { gnuconfig_update - if ! use prefix-guest && [[ -n ${EPREFIX} ]] ; then + if ! is_crosscompile && ! use prefix-guest && [[ -n ${EPREFIX} ]] ; then einfo "Prefixifying dynamic linkers..." for f in gcc/config/*/*linux*.h ; do ebegin " Updating ${f}" @@ -1178,11 +1183,6 @@ toolchain_src_configure() { export ac_cv_std_swap_in_utility=no fi - # Workaround -march=native not working for stage1 with non-GCC (bug #933772). - if ! tc-is-gcc && [[ "${CFLAGS}${CXXFLAGS}" == *-march=native* ]] ; then - CLANG_DISABLE_CET_HACK=1 - fi - local flag for flag in $(all-flag-vars) ; do einfo "${flag}=\"${!flag}\"" @@ -1804,7 +1804,7 @@ toolchain_src_configure() { fi case ${CBUILD}-${CHOST}-${CTARGET} in - *i686-w64-mingw32*|*x86_64-w64-mingw32*) + *-w*-mingw*) # config/i386/t-cygming requires fixincludes (bug #925204) GCC_RUN_FIXINCLUDES=1 ;; 
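Review bot: The EXIT trap near the end of the new script does not remove the temporary directory. Inside single quotes `\"` stays a backslash-quote pair, so when the trap fires rm receives a path wrapped in literal double quotes, and the expansion itself is unquoted and therefore subject to word splitting. `trap 'rm -rf "${TMP}"' EXIT` deletes the directory that `mktemp -d` created and passes the path as a single argument.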
@@ -2641,7 +2641,7 @@ toolchain_src_install() { # - "${D}${LIBPATH}" # As dostrip does not specify host to override ${CHOST} tools just skip # non-native binary stripping. - is_crosscompile && dostrip -x "${LIBPATH}" + is_crosscompile && dostrip -x "${LIBPATH#"${EPREFIX}"}" cd "${S}" || die if is_crosscompile; then @@ -2961,6 +2961,12 @@ toolchain_pkg_postrm() { rm -f "${EROOT}"/usr/bin/${CTARGET}-{gcc,{g,c}++}{,32,64} fi return 0 + else + # Removed the last GCC installed (bug #906040) + if ! has_version "sys-devel/gcc" && has_version "sys-devel/clang" ; then + einfo "Last GCC version removed. Cleaning up ${EROOT}/etc/clang/gentoo-gcc-install.cfg." + echo > "${EROOT}"/etc/clang/gentoo-gcc-install.cfg + fi fi # gcc stopped installing .la files fixer in June 2020. @@ -3153,15 +3159,16 @@ toolchain_death_notice() { pushd "${WORKDIR}" >/dev/null (echo '' | $(tc-getCC ${CTARGET}) ${CFLAGS} -v -E - 2>&1) > "${dir}"/gccinfo.log [[ -e "${T}"/build.log ]] && cp "${T}"/build.log "${dir}" - tar -arf "${WORKDIR}"/gcc-build-logs.tar.xz \ - "${dir#${WORKDIR}/}"/gccinfo.log "${dir#${WORKDIR}/}"/build.log $(find -name "${dir}"/config.log) - rm "${dir}"/gccinfo.log "${dir}"/build.log + tar -arf "${WORKDIR}"/gcc-build-logs.tar \ + "${dir#${WORKDIR}/}"/gccinfo.log "${dir#${WORKDIR}/}"/build.log $(find -name "${dir#${WORKDIR}/}"/config.log) + rm "${dir#${WORKDIR}/}"/gccinfo.log "${dir#${WORKDIR}/}"/build.log eerror eerror "Please include ${WORKDIR}/gcc-build-logs.tar.xz in your bug report." eerror popd >/dev/null fi done + xz -9e "${WORKDIR}"/gcc-build-logs.tar.xz } fi diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass index 0e6b9b43e557..12b689f0f4b2 100644 --- a/eclass/verify-sig.eclass +++ b/eclass/verify-sig.eclass @@ -1,4 +1,4 @@ -# Copyright 2020-2024 Gentoo Authors +# Copyright 2020-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: verify-sig.eclass 
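Review bot: The added `has_version "sys-devel/clang"` test in toolchain_pkg_postrm may never be true. The test data added elsewhere in this commit (eclass/tests/llvm-r2.sh) names the package `llvm-core/clang`, which suggests clang now lives in that category; if so, `gentoo-gcc-install.cfg` is never cleared after the last GCC is removed. `if ! has_version "sys-devel/gcc" && has_version "llvm-core/clang" ; then` would match that naming, but please confirm against the tree. The function starts outside the hunk.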
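Review bot: The new `xz -9e "${WORKDIR}"/gcc-build-logs.tar.xz` at the end of toolchain_death_notice names a file that this hunk no longer creates, since tar now appends to `gcc-build-logs.tar`. As written, the archive that the eerror message asks users to attach is never produced; the line should read `xz -9e "${WORKDIR}"/gcc-build-logs.tar`, which yields the `.tar.xz`. Because the loop may finish without creating the tarball, it is also worth prefixing it with `[[ -e "${WORKDIR}"/gcc-build-logs.tar ]] &&`. The function starts outside the hunk.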
@@ -48,6 +48,8 @@ esac if [[ -z ${_VERIFY_SIG_ECLASS} ]]; then _VERIFY_SIG_ECLASS=1 +inherit eapi9-pipestatus + IUSE="verify-sig" # @ECLASS_VARIABLE: VERIFY_SIG_METHOD @@ -423,6 +425,36 @@ verify-sig_verify_signed_checksums() { esac } +# @FUNCTION: verify-sig_uncompress_verify_unpack +# @USAGE: <compressed-tar> <sig-file> [<key-file>] +# @DESCRIPTION: +# Uncompress the <compressed-tar> tarball, verify the uncompressed +# archive against the signature in <sig-file> and unpack it. This is +# useful for kernel.org packages that sign the uncompressed tarball +# instead of the compressed archive. <key-file> can either be passed +# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH. The function +# dies if verification or any of the unpacking steps fail. +verify-sig_uncompress_verify_unpack() { + local file=${1} + local unpacker + + # TODO: integrate with unpacker.eclass somehow? + case ${file} in + *.tar.xz) + unpacker=( xz -cd ) + ;; + *) + die "${FUNCNAME}: only .tar.xz archives are supported at the moment" + ;; + esac + + einfo "Unpacking ${file} ..." + verify-sig_verify_detached - "${@:2}" < <( + "${unpacker[@]}" "${file}" | tee >(tar -xf - || die) + pipestatus || die + ) +} + # @FUNCTION: verify-sig_src_unpack # @DESCRIPTION: # Default src_unpack override that verifies signatures for all diff --git a/eclass/zig-utils.eclass b/eclass/zig-utils.eclass index ca72e89ed6ea..5502d997935e 100644 --- a/eclass/zig-utils.eclass +++ b/eclass/zig-utils.eclass @@ -1,4 +1,4 @@ -# Copyright 2024 Gentoo Authors +# Copyright 2024-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # @ECLASS: zig-utils.eclass 
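Review bot: The @DESCRIPTION of verify-sig_uncompress_verify_unpack reads as verify-then-unpack, but `tee >(tar -xf - || die)` hands the decompressed stream to tar while verify-sig_verify_detached is still reading it. tar therefore parses and writes unauthenticated data before the signature result is known. The function does die on a bad signature, which stops the build, but the unverified tree is already on disk by then. I would document that in the block, for example `# Note that the archive is extracted while it is being verified; on failure the function dies, but unverified files have already been written to the working directory.`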
@@ -54,6 +54,14 @@ inherit edo flag-o-matic linux-info # and most likely changed to more common in other eclasses ZIG_MIN/ # ZIG_MAX form. +# @ECLASS_VARIABLE: ZIG_NEEDS_LLVM +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# If set to a non-empty value, the package will BDEPEND on a Zig package +# with LLVM enabled. This is currently required for packages that require +# C/C++ source files to be compiled with Zig. + # @ECLASS_VARIABLE: ZIG_OPTIONAL # @PRE_INHERIT # @DEFAULT_UNSET @@ -69,9 +77,15 @@ inherit edo flag-o-matic linux-info # For zig.eclass users: see documentation in zig.eclass # instead. if [[ ! ${ZIG_OPTIONAL} ]]; then + _ZIG_USEDEP="" + if [[ ${ZIG_NEEDS_LLVM} ]]; then + _ZIG_USEDEP="[llvm(+)]" + fi + + # NOTE: zig-bin is always built with LLVM support, so no USE needed. BDEPEND=" || ( - dev-lang/zig:${ZIG_SLOT} + dev-lang/zig:${ZIG_SLOT}${_ZIG_USEDEP} dev-lang/zig-bin:${ZIG_SLOT} ) " @@ -440,6 +454,10 @@ zig-utils_find_installation() { local base_path="${BROOT}/usr/bin" + local -x ZIG_GLOBAL_CACHE_DIR="${T}/zig-detect" + mkdir -p "${ZIG_GLOBAL_CACHE_DIR}" || die + touch "${ZIG_GLOBAL_CACHE_DIR}/empty.zig" || die + local selected_path selected_ver for selected_ver in "${zig_supported_versions[@]}"; do # Check if candidate satisfies ZIG_SLOT condition. @@ -451,6 +469,9 @@ zig-utils_find_installation() { local candidate_path for candidate_path in "${base_path}"/zig{,-bin}-"${selected_ver}"; do if [[ -x "${candidate_path}" ]]; then + if [[ ${ZIG_NEEDS_LLVM} ]]; then + "${candidate_path}" test -fllvm -OReleaseSmall "${ZIG_GLOBAL_CACHE_DIR}/empty.zig" &> /dev/null || continue + fi selected_path="${candidate_path}" break 2 fi diff --git a/eclass/zig.eclass b/eclass/zig.eclass index e838616ef72a..2a0178e66d71 100644 --- a/eclass/zig.eclass +++ b/eclass/zig.eclass 
@@ -520,9 +520,10 @@ zig_src_test() { # by whitespaces is not enough for some cases. # We probably need something like "--list-steps names_only". # In practice, almost nobody sets such names. + # Ignore failures like rare random "error.BrokenPipe" here. + # If they are real, they would appear in "ezig build test" anyway. if grep -q '^[ ]*test[ ]' < <( - nonfatal ezig build --list-steps "${args[@]}" || - die "ZBS: listing steps failed" + nonfatal ezig build --list-steps "${args[@]}" ); then einfo "ZBS: testing with: ${args[@]}" nonfatal ezig build test "${args[@]}" || |