-rw-r--r-- | bpkg/auth.cxx | 137 | ||||
-rw-r--r-- | bpkg/buildfile | 11 | ||||
-rwxr-xr-x | bpkg/odb.sh | 11 | ||||
-rw-r--r-- | bpkg/pkg-build-collect.cxx | 6 | ||||
-rw-r--r-- | bpkg/version.hxx.in | 8 | ||||
-rw-r--r-- | doc/manual.cli | 94 | ||||
-rw-r--r-- | manifest | 3 | ||||
-rw-r--r-- | repositories.manifest | 12 |
8 files changed, 183 insertions, 99 deletions
diff --git a/bpkg/auth.cxx b/bpkg/auth.cxx index 663054d..191da0a 100644 --- a/bpkg/auth.cxx +++ b/bpkg/auth.cxx @@ -23,15 +23,15 @@ using namespace butl; namespace bpkg { - static const string openssl_version ("version"); - static const string openssl_pkeyutl ("pkeyutl"); - static const string openssl_rsautl ("rsautl"); - static const string openssl_x509 ("x509"); - - const char* openssl_commands[5] = {openssl_version.c_str (), - openssl_pkeyutl.c_str (), - openssl_rsautl.c_str (), - openssl_x509.c_str (), + static const string openssl_version_cmd ("version"); + static const string openssl_pkeyutl_cmd ("pkeyutl"); + static const string openssl_rsautl_cmd ("rsautl"); + static const string openssl_x509_cmd ("x509"); + + const char* openssl_commands[5] = {openssl_version_cmd.c_str (), + openssl_pkeyutl_cmd.c_str (), + openssl_rsautl_cmd.c_str (), + openssl_x509_cmd.c_str (), nullptr}; // Print process command line. 
@@ -43,9 +43,42 @@ namespace bpkg print_process (args, n); } + // Query the openssl information and return the openssl version. Cache the + // version on the first function call. Fail on the underlying process and IO + // error. Return the 0.0.0 version if unable to parse the openssl stdout. + // + static optional<semantic_version> openssl_ver; + + static const semantic_version& + openssl_version (const common_options& co) + { + const path& openssl_path (co.openssl ()[openssl_version_cmd]); + + if (!openssl_ver) + try + { + optional<openssl_info> oi ( + openssl::info (print_command, 2, openssl_path)); + + openssl_ver = (oi && oi->name == "OpenSSL" + ? move (oi->version) + : semantic_version ()); + } + catch (const process_error& e) + { + fail << "unable to execute " << openssl_path << ": " << e << endf; + } + catch (const io_error& e) + { + fail << "unable to read '" << openssl_path << "' output: " << e + << endf; + } + + return *openssl_ver; + } + // Return true if the openssl version is greater or equal to 3.0.0 and so - // pkeyutl needs to be used instead of rsautl. Cache the result on the first - // function call. + // pkeyutl needs to be used instead of rsautl. // // Note that openssl 3.0.0 deprecates rsautl in favor of pkeyutl. // 
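Review bot: `openssl_version` probes the executable configured for the `version` command (`co.openssl ()[openssl_version_cmd]`), yet its result drives `use_openssl_pkeyutl` and `openssl_warn_stdin`, whose callers run the executables configured for the `pkeyutl`/`rsautl` and `x509` commands (`co.openssl ()[cmd]` and `co.openssl ()[openssl_x509_cmd]` further down in this file); if a user points those at different builds, the version check guards the wrong binary. The cached `openssl_ver` also never records which path it was probed from, so a later call with a differently configured `co` silently reuses the first answer. The previous `use_pkeyutl` code made the same assumptions, so this is presumably accepted, but the new comment should say so: `// Note: assumes the same openssl executable is configured for all commands and is cached per process.`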
@@ -54,37 +87,28 @@ namespace bpkg // (see the 'pkeyutl -verifyrecover error "input data too long to be a // hash"' issue report for details). // - static optional<bool> use_pkeyutl; - - static bool + static inline bool use_openssl_pkeyutl (const common_options& co) { - if (!use_pkeyutl) - { - const path& openssl_path (co.openssl ()[openssl_version]); - - try - { - optional<openssl_info> oi ( - openssl::info (print_command, 2, openssl_path)); - - use_pkeyutl = oi && - oi->name == "OpenSSL" && - oi->version >= semantic_version {3, 0, 0}; - } - catch (const process_error& e) - { - fail << "unable to execute " << openssl_path << ": " << e << endf; - } - catch (const io_error& e) - { - fail << "unable to read '" << openssl_path << "' output: " << e - << endf; - } - } + return openssl_version (co) >= semantic_version {3, 0, 0}; + } - return *use_pkeyutl; + // Return true if some openssl commands (openssl x509 -fingerprint, etc) may + // issue the 'Reading certificate from stdin since no -in or -new option is + // given' warning. This is the case for the openssl version in the [3.2.0 + // 3.3.0) range (see GH issue #353 for details). + // + // Note that there is no easy way to suppress this warning on Windows and + // thus we don't define this function there. + // +#ifndef _WIN32 + static inline bool + openssl_warn_stdin (const common_options& co) + { + const semantic_version& v (openssl_version (co)); + return v >= semantic_version {3, 2, 0} && v < semantic_version {3, 3, 0}; } +#endif // Find the repository location prefix that ends with the version component. // We consider all repositories under this location to be related. 
@@ -190,15 +214,25 @@ namespace bpkg dr << ": " << *e; }; - const path& openssl_path (co.openssl ()[openssl_x509]); - const strings& openssl_opts (co.openssl_option ()[openssl_x509]); + const path& openssl_path (co.openssl ()[openssl_x509_cmd]); + const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]); try { openssl os (print_command, fdstream_mode::text, fdstream_mode::text, 2, - openssl_path, openssl_x509, - openssl_opts, "-sha256", "-noout", "-fingerprint"); + openssl_path, openssl_x509_cmd, + openssl_opts, + "-sha256", + "-noout", + "-fingerprint" +#ifndef _WIN32 + , + (openssl_warn_stdin (co) + ? cstrings ({"-in", "/dev/stdin"}) + : cstrings ()) +#endif + ); os.out << pem; os.out.close (); @@ -288,8 +322,8 @@ namespace bpkg dr << ": " << *e; }; - const path& openssl_path (co.openssl ()[openssl_x509]); - const strings& openssl_opts (co.openssl_option ()[openssl_x509]); + const path& openssl_path (co.openssl ()[openssl_x509_cmd]); + const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]); try { @@ -315,7 +349,7 @@ namespace bpkg openssl os ( print_command, fdstream_mode::text, fdstream_mode::text, 2, - openssl_path, openssl_x509, + openssl_path, openssl_x509_cmd, openssl_opts, "-noout", "-subject", "-dates", "-email", // Previously we have used "RFC2253,sep_multiline" format to display @@ -347,6 +381,13 @@ namespace bpkg // sep_multiline - display field per line. // "-nameopt", "utf8,esc_ctrl,dump_nostr,dump_der,sname,sep_multiline" + +#ifndef _WIN32 + , + (openssl_warn_stdin (co) + ? cstrings ({"-in", "/dev/stdin"}) + : cstrings ()) +#endif ); // We unset failbit to provide the detailed error description (which @@ -877,7 +918,7 @@ namespace bpkg }; bool ku (use_openssl_pkeyutl (co)); - const string& cmd (ku ? openssl_pkeyutl : openssl_rsautl); + const string& cmd (ku ? openssl_pkeyutl_cmd : openssl_rsautl_cmd); const path& openssl_path (co.openssl ()[cmd]); const strings& openssl_opts (co.openssl_option ()[cmd]); 
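Review bot: The `openssl_warn_stdin (co) ? cstrings ({"-in", "/dev/stdin"}) : cstrings ()` argument, together with its `#ifndef _WIN32` guard, is repeated verbatim in the @@ -190 and @@ -347 hunks; a helper next to `openssl_warn_stdin` that returns the extra arguments (empty on Windows) would keep the workaround in one place and let both call sites simply pass `, openssl_stdin_args (co)` without preprocessor blocks. Note also that the workaround makes `openssl x509` open `/dev/stdin` by path, which presumably fails in minimal chroots or containers with no populated `/dev`, where feeding the certificate through the pipe previously worked; a comment on the helper would make that failure mode recognizable. Both enclosing functions start and end outside the hunks.
```cpp
// Return the extra arguments that suppress the 'Reading certificate from
// stdin' warning for the affected openssl versions (see openssl_warn_stdin ()).
// Note that the resulting '-in /dev/stdin' requires a populated /dev.
//
static inline cstrings
openssl_stdin_args (const common_options& co)
{
#ifndef _WIN32
  return openssl_warn_stdin (co)
    ? cstrings ({"-in", "/dev/stdin"})
    : cstrings ();
#else
  return cstrings ();
#endif
}

// … unchanged: the two x509 invocations now pass ", openssl_stdin_args (co)" in place of the #ifndef blocks …
```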
@@ -973,8 +1014,8 @@ namespace bpkg }; const string& cmd (use_openssl_pkeyutl (co) - ? openssl_pkeyutl - : openssl_rsautl); + ? openssl_pkeyutl_cmd + : openssl_rsautl_cmd); const path& openssl_path (co.openssl ()[cmd]); const strings& openssl_opts (co.openssl_option ()[cmd]); diff --git a/bpkg/buildfile b/bpkg/buildfile index 0ba60dc..8836712 100644 --- a/bpkg/buildfile +++ b/bpkg/buildfile @@ -15,15 +15,12 @@ import libs = build2%lib{build2} for m: bash bin c cc cli cxx in version import libs += build2%lib{build2-$m} +# @@ TMP we require libsqlite3 to be interface dependency of libbut-odb only +# for the database migrations to schema versions 13 and 14. +# import libs += libbpkg%lib{bpkg} import libs += libbutl%lib{butl} -import libs += libodb%lib{odb} -import libs += libodb-sqlite%lib{odb-sqlite} - -# @@ TMP Only required for the database migrations to schema versions 13 and -# 14. -# -import libs += libsqlite3%lib{sqlite3} +import libs += libbutl%lib{butl-odb} options_topics = \ bpkg-options \ diff --git a/bpkg/odb.sh b/bpkg/odb.sh index 75c6d2d..1387773 100755 --- a/bpkg/odb.sh +++ b/bpkg/odb.sh @@ -16,8 +16,9 @@ if test -d ../.bdep; then sed -r -ne 's#^(@[^ ]+ )?([^ ]+)/ .*default.*$#\2#p')" fi - inc+=("-I$(echo "$cfg"/libodb-[1-9]*/)") - inc+=("-I$(echo "$cfg"/libodb-sqlite-[1-9]*/)") + # Note: there is nothing generated in libbutl-odb. + # + inc+=("-I../../libbutl/libbutl-odb") inc+=("-I$cfg/libbutl") inc+=("-I../../libbutl") @@ -30,11 +31,7 @@ sed -r -ne 's#^(@[^ ]+ )?([^ ]+)/ .*default.*$#\2#p')" else - inc+=("-I$HOME/work/odb/builds/default/libodb-sqlite-default") - inc+=("-I$HOME/work/odb/libodb-sqlite") - - inc+=("-I$HOME/work/odb/builds/default/libodb-default") - inc+=("-I$HOME/work/odb/libodb") + inc+=("-I../../libbutl/libbutl-odb") inc+=(-I.. -I../../libbpkg -I../../libbutl) diff --git a/bpkg/pkg-build-collect.cxx b/bpkg/pkg-build-collect.cxx index 352fa52..6f1195c 100644 --- a/bpkg/pkg-build-collect.cxx +++ b/bpkg/pkg-build-collect.cxx 
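Review bot: The comment added in the buildfile hunk names the library `libbut-odb`, while the import three lines below reads `libbutl%lib{butl-odb}`; presumably `libbutl-odb` is meant, so the comment should read `# @@ TMP we require libsqlite3 to be an interface dependency of libbutl-odb only`. Since the explicit `libsqlite3%lib{sqlite3}` import is removed in the same hunk, this comment is now the only place recording why the sqlite3 dependency must stay reachable, so getting the name right matters for whoever later drops the TMP workaround.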
@@ -2962,8 +2962,12 @@ namespace bpkg const strings mods {"cc"}; + // Use the *-no-warnings host/build2 configurations since the + // user has no control over such private configurations and + // they are primarily used for consumption. + // const strings vars { - "config.config.load=~" + type, + "config.config.load=~" + type + "-no-warnings", "config.config.persist+='config.*'@unused=drop"}; dir_path cd (bpkg_dir / dir_path (type)); diff --git a/bpkg/version.hxx.in b/bpkg/version.hxx.in index 22da973..603a5f7 100644 --- a/bpkg/version.hxx.in +++ b/bpkg/version.hxx.in @@ -43,14 +43,6 @@ $libbutl.check(LIBBUTL_VERSION, LIBBUTL_SNAPSHOT)$ $libbpkg.check(LIBBPKG_VERSION, LIBBPKG_SNAPSHOT)$ -#include <odb/version.hxx> - -$libodb.check(LIBODB_VERSION, LIBODB_SNAPSHOT)$ - -#include <odb/sqlite/version.hxx> - -$libodb_sqlite.check(LIBODB_SQLITE_VERSION, LIBODB_SQLITE_SNAPSHOT)$ - // User agent. // #if defined(_WIN32) diff --git a/doc/manual.cli b/doc/manual.cli index 4f057f9..64275ce 100644 --- a/doc/manual.cli +++ b/doc/manual.cli @@ -1085,6 +1085,7 @@ license: <licenses> [; <comment>] [build-exclude]: <config>[/<target>] [; <comment>] [build-auxiliary]: <config> [; <comment>] [build-auxiliary-<name>]: <config> [; <comment>] +[build-bot]: <pub-key> [*-build-config]: <args> [; <comment>] @@ -1093,6 +1094,7 @@ license: <licenses> [; <comment>] [*-build-exclude]: <config>[/<target>] [; <comment>] [*-build-auxiliary]: <config> [; <comment>] [*-build-auxiliary-<name>]: <config> [; <comment>] +[*-build-bot]: <pub-key> [*-build-email]: <email> [; <comment>] [*-build-warning-email]: <email> [; <comment>] 
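Review bot: The new `"config.config.load=~" + type + "-no-warnings"` hard-codes the naming of the private `~host-no-warnings`/`~build2-no-warnings` configurations, and the added comment explains why they are preferred but not where they come from; presumably they are provided by the build2 version this commit depends on (see the `build2` dependency in the manifest hunk), which is worth a sentence in the comment, e.g. `// Note: the ~*-no-warnings configurations are provided by build2 (see the build2 dependency in manifest).` The enclosing function starts and ends outside the hunk.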
@@ -2388,7 +2390,8 @@ values can be used to specify auxiliary configurations that provide additional components which are required for building or testing a package and that are impossible or impractical to provide as part of the build configuration itself. For example, a package may need access to a suitably configured -database, such as PostgreSQL, in order to run its tests. +database, such as PostgreSQL, in order to run its tests. Currently no more +than \c{9} auxiliary configurations can be specified. The \i{config} value is a filesystem wildcard patterns which is matched against the auxiliary configuration names (which are in turn derived from @@ -2438,24 +2441,24 @@ DATABASE_NAME=test \ If the auxiliary configuration is specified as \c{build-auxiliary-<name>}, -then capitalized \i{name}_ is used as a prefix in the environment variables -corresponding to the machine. For example, for the auxiliary configurations -specified as: +then capitalized and sanitized \i{name}_ is used as a prefix in the +environment variables corresponding to the machine. For example, for the +auxiliary configurations specified as: \ -build-auxiliary-pgsql: *-postgresql_* -build-auxiliary-mysql: *-mysql_* +build-auxiliary-pg-sql: *-postgresql_* +build-auxiliary-my-sql: *-mysql_* \ The environment variables could be: \ -PGSQL_DATABASE_HOST=192.168.0.1 -PGSQL_DATABASE_PORT=5432 +PG_SQL_DATABASE_HOST=192.168.0.1 +PG_SQL_DATABASE_PORT=5432 ... -MYSQL_DATABASE_HOST=192.168.0.2 -MYSQL_DATABASE_PORT=3306 +MY_SQL_DATABASE_HOST=192.168.0.2 +MY_SQL_DATABASE_PORT=3306 ... \ 
@@ -2473,6 +2476,60 @@ config.hello.pgsql_port=$getenv(DATABASE_PORT) \\ \ +\h2#manifest-package-build-bot|\c{build-bot}| + +\ +[build-bot]: <pub-key> +\ + +The common package build custom bot public key (see \l{bbot \c{build2} build +bot manual} for background). Multiple \c{build-bot} values can be specified to +list several custom build bots. If specified, then such custom bots will be +used instead of (note: not in addition to) the default bots to build this +package. Custom bots can be used, for example, to accommodate packages that +have special requirements, such as proprietary dependencies, and which cannot +be fulfilled using the default bots. The public key should be in the PEM +format. For example: + +\ +build-bot: +\\ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw5liP5pyU9ebC/nD3djZ +1H2dlKmUyiX0Z8POvKhLREd0B3rM59bPcnbRB4HMIhj0J0hUBvS8xb4u5udCPToa +x0A/LMWZ6claiivNtJ3CdLV98eklWdNUg5WXOuqq9QDKXw2ZpGbwDwCOh6aHSWVq +98N9AQx0ZMmMWz3qhRyxPfh+GeJ05uj2ohU9FeUJxeqUcgJT/UcMZ3+7KYbwr+Uq +/HCoX1BmN6nvzhQGHvJIZ2IcjvOQ0AUrPmpSZN01Zr3ZEpkHM3hJWNLu3ntJLGBQ +0aT5kG3iqFyr9q3M3c4J8c0AWrnDjvj0qnCyjNwqW+qIpatmCNT43DmgYr9fQLW0 +UHusburz53AbXs12zu3gZzkb0irlShatkMqqQaqaU0/+zw1LnoZ+rvmn2XV97UuK +LFKMKXCnyi2ZG65IZHGkjBVAPuvsX6RgLNyner/QtkDJTbfhktInbG08dCPqv1EF +1OtcYKMTn8I5P2VmMO6SXXDLMSdU8b5DA5EY6Ca6JBB8g06S9sqGqXgQFysAnZs1 +VFgMopf8WZqj23x+DX+9KKT2pVnjbwRvBAntuCDoO75gWoETDnCQXEei/PbyamPq +9+NjNsTDn67iJTGncZbII+eciY2YiFHm6GMzBPsUYlQcxiuO4X36jW6m2rwuw37K +oFDbGI3uY4LnhwmDFLbjtk8CAwEAAQ== +-----END PUBLIC KEY----- +\\ +\ + +Note that such custom build bots must offer the same set of machines (or a +subset thereof) as the default bots. In other words, you cannot invent new +build configuration names (and the corresponding machines) with custom build +bots \- for that you would need to run your own \c{brep} deployment. 
Note also +that the list of machines offered by custom bots should be consistent with the +build configurations enabled by the package (see \l{#manifest-package-builds +\c{builds}} for details). For example, if the package enables a configuration +that is not offered by any of the custom bots listed, then this configuration +will remain unbuilt forever. + +\N|Note that custom build bot public keys are publicly known and nothing +prevents someone else from specifying your bot's public key in their own +package and thus triggering a build on your bot of a potentially rogue +package. As a result, carefully consider the information that you make +available in your custom machines (which will be easy to exfiltrate) as well +as the environment in which you run your custom bots (which can potentially be +compromised). In the future, \c{bbot} may offer mechanisms to restrict the +names and locations of packages that it is allowed to build.| + \h2#manifest-package-build-config|\c{*-build-config}| @@ -2494,6 +2551,7 @@ config.hello.pgsql_port=$getenv(DATABASE_PORT) [*-build-exclude]: <config>[/<target>] [; <comment>] [*-build-auxiliary]: <config> [; <comment>] [*-build-auxiliary-<name>]: <config> [; <comment>] +[*-build-bot]: <pub-key> [*-build-email]: <email> [; <comment>] [*-build-warning-email]: <email> [; <comment>] @@ -2567,7 +2625,7 @@ Enable load testing. Note that options with values can only be specified using the single argument notation, for example, \c{--verbose=4}. -The package build configuration can also override the common build target +The package build configuration can override the common build target configurations set (specified with \l{#manifest-package-builds \c{builds}} and \l{#manifest-package-include-exclude \c{build-{include, exclude\}}}) by specifying the matching \c{*-builds} and/or \c{*-build-{include, exclude\}} 
@@ -2582,8 +2640,18 @@ Note that the common build target configurations set is overridden hierarchically meaning that the \c{*-build-{include, exclude\}} overrides don't discard the common \c{builds} values. -The package build configuration can also override the common build -notification email addresses (specified with \l{#manifest-package-build-email +The package build configuration can override the common build auxiliary +machines. Note that the auxiliary machine set is overridden entirely, meaning +that specifying one \c{*-build-auxiliary} value discard all the common +\c{build-auxiliary} values for this package configuration. + +The package build configuration can override the common build custom bots. +Note that the custom bot set is overridden entirely, meaning that specifying +one \c{*-build-bot} value discards all the common \c{build-bot} values for +this package configuration. + +The package build configuration can override the common build notification +email addresses (specified with \l{#manifest-package-build-email \c{build-email}}, \l{#manifest-package-warning-email \c{build-warning-email}}, and \l{#manifest-package-error-email \c{build-error-email}}) by specifying the matching \c{*-build-email} and/or \c{*-build-{warning, error\}-email} values. @@ -18,9 +18,6 @@ depends: * build2 >= 0.16.0- depends: * bpkg >= 0.16.0- # @@ DEP Should probably become conditional dependency. #requires: ? cli ; Only required if changing .cli files. -depends: libodb [2.5.0-b.26.1 2.5.0-b.27) -depends: libodb-sqlite [2.5.0-b.26.1 2.5.0-b.27) -depends: libsqlite3 ^3.21.0 ; ATTACH in transaction depends: libbutl [0.17.0-a.0.1 0.17.0-a.1) depends: libbpkg [0.17.0-a.0.1 0.17.0-a.1) depends: build2 [0.17.0-a.0.1 0.17.0-a.1) diff --git a/repositories.manifest b/repositories.manifest index 29cb1cf..5adbbe4 100644 --- a/repositories.manifest +++ b/repositories.manifest 
@@ -12,15 +12,3 @@ location: ../libbutl.git##HEAD
 :
 role: prerequisite
 location: ../libbpkg.git##HEAD
-
-:
-role: prerequisite
-location: https://git.build2.org/packaging/sqlite/sqlite.git##HEAD
-
-:
-role: prerequisite
-location: https://git.codesynthesis.com/odb/libodb.git##HEAD
-
-:
-role: prerequisite
-location: https://git.codesynthesis.com/odb/libodb-sqlite.git##HEAD |