<feed xmlns='http://www.w3.org/2005/Atom'>
<title>staging/rmilecki/target/imagebuilder, branch master</title>
<subtitle>Rafal Milecki's staging tree</subtitle>
<id>https://git.openwrt.org/openwrt/staging/rmilecki/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/openwrt/staging/rmilecki/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/'/>
<updated>2020-12-29T00:07:42Z</updated>
<entry>
<title>imagebuilder: invoke bundle-libraries.sh w/o buildroot dirs in $PATH</title>
<updated>2020-12-29T00:07:42Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2020-12-29T00:03:20Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=6a46615f372c02650f290614a8c5351bbadc80ed'/>
<id>urn:sha1:6a46615f372c02650f290614a8c5351bbadc80ed</id>
<content type='text'>
Invoke bundle-libraries.sh with any buildroot related directory entries
removed from $PATH to avoid picking up cross versions of utilities like
ldd which will not properly work when used against host executables.

This should fix executable bundling for glibc-target imagebuilders.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>imagebuilder: fix partition signature</title>
<updated>2020-11-25T00:46:05Z</updated>
<author>
<name>Matthew Gyurgyik</name>
</author>
<published>2020-11-13T19:21:29Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=aab36200e7eb539afb18df74476132f4750a9f0b'/>
<id>urn:sha1:aab36200e7eb539afb18df74476132f4750a9f0b</id>
<content type='text'>
When building images with the imagebuilder, the partition signature
never changes. The signature is generated by hashing SOURCE_DATE_EPOCH
and LINUX_VERMAGIC which are undefined. Prepopulate these variables, as
done by the SDK.

Signed-off-by: Matthew Gyurgyik &lt;matthew@gyurgyik.io&gt;
</content>
</entry>
<entry>
<title>imagebuilder: fix main entry makefile</title>
<updated>2020-11-23T03:13:46Z</updated>
<author>
<name>Paulo Machado</name>
</author>
<published>2020-11-22T14:23:27Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=b19a684f461977f1ff8218b28d5b191ec747c3d5'/>
<id>urn:sha1:b19a684f461977f1ff8218b28d5b191ec747c3d5</id>
<content type='text'>
Remove a syntax error from ImageBuilder Makefile

Acked-by: Paul Spooren &lt;mail@aparcar.org&gt;
Signed-off-by: Paulo Machado &lt;pffmachado@yahoo.com&gt;
</content>
</entry>
<entry>
<title>imagebuilder: add package signature verification</title>
<updated>2020-11-19T22:15:00Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-11-02T22:15:05Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=418362b1cc106b9aca3905150199f60548906fff'/>
<id>urn:sha1:418362b1cc106b9aca3905150199f60548906fff</id>
<content type='text'>
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.

Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.

To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.

This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.

The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are the same as in
shipped images (stored at `/etc/opkg/keys/`).

To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.

The new option `ADD_LOCAL_KEY` allows adding the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilder's local key.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>imagebuilder: fix sstrip</title>
<updated>2020-11-09T10:54:30Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-11-02T21:35:39Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=2e282537d00267774526ea5b4386ea3167b69c6a'/>
<id>urn:sha1:2e282537d00267774526ea5b4386ea3167b69c6a</id>
<content type='text'>
Without an absolute path to staging_dir/host/bin/sstrip the Makefile
tries to run a host installed version of sstrip, which is likely not
available.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>build,IB: reload packages/ only if existing</title>
<updated>2020-10-30T00:39:09Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-10-17T20:06:03Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=04757f964b9dd4190b27d51914a4c0053d4a38cd'/>
<id>urn:sha1:04757f964b9dd4190b27d51914a4c0053d4a38cd</id>
<content type='text'>
With the fix of external kmod feeds it is possible to ship the
ImageBuilder without any packages except the pseudo packages kernel and
libc. Therefore the local package feed becomes optional.

This commit adds a check to the package_reload function to only run if
the local feed exists.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>build,IB: include kmods only in local builds</title>
<updated>2020-10-30T00:39:09Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-09-15T22:44:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=2999f810ff2c968e6bbe5b2fd32cfbd80f83570a'/>
<id>urn:sha1:2999f810ff2c968e6bbe5b2fd32cfbd80f83570a</id>
<content type='text'>
The buildbots generate a kmod archive which should be used instead of a
local copy. This is possible due to the introduction of a kernelversion
specific feed.

This commit adds the ability of using only signed package feeds.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>imagebuilder: add missing libfakeroot files</title>
<updated>2020-09-28T23:06:32Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-09-27T21:50:40Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=29fd93da1455910d961c0a0e2d081c3620eec4a3'/>
<id>urn:sha1:29fd93da1455910d961c0a0e2d081c3620eec4a3</id>
<content type='text'>
The `libfakeroot` files are currently missing in the ImageBuilder. As
`fakeroot` is always built, copy those files unconditionally.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>build: add whatdepends target to imagebuilder</title>
<updated>2020-08-31T10:18:24Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-08-21T01:44:51Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=84024e245f346cdf1da955cea4ab4c2c0a0886b2'/>
<id>urn:sha1:84024e245f346cdf1da955cea4ab4c2c0a0886b2</id>
<content type='text'>
The package manager `opkg` offers the function `whatdepends` to print
packages that depend on a specific package.

This feature is useful when used in a CI to not only build an upgraded
package but all packages with a dependency.

Usage:
    make whatdepends PACKAGE=libipset

The resulting list can be fed into an SDK building all packages and warn
if anything fails.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>build: SDK/IB reproducible and faster compression</title>
<updated>2020-08-23T16:55:49Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2020-08-13T23:46:43Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/rmilecki/commit/?id=8c9a7881729d82afefc74a8c6e552b20b722b011'/>
<id>urn:sha1:8c9a7881729d82afefc74a8c6e552b20b722b011</id>
<content type='text'>
Both IB and SDK now use the same logic for packing.

This commit adds reproducible multithread compression to the SDK and
corrects the file mtime for both. Previously all files were just copied
over from the build system, generating random mtimes.

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
</feed>
