Skip to content

Commit f155ecf

Browse files
PastaPastaPastaPastaPastaPasta
committed
1edd121 merge bitcoin#29987: build with glibc 2.31 (Kittywhiskers Van Gogh) 0949825 revert: add exception for 32-bit ARM builds which need glibc 2.28 (Kittywhiskers Van Gogh) 0ac2531 merge bitcoin#28328: update time-machine (Kittywhiskers Van Gogh) ef9c4bd merge bitcoin#28324: pre time-machine bump changes (Linux) (Kittywhiskers Van Gogh) b45a127 merge bitcoin#28294: pre time-machine bump changes (Windows) (Kittywhiskers Van Gogh) ed1f7fe merge bitcoin#28069: Remove librt usage from release binaries (Kittywhiskers Van Gogh) 5d51aa9 merge bitcoin#27811: Clean up manifest (Kittywhiskers Van Gogh) d439e46 merge bitcoin#27813: Update `python-lief` package to 0.13.2 (Kittywhiskers Van Gogh) 70e6283 merge bitcoin#27179: use osslsigncode 2.5 (Kittywhiskers Van Gogh) 3799509 merge bitcoin#27296: import/sync python-lief (0.12.3) package definition from upstream (Kittywhiskers Van Gogh) ac8bd5a refactor: move lief definitions to expected location (Kittywhiskers Van Gogh) eb0ae08 merge bitcoin#26470: Clean up `libexec/build.sh` (Kittywhiskers Van Gogh) d3d7a05 merge bitcoin#24031: don't compress macOS DMG (Kittywhiskers Van Gogh) 6a54603 merge bitcoin#27670: remove redundant glibc patches (Kittywhiskers Van Gogh) 0c988f0 merge bitcoin#21089: Add support for powerpc64{,le} (Kittywhiskers Van Gogh) 808d215 fix: set correct locale in guix ci container (UdjinM6) Pull request description: ## Motivation In preparation for migrating to C++20 and bumping our minimum required compiler to ensure that we have access to greater portions of the C++20 spec, this pull request first of two pull requests aiming to upgrade our Guix setup to use GCC 12 (and GCC 11 for the macOS toolchain). Upgrades to the Clang toolchain for macOS and moving to GCC 12 for the macOS toolchain will be addressed in a separate pull request as the latter requires [bitcoin#21778](bitcoin#21778), which is well outside the scope of this PR. ## Additional Notes * Dependency for dashpay#6383 * Newer versions of GCC will not behave as expected with `test-security-check.py` as the stack protector (listed as `Canary` in the test) now behaves as expected and no longer fails. This causes an error when running it as the test expects failure (see below). This isn't an issue upstream as they backported [bitcoin#29987](bitcoin#29987), which gets rid of those tests ([source](bitcoin@b5fc6d4#diff-52aa0cda44721f089e53b128cb1232a876006ef257b211655456b17dfb2ec712)). Therefore, we have backported that pull request as well. <details> <summary>Build failure:</summary> ``` ====================================================================== FAIL: test_ELF (__main__.TestSecurityChecks) ---------------------------------------------------------------------- Traceback (most recent call last): File "/distsrc-base/distsrc-22.0.0-beta.1-70-g7907fab39c17-x86_64-linux-gnu/./contrib/devtools/test-security-check.py", line 61, in test_ELF self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']), AssertionError: Tuples differ: (1, 'test1: failed PIE NX RELRO CONTROL_FLOW') != (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW') First differing element 1: 'test1: failed PIE NX RELRO CONTROL_FLOW' 'test1: failed PIE NX RELRO Canary CONTROL_FLOW' - (1, 'test1: failed PIE NX RELRO CONTROL_FLOW') + (1, 'test1: failed PIE NX RELRO Canary CONTROL_FLOW') ? +++++++ ---------------------------------------------------------------------- Ran 1 test in 0.126s FAILED (failures=1) ``` </details> * The backport has the effect of bumping the target glibc version to 2.31, which as the release notes say, cuts off support for RHEL 8 and Ubuntu 18.04 LTS (`bionic`) (i.e. our Guix binaries won't run on these distros anymore, users running those distros will have to compile it themselves). This shouldn't be a problem as full support for RHEL 8 ended May 31, 2024 ([source](https://access.redhat.com/support/policy/updates/errata#Life_Cycle_Dates)) and standard support for `bionic` ended April 2023 ([source](https://ubuntu.com/about/release-cycle)). **Dash Core will still work on Ubuntu 20.04 LTS (`focal`) as it ships with glibc 2.31 ([source](https://packages.ubuntu.com/focal/glibc-doc))** ## Breaking Changes None expected ## Checklist: - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas **(note: N/A)** - [x] I have added or updated relevant unit/integration/functional/e2e tests - [x] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ ACKs for top commit: UdjinM6: utACK 1edd121 Tree-SHA512: 194a35a72ede5fb5488cdc41eb15320df7a5fa1fb8815c7342dd15b3983efff417fb1a525fdf497a98ede91958d0a5ed18f3e5f0f27c5cbc5dc25eb58116dbd5
2 parents a8e2316 + 1edd121 commit f155ecf

28 files changed

+222
-752
lines changed

.gitignore

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,6 @@ libconftest.dylib*
7676
*.log
7777
*.trs
7878
*.dmg
79-
*.iso
8079

8180
*.json.h
8281
*.raw.h

Makefile.am

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ if ENABLE_MAN
1313
SUBDIRS += doc/man
1414
endif
1515
.PHONY: deploy FORCE
16-
.INTERMEDIATE: $(OSX_TEMP_ISO) $(COVERAGE_INFO)
16+
.INTERMEDIATE: $(COVERAGE_INFO)
1717

1818
export PYTHONPATH
1919

@@ -37,7 +37,6 @@ space := $(empty) $(empty)
3737
OSX_APP=Dash-Qt.app
3838
OSX_VOLNAME = $(subst $(space),-,$(PACKAGE_NAME))
3939
OSX_DMG = $(OSX_VOLNAME).dmg
40-
OSX_TEMP_ISO = $(OSX_DMG:.dmg=).temp.iso
4140
OSX_DEPLOY_SCRIPT=$(top_srcdir)/contrib/macdeploy/macdeployqtplus
4241
OSX_INSTALLER_ICONS=$(top_srcdir)/src/qt/res/icons/dash.icns
4342
OSX_PLIST=$(top_builddir)/share/qt/Info.plist #not installed
@@ -127,19 +126,15 @@ deploydir: $(OSX_DMG)
127126
else !BUILD_DARWIN
128127
APP_DIST_DIR=$(top_builddir)/dist
129128

130-
$(OSX_TEMP_ISO): $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt
129+
$(OSX_DMG): deploydir
131130
$(XORRISOFS) -D -l -V "$(OSX_VOLNAME)" -no-pad -r -dir-mode 0755 -o $@ $(APP_DIST_DIR) -- $(if $(SOURCE_DATE_EPOCH),-volume_date all_file_dates =$(SOURCE_DATE_EPOCH))
132131

133-
$(OSX_DMG): $(OSX_TEMP_ISO)
134-
$(DMG) dmg "$<" "$@"
135-
136132
$(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt: $(OSX_APP_BUILT) $(OSX_PACKAGING)
137133
INSTALLNAMETOOL=$(INSTALLNAMETOOL) OTOOL=$(OTOOL) STRIP=$(STRIP) $(PYTHON) $(OSX_DEPLOY_SCRIPT) $(OSX_APP) $(OSX_VOLNAME) -translations-dir=$(QT_TRANSLATION_DIR)
138134

139135
deploydir: $(APP_DIST_DIR)/$(OSX_APP)/Contents/MacOS/Dash-Qt
140136
endif !BUILD_DARWIN
141137

142-
appbundle: $(OSX_APP_BUILT)
143138
deploy: $(OSX_DMG)
144139
endif
145140

configure.ac

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -846,7 +846,6 @@ case $host in
846846
AC_PATH_TOOL([INSTALLNAMETOOL], [install_name_tool], install_name_tool)
847847
AC_PATH_TOOL([OTOOL], [otool], otool)
848848
AC_PATH_PROGS([XORRISOFS], [xorrisofs], xorrisofs)
849-
AC_PATH_PROGS([DMG], [dmg], dmg)
850849

851850
dnl libtool will try to strip the static lib, which is a problem for
852851
dnl cross-builds because strip attempts to call a hard-coded ld,
@@ -960,8 +959,6 @@ if test x$ac_cv_sys_large_files != x &&
960959
CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
961960
fi
962961

963-
AC_SEARCH_LIBS([clock_gettime],[rt])
964-
965962
if test "x$enable_gprof" = xyes; then
966963
dnl -pg is incompatible with -pie. Since hardening and profiling together doesn't make sense,
967964
dnl we simply make them mutually exclusive here. Additionally, hardened toolchains may force

contrib/containers/ci/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ RUN pip3 install \
7676
codespell==1.17.1 \
7777
flake8==3.8.3 \
7878
jinja2 \
79-
lief==0.12.1 \
79+
lief==0.13.2 \
8080
pyzmq \
8181
vulture==2.3 \
8282
mypy==0.781 \

contrib/containers/guix/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ ENV PATH="/usr/local/bin:/usr/local/guix/current/bin:$PATH"
3131
# Application Setup
3232
# https://guix.gnu.org/manual/en/html_node/Application-Setup.html
3333
ENV GUIX_LOCPATH="/usr/local/guix/profile" \
34-
LC_ALL="C"
34+
LC_ALL="en_US.UTF-8"
3535

3636
RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz && \
3737
eval "guix_checksum=\${guix_checksum_$(uname -m)}" && \

contrib/devtools/security-check.py

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,7 @@ def check_ELF_control_flow(binary) -> bool:
113113
main = binary.get_function_address('main')
114114
content = binary.get_content_from_virtual_address(main, 4, lief.Binary.VA_TYPES.AUTO)
115115

116-
if content == [243, 15, 30, 250]: # endbr64
116+
if content.tolist() == [243, 15, 30, 250]: # endbr64
117117
return True
118118
return False
119119

@@ -142,7 +142,7 @@ def check_PE_control_flow(binary) -> bool:
142142

143143
content = binary.get_content_from_virtual_address(virtual_address, 4, lief.Binary.VA_TYPES.VA)
144144

145-
if content == [243, 15, 30, 250]: # endbr64
145+
if content.tolist() == [243, 15, 30, 250]: # endbr64
146146
return True
147147
return False
148148

@@ -190,7 +190,7 @@ def check_MACHO_control_flow(binary) -> bool:
190190
'''
191191
content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
192192

193-
if content == [243, 15, 30, 250]: # endbr64
193+
if content.tolist() == [243, 15, 30, 250]: # endbr64
194194
return True
195195
return False
196196

contrib/devtools/symbol-check.py

Lines changed: 7 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -15,20 +15,20 @@
1515

1616
import lief
1717

18-
# Debian 11 (Bullseye) EOL: est. 2026 https://wiki.debian.org/LTS
18+
# Debian 11 (Bullseye) EOL: 2026. https://wiki.debian.org/LTS
1919
#
20-
# - libgcc version 10.2.1 (https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=libgcc-s1)
21-
# - libc version 2.31 (https://packages.debian.org/search?suite=bullseye&arch=any&searchon=names&keywords=libc6)
20+
# - libgcc version 10.2.1 (https://packages.debian.org/bullseye/libgcc-s1)
21+
# - libc version 2.31 (https://packages.debian.org/source/bullseye/glibc)
2222
#
2323
# Ubuntu 20.04 (Focal) EOL: 2030. https://wiki.ubuntu.com/ReleaseTeam
2424
#
25-
# - libgcc version 10.3.0 (https://packages.ubuntu.com/focal/libgcc1)
25+
# - libgcc version 10.5.0 (https://packages.ubuntu.com/focal/libgcc1)
2626
# - libc version 2.31 (https://packages.ubuntu.com/focal/libc6)
2727
#
28-
# CentOS Stream 9 EOL: est. 2027 https://www.centos.org/cl-vs-cs
28+
# CentOS Stream 9 EOL: 2027. https://www.centos.org/cl-vs-cs/#end-of-life
2929
#
30-
# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages)
31-
# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages)
30+
# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
31+
# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
3232
#
3333
# See https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html for more info.
3434

@@ -101,7 +101,6 @@
101101
'libc.so.6', # C library
102102
'libpthread.so.0', # threading
103103
'libm.so.6', # math library
104-
'librt.so.1', # real-time (clock)
105104
'libatomic.so.1',
106105
'ld-linux-x86-64.so.2', # 64-bit dynamic linker
107106
'ld-linux.so.2', # 32-bit dynamic linker

contrib/devtools/test-security-check.py

Lines changed: 17 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -58,32 +58,32 @@ def test_ELF(self):
5858
arch = get_arch(cc, source, executable)
5959

6060
if arch == lief.ARCHITECTURES.X86:
61-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
62-
(1, executable+': failed PIE NX RELRO Canary CONTROL_FLOW'))
63-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
64-
(1, executable+': failed PIE RELRO Canary CONTROL_FLOW'))
65-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
61+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
62+
(1, executable+': failed PIE NX RELRO CONTROL_FLOW'))
63+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
6664
(1, executable+': failed PIE RELRO CONTROL_FLOW'))
67-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
65+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
66+
(1, executable+': failed PIE RELRO CONTROL_FLOW'))
67+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
6868
(1, executable+': failed RELRO CONTROL_FLOW'))
69-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
69+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
7070
(1, executable+': failed separate_code CONTROL_FLOW'))
71-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
71+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
7272
(1, executable+': failed CONTROL_FLOW'))
73-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
73+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
7474
(0, ''))
7575
else:
76-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
77-
(1, executable+': failed PIE NX RELRO Canary'))
78-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
79-
(1, executable+': failed PIE RELRO Canary'))
80-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
76+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
77+
(1, executable+': failed PIE NX RELRO'))
78+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
79+
(1, executable+': failed PIE RELRO'))
80+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
8181
(1, executable+': failed PIE RELRO'))
82-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
82+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
8383
(1, executable+': failed RELRO'))
84-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
84+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
8585
(1, executable+': failed separate_code'))
86-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
86+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
8787
(0, ''))
8888

8989
clean_files(source, executable)

contrib/devtools/test-symbol-check.py

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,6 @@ def test_ELF(self):
3838
executable = 'test1'
3939
cc = determine_wellknown_cmd('CC', 'gcc')
4040

41-
# there's no way to do this test for ARM at the moment; we build for
42-
# ARM in a glibc 2.31 envinonment and we allow all symbols from 2.28.
43-
if 'arm' in get_machine(cc):
44-
self.skipTest("test not available for 32-bit ARM")
45-
4641
# -lutil is part of the libc6 package so a safe bet that it's installed
4742
# it's also out of context enough that it's unlikely to ever become a real dependency
4843
source = 'test2.c'

contrib/guix/guix-build

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ mkdir -p "$VERSION_BASE"
7474
################
7575

7676
# Default to building for all supported HOSTs (overridable by environment)
77-
export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu
77+
export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu
7878
x86_64-w64-mingw32
7979
x86_64-apple-darwin arm64-apple-darwin}"
8080

0 commit comments

Comments
 (0)