commit:     da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me <AT> rahil <DOT> rocks>
AuthorDate: Fri Mar 22 10:45:37 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 23 08:29:05 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25

app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues

Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
Signed-off-by: Rahil Bhimjiani <me <AT> rahil.rocks>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)

diff --git a/app-containers/buildah/Manifest b/app-containers/buildah/Manifest
index 1cf183235cf6..7e199a5ae97d 100644
--- a/app-containers/buildah/Manifest
+++ b/app-containers/buildah/Manifest
@@ -1,4 +1,6 @@
 DIST buildah-1.33.5.tar.gz 18579521 BLAKE2B 
a59bfda3dea1f588a2f77a26b942da6ae02a00f1169008f776a2d7699b6b14f38ab29b46b7d0651e9fff3f007e5f95caed99952cc7585c25ea2a3153402958e9
 SHA512 
82ddfacd69918fb4ca8110d7d5279f4075385e5db5b64b58cf41a90c47e16093f1e65d8ef20136a4cd8f5c23ea8da7f35fb72581cec6472497b9c5b458023e9c
 DIST buildah-1.33.6.tar.gz 18585405 BLAKE2B 
4a6f6ebfce7799a45b0984b6f9a319becfed87d5acf5f1f784249ff6e5397495ac72c00a22ff0bcc68fd94f1d0a591fa4ac5f0f88bcc9c0a6cdefe117166b4ec
 SHA512 
86eab18af459b0b92361d6e9f56ebe9dab65527d829e7771c13b6c574ef45746a7f53520783ff52978b14aac0d6ee8de32cdabf807666a96dcf46e07e36157e2
+DIST buildah-1.33.7.tar.gz 18604354 BLAKE2B 
d2788096d8d6fd6cc528e8f33edc577778a2775a561ea3c4a983eb4a6fa1d5b570f6d8dc0f77e464d0c242add5d641e20afce83c9f5157021fbc82a009ea47c9
 SHA512 
1248ad1dcf0d10608674543caf4d78f5052db7932102226e23b73add5e129bd8c614672f3d06aa8052675dd83fa83ef2742ef08fe1a883037b41df8fde893ea1
 DIST buildah-1.34.0.tar.gz 18751419 BLAKE2B 
6584c5234e849f9b8cde5e4188791024c8ac5c0ba85859e289f3eb2ec32f97f722ebf25f1291f29e14edf4adc14e19d6a6a76630c820085e9f345736aeb3d4eb
 SHA512 
a3836ce540058f418131969e157d548864727398535e4e99a693d883419b8d764da7166f9b9376c2b9686d8beac101687843c2e93198b16328ef333ad96d55db
+DIST buildah-1.34.3.tar.gz 18856476 BLAKE2B 
c91c995a2ff4be8b4e84a70c581a817cb2f1333b08ca297163d218f80d538905c41718cfc267c03173330234c3476344be44df799eaaac891395a22bc7a020b3
 SHA512 
26d5c48cb5b056a274c1a9c6820a6076337f625fc6dd6683000db871f3de9d37907bd962ced3400334bfc230718219cda2108e2e984be5f8c76ecfa4a2f1e1ac
 DIST buildah-1.35.1.tar.gz 19349661 BLAKE2B 
31b633f35f937364816dac65e7a801676043630bc3c00ac445ad67afea04142748f76c4aed16690aa990e2c15ed220bdb42b96c6dd9bb0dac9c9d16fc2a27ddc
 SHA512 
3e5af28b3d45e51674d08bef9a92cd64589026d9c6ebee51156738151681395860e372bba2667815e0f90e37984eb9dfdc9b8ad0675b62c8751582b29485d159

diff --git a/app-containers/buildah/buildah-1.33.7.ebuild 
b/app-containers/buildah/buildah-1.33.7.ebuild
new file mode 100644
index 000000000000..8d0698568fd3
--- /dev/null
+++ b/app-containers/buildah/buildah-1.33.7.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+DESCRIPTION="A tool that facilitates building OCI images"
+HOMEPAGE="https://github.com/containers/buildah";
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+
+SLOT="0"
+IUSE="apparmor btrfs +seccomp systemd test"
+RESTRICT="test"
+DOCS=(
+       "CHANGELOG.md"
+       "troubleshooting.md"
+       "docs/tutorials"
+)
+
+if [[ ${PV} == 9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/containers/buildah.git";
+else
+       SRC_URI="https://github.com/containers/buildah/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+       KEYWORDS="~amd64 ~arm64"
+fi
+
+RDEPEND="
+       systemd? ( sys-apps/systemd )
+       btrfs? ( sys-fs/btrfs-progs )
+       seccomp? ( sys-libs/libseccomp:= )
+       apparmor? ( sys-libs/libapparmor:= )
+       app-containers/containers-common
+       app-crypt/gpgme:=
+       dev-libs/libgpg-error:=
+       dev-libs/libassuan:=
+       sys-apps/shadow:=
+"
+DEPEND="${RDEPEND}"
+
+pkg_pretend() {
+       local CONFIG_CHECK=""
+       use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+       check_extra_config
+
+       linux_config_exists || ewarn "Cannot determine configuration of your 
kernel."
+}
+
+src_prepare() {
+       default
+
+       # ensure all  necessary files are there
+       local file
+       for file in docs/Makefile hack/libsubid_tag.sh hack/apparmor_tag.sh \
+               hack/systemd_tag.sh btrfs_installed_tag.sh btrfs_tag.sh; do
+               [[ -f "${file}" ]] || die
+       done
+
+       sed -i -e "s|/usr/local|/usr|g" Makefile docs/Makefile || die
+       echo -e '#!/usr/bin/env bash\necho libsubid' > hack/libsubid_tag.sh || 
die
+
+       cat <<-EOF > hack/apparmor_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex apparmor 'echo apparmor' echo)
+       EOF
+
+       use seccomp || {
+               cat <<-'EOF' > "${T}/disable_seccomp.patch"
+                --- a/Makefile
+                +++ b/Makefile
+                @@ -5 +5 @@
+                -SECURITYTAGS ?= seccomp $(APPARMORTAG)
+                +SECURITYTAGS ?= $(APPARMORTAG)
+               EOF
+               eapply "${T}/disable_seccomp.patch" || die
+       }
+
+       cat <<-EOF > hack/systemd_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex systemd 'echo systemd' echo)
+       EOF
+
+       echo -e "#!/usr/bin/env bash\n echo" > btrfs_installed_tag.sh || die
+       cat <<-EOF > btrfs_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+       EOF
+
+       use test || {
+               cat <<-'EOF' > "${T}/disable_tests.patch"
+               --- a/Makefile
+               +++ b/Makefile
+               @@ -54 +54 @@
+               -all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+               +all: bin/buildah docs
+               EOF
+               eapply "${T}/disable_tests.patch" || die
+       }
+
+}
+
+src_compile() {
+       # For non-live versions, prevent git operations which causes sandbox 
violations
+       # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+       [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+       default
+}
+
+src_test() {
+       emake test-unit
+}
+
+src_install() {
+       emake DESTDIR="${ED}" install install.completions
+       einstalldocs
+}
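Review bot: In the `use seccomp ||` block of src_prepare, the five heredoc lines written to `${T}/disable_seccomp.patch` are indented one space deeper than their `cat` line, while the `disable_tests.patch` heredoc further down is aligned with its `cat`; `<<-` strips leading tabs only, so if that space is real rather than a rendering artefact every line of the generated patch begins with a space, and it is worth confirming that eapply still applies it under USE=-seccomp (re-indenting the block to match the tests heredoc removes the doubt). The file-presence loop dies without a message; `[[ -f "${file}" ]] || die "required file ${file} not found"` would name the missing path in the build log. Because this patch is what drops the seccomp build tag, a short comment above the block such as `# dropping the seccomp build tag means buildah applies no seccomp profile to build containers` would make the consequence of USE=-seccomp visible to readers of the ebuild — confirm the exact effect against upstream's build-tag handling before stating it as fact. The buildah-1.34.3.ebuild hunk is byte-identical and carries the same three points.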

diff --git a/app-containers/buildah/buildah-1.34.3.ebuild 
b/app-containers/buildah/buildah-1.34.3.ebuild
new file mode 100644
index 000000000000..8d0698568fd3
--- /dev/null
+++ b/app-containers/buildah/buildah-1.34.3.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+DESCRIPTION="A tool that facilitates building OCI images"
+HOMEPAGE="https://github.com/containers/buildah";
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+
+SLOT="0"
+IUSE="apparmor btrfs +seccomp systemd test"
+RESTRICT="test"
+DOCS=(
+       "CHANGELOG.md"
+       "troubleshooting.md"
+       "docs/tutorials"
+)
+
+if [[ ${PV} == 9999* ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="https://github.com/containers/buildah.git";
+else
+       SRC_URI="https://github.com/containers/buildah/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+       KEYWORDS="~amd64 ~arm64"
+fi
+
+RDEPEND="
+       systemd? ( sys-apps/systemd )
+       btrfs? ( sys-fs/btrfs-progs )
+       seccomp? ( sys-libs/libseccomp:= )
+       apparmor? ( sys-libs/libapparmor:= )
+       app-containers/containers-common
+       app-crypt/gpgme:=
+       dev-libs/libgpg-error:=
+       dev-libs/libassuan:=
+       sys-apps/shadow:=
+"
+DEPEND="${RDEPEND}"
+
+pkg_pretend() {
+       local CONFIG_CHECK=""
+       use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+       check_extra_config
+
+       linux_config_exists || ewarn "Cannot determine configuration of your 
kernel."
+}
+
+src_prepare() {
+       default
+
+       # ensure all  necessary files are there
+       local file
+       for file in docs/Makefile hack/libsubid_tag.sh hack/apparmor_tag.sh \
+               hack/systemd_tag.sh btrfs_installed_tag.sh btrfs_tag.sh; do
+               [[ -f "${file}" ]] || die
+       done
+
+       sed -i -e "s|/usr/local|/usr|g" Makefile docs/Makefile || die
+       echo -e '#!/usr/bin/env bash\necho libsubid' > hack/libsubid_tag.sh || 
die
+
+       cat <<-EOF > hack/apparmor_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex apparmor 'echo apparmor' echo)
+       EOF
+
+       use seccomp || {
+               cat <<-'EOF' > "${T}/disable_seccomp.patch"
+                --- a/Makefile
+                +++ b/Makefile
+                @@ -5 +5 @@
+                -SECURITYTAGS ?= seccomp $(APPARMORTAG)
+                +SECURITYTAGS ?= $(APPARMORTAG)
+               EOF
+               eapply "${T}/disable_seccomp.patch" || die
+       }
+
+       cat <<-EOF > hack/systemd_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex systemd 'echo systemd' echo)
+       EOF
+
+       echo -e "#!/usr/bin/env bash\n echo" > btrfs_installed_tag.sh || die
+       cat <<-EOF > btrfs_tag.sh || die
+       #!/usr/bin/env bash
+       $(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+       EOF
+
+       use test || {
+               cat <<-'EOF' > "${T}/disable_tests.patch"
+               --- a/Makefile
+               +++ b/Makefile
+               @@ -54 +54 @@
+               -all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+               +all: bin/buildah docs
+               EOF
+               eapply "${T}/disable_tests.patch" || die
+       }
+
+}
+
+src_compile() {
+       # For non-live versions, prevent git operations which causes sandbox 
violations
+       # https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+       [[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+       default
+}
+
+src_test() {
+       emake test-unit
+}
+
+src_install() {
+       emake DESTDIR="${ED}" install install.completions
+       einstalldocs
+}
