commit: c70dfe8df5ed253df6872e602acc6406d0724b7d Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Wed Jan 28 08:40:18 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Jan 28 08:41:14 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c70dfe8d
net-vpn/tor: fix build w/ glibc-2.43 Closes: https://bugs.gentoo.org/969299 Signed-off-by: Sam James <sam <AT> gentoo.org> net-vpn/tor/files/tor-0.4.8.21-glibc-2.43.patch | 112 +++++++++++++ net-vpn/tor/tor-0.4.8.21-r1.ebuild | 203 ++++++++++++++++++++++++ 2 files changed, 315 insertions(+)
diff --git a/net-vpn/tor/files/tor-0.4.8.21-glibc-2.43.patch b/net-vpn/tor/files/tor-0.4.8.21-glibc-2.43.patch
new file mode 100644
index 000000000000..774579e8ba8e
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.8.21-glibc-2.43.patch
@@ -0,0 +1,112 @@
+https://bugs.gentoo.org/969299
+https://gitlab.torproject.org/tpo/core/tor/-/commit/795ed4df0824349fc94a37efe36d2a1beb5146f7
+https://gitlab.torproject.org/tpo/core/tor/-/commit/1e372424921730a7ebd7d086fc7faa81878f3f51
+
+From 795ed4df0824349fc94a37efe36d2a1beb5146f7 Mon Sep 17 00:00:00 2001
+From: mh <[email protected]>
+Date: Thu, 27 Nov 2025 10:53:10 +0100
+Subject: [PATCH] Fix #41170 - include signal.h if enabling seccomp
+
+Newer glibcs (from 6f120faf649f03a261e3e64d5b5991030383c1b3 on) define
+`SYS_SECCOMP` to an enum.
+
+* https://gitlab.torproject.org/tpo/core/tor/-/issues/41170#note_3290238
+* https://github.com/bminor/glibc/commit/6f120faf649f03a261e3e64d5b5991030383c1b3
+---
+ src/lib/sandbox/sandbox.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/lib/sandbox/sandbox.h b/src/lib/sandbox/sandbox.h
+index 17d32d16de..a43eef12d2 100644
+--- a/src/lib/sandbox/sandbox.h
++++ b/src/lib/sandbox/sandbox.h
+@@ -16,6 +16,9 @@
+ #include "lib/cc/torint.h"
+
+ #ifndef SYS_SECCOMP
++#ifdef HAVE_SIGNAL_H
++#include <signal.h>
++#endif
+
+ /**
+ * Used by SIGSYS signal handler to check if the signal was issued due to a
+--
+GitLab
+
+From 1e372424921730a7ebd7d086fc7faa81878f3f51 Mon Sep 17 00:00:00 2001
+From: Sam James <[email protected]>
+Date: Tue, 27 Jan 2026 11:14:13 +0000
+Subject: [PATCH] Fix -Wdiscarded-qualifiers with glibc-2.43
+
+glibc-2.43 implements C23's const-preserving macros for stdlib functions,
+which exposes some -Wdiscarded-qualifiers (missing consts) for us to fix.
+
+Fixes https://gitlab.torproject.org/tpo/core/tor/-/issues/41198
+---
+ src/core/or/versions.c | 2 +-
+ src/feature/dircommon/directory.c | 2 +-
+ src/lib/fs/path.c | 3 ++-
+ src/test/test_util.c | 6 +++---
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/core/or/versions.c b/src/core/or/versions.c
+index b1d31f8c6a..771b2604c8 100644
+--- a/src/core/or/versions.c
++++ b/src/core/or/versions.c
+@@ -286,7 +286,7 @@ tor_version_parse(const char *s, tor_version_t *out)
+ cp += 2;
+ out->svn_revision = (int) strtol(cp,&eos,10);
+ } else if (!strcmpstart(cp, "(git-")) {
+- char *close_paren = strchr(cp, ')');
++ const char *close_paren = strchr(cp, ')');
+ int hexlen;
+ char digest[DIGEST_LEN];
+ if (! close_paren)
+diff --git a/src/feature/dircommon/directory.c b/src/feature/dircommon/directory.c
+index 06fbfd8d5d..6b5c38c7c1 100644
+--- a/src/feature/dircommon/directory.c
++++ b/src/feature/dircommon/directory.c
+@@ -360,7 +360,7 @@ http_get_header(const char *headers, const char *which)
+ const char *cp = headers;
+ while (cp) {
+ if (!strcasecmpstart(cp, which)) {
+- char *eos;
++ const char *eos;
+ cp += strlen(which);
+ if ((eos = strchr(cp,'\r')))
+ return tor_strndup(cp, eos-cp);
+diff --git a/src/lib/fs/path.c b/src/lib/fs/path.c
+index 8194d920ab..223bca4d7f 100644
+--- a/src/lib/fs/path.c
++++ b/src/lib/fs/path.c
+@@ -108,7 +108,8 @@ expand_filename(const char *filename)
+ rest = strlen(filename)>=2?(filename+2):"";
+ } else {
+ #ifdef HAVE_PWD_H
+- char *username, *slash;
++ char *username;
++ const char *slash;
+ slash = strchr(filename, '/');
+ if (slash)
+ username = tor_strndup(filename+1,slash-filename-1);
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index 391c3d07c1..b5452c2cd0 100644
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -4173,11 +4173,11 @@ test_util_find_str_at_start_of_line(void *ptr)
+ "howdy world. how are you? i hope it's fine.\n"
+ "hello kitty\n"
+ "third line";
+- char *line2 = strchr(long_string,'\n')+1;
+- char *line3 = strchr(line2,'\n')+1;
++ const char *line2 = strchr(long_string,'\n')+1;
++ const char *line3 = strchr(line2,'\n')+1;
+ const char *short_string = "hello kitty\n"
+ "second line\n";
+- char *short_line2 = strchr(short_string,'\n')+1;
++ const char *short_line2 = strchr(short_string,'\n')+1;
+
+ (void)ptr;
+
+--
+GitLab
diff --git a/net-vpn/tor/tor-0.4.8.21-r1.ebuild b/net-vpn/tor/tor-0.4.8.21-r1.ebuild
new file mode 100644
index 000000000000..0cedb02b795c
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.8.21-r1.ebuild
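Review bot: In the sandbox.h part of the backport, the added `#include <signal.h>` sits below `#ifndef SYS_SECCOMP`, so the guard is evaluated before glibc's header has been read and cannot notice a `SYS_SECCOMP` that glibc supplies as a macro. The fallback definition that this guard presumably protects lies outside the hunk, so whether this ends in a macro redefinition warning with glibc-2.43 cannot be confirmed from here. Placing the three lines `#ifdef HAVE_SIGNAL_H` / `#include <signal.h>` / `#endif` above the guard would let the check see the libc definition first. Because this file mirrors upstream commit 795ed4df0824349fc94a37efe36d2a1beb5146f7, the reordering is best proposed upstream rather than carried as a local difference.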
@@ -0,0 +1,203 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..14} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
+ inherit autotools git-r3
+else
+ SRC_URI="
+ https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? (
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+ )
+ "
+
+ S="${WORKDIR}/${MY_PF}"
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ fi
+
+ BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20250713 )"
+fi
+
+# BSD in general, but for PoW, needs --enable-gpl (GPL-3 per --version)
+# We also already had GPL-2 listed here for the init script, but obviously
+# that's different from the actual binary.
+LICENSE="BSD GPL-2 GPL-3"
+SLOT="0"
+IUSE="caps doc hardened lzma +man scrypt seccomp selinux +server systemd test zstd"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ >=dev-libs/libevent-2.1.12-r1:=[ssl]
+ dev-libs/openssl:=[-bindist(-)]
+ virtual/zlib:=
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd:= )
+ zstd? ( app-arch/zstd:= )
+"
+DEPEND="
+ ${RDEPEND}
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )
+"
+RDEPEND+="
+ acct-user/tor
+ acct-group/tor
+ selinux? ( sec-policy/selinux-tor )
+"
+BDEPEND+="
+ acct-user/tor
+ acct-group/tor
+"
+
+DOCS=()
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PN}-0.4.8.21-glibc-2.43.patch
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+ # test correctly fails because -lnacl fails if not available
+ # https://bugs.gentoo.org/900092
+ crypto_scalarmult_curve25519
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999 ]] ; then
+ git-r3_src_unpack
+ else
+ if use verify-sig; then
+ cd "${DISTDIR}" || die
+ verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+ verify-sig_verify_unsigned_checksums \
+ ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+ cd "${WORKDIR}" || die
+ fi
+
+ default
+ fi
+}
+
+src_prepare() {
+ default
+
+ # Running shellcheck automagically isn't useful for ebuild testing.
+ echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ export tor_cv_PYTHON="${EPYTHON}"
+ # Already set by default in profiles for our toolchain
+ export tor_cv_cflags__fcf_protection_full=no
+ export tor_cv_cflags__mbranch_protection_standard=no
+
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}/var"
+ --disable-all-bugs-are-fatal
+ --enable-system-torrc
+ --disable-android
+ --disable-coverage
+ --disable-html-manual
+ --disable-libfuzzer
+ --enable-missing-doc-warnings
+ --disable-module-dirauth
+ --enable-pic
+ --disable-restart-debugging
+
+ # Unless someone asks & has a compelling reason, just always
+ # build in GPL mode for pow, given we don't want yet another USE
+ # flag combination to have to test just for the sake of it.
+ # (PoW requires GPL.)
+ --enable-gpl
+ --enable-module-pow
+
+ $(use_enable hardened gcc-hardening)
+ $(use_enable hardened linker-hardening)
+ $(use_enable man asciidoc)
+ $(use_enable man manpage)
+ $(use_enable lzma)
+ $(use_enable scrypt libscrypt)
+ $(use_enable seccomp)
+ $(use_enable server module-relay)
+ $(use_enable systemd)
+ $(use_enable test unittests)
+ $(use_enable zstd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ local skip_tests=(
+ # Fails in sandbox
+ :sandbox/open_filename
+ :sandbox/openat_filename
+ )
+
+ if use arm ; then
+ skip_tests+=(
+ # bug #920905
+ # https://gitlab.torproject.org/tpo/core/tor/-/issues/40912
+ :sandbox/opendir_dirname
+ :sandbox/openat_filename
+ :sandbox/chmod_filename
+ :sandbox/chown_filename
+ :sandbox/rename_filename
+ )
+ fi
+
+ # The makefile runs these by parallel by chunking them with a script
+ # but that means we lose verbosity and can't skip individual tests easily
+ # either.
+ edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}
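Review bot: In src_configure, the two `tor_cv_cflags__*=no` exports appear to pre-seed tor's configure probes for `-fcf-protection=full` and `-mbranch-protection=standard` as failed, so whether the daemon gets these control-flow protections depends entirely on the toolchain defaults that the one-line comment refers to. A build with a compiler that lacks those defaults would yield a network-facing binary without them, and nothing in the build log would say so. `$(use_enable hardened gcc-hardening)` carries the same dependence when USE=hardened is off. I would spell that out in the comment, e.g. `# Skip tor's own probes; CET/branch protection then comes only from the toolchain defaults set in profiles.`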
