auto/config

   1 #! /bin/sh
   2 # automatically run by "lb config"
   3
   4 set -e
   5 set -u
   6 set -x
   7
   8 . "$(dirname "$0")/scripts/utils.sh"
   9
  10 . config/variables
  11
  12 if [ -n "${SOURCE_DATE_EPOCH}" ]; then
  13     CURRENT_EPOCH="$(date --utc +%s)"
  14     if [ "${SOURCE_DATE_EPOCH}" -gt "${CURRENT_EPOCH}" ]; then
  15         fatal "SOURCE_DATE_EPOCH is set before the current time. Exiting."
  16     fi
  17 else
  18     fatal "SOURCE_DATE_EPOCH is not set. Exiting."
  19 fi
  20
  21 if [ -n "${FEATURE_BRANCH_GIT_COMMIT:-}" ]; then
  22     GIT_SHORT_ID="$(git rev-parse --short=10 "${FEATURE_BRANCH_GIT_COMMIT}")"
  23     GIT_COMMIT="${FEATURE_BRANCH_GIT_COMMIT}"
  24 else
  25     GIT_SHORT_ID="$(git_current_commit --short=10)"
  26     GIT_COMMIT="$(git_current_commit)"
  27 fi
  28
  29
  30 # get git branch or tag so we can set the basename appropriately.
  31 GIT_BRANCH="$(git_current_branch)"
  32 GIT_BASE_BRANCH_COMMIT="$(git rev-parse --verify "$(git_base_branch_head)")"
  33 GIT_BASE_BRANCH_SHORT_ID="$(git rev-parse --verify --short=10 "$(git_base_branch_head)")"
  34 if [ -n "${GIT_BRANCH}" ]; then
  35     CLEAN_GIT_BRANCH=$(echo "$GIT_BRANCH" | sed 's,/,_,g')
  36     BASE_BRANCH_PART=''
  37     if [ "${GIT_BRANCH}" != "$(base_branch)" ]; then
  38         CLEAN_GIT_BASE_BRANCH=$(base_branch | sed 's,/,_,g')
  39         BASE_BRANCH_PART="+${CLEAN_GIT_BASE_BRANCH}@${GIT_BASE_BRANCH_SHORT_ID}"
  40     fi
  41     BUILD_BASENAME="tails-amd64-${CLEAN_GIT_BRANCH}@${GIT_SHORT_ID}${BASE_BRANCH_PART}-${DATETIME_NOW}"
  42 else
  43     if git_on_a_tag; then
  44         CLEAN_GIT_TAG=$(git_current_tag | tr '/-' '_~')
  45         BUILD_BASENAME="tails-amd64-${CLEAN_GIT_TAG}"
  46     else
  47         # this shouldn't reasonably happen (e.g. only if you checkout a
  48         # tag, remove the tag and then build)
  49         fatal "Neither a Git branch nor a tag, exiting."
  50     fi
  51 fi
  52
  53 # save variables that lb build needs
  54 mkdir -p tmp
  55 echo "BUILD_BASENAME='${BUILD_BASENAME}'" > tmp/build_environment
  56
  57 # sanity checks
  58 if grep -qs -E '^Pin:\s+release\s+.*a=' config/chroot_apt/preferences ; then
  59     fatal "Found unsupported a= syntax in config/chroot_apt/preferences," \
  60           "use n= instead. Exiting."
  61 fi
  62 if grep -qs -E '^Pin:\s+release\s+.*o=Debian Backports' \
  63         config/chroot_apt/preferences ; then
  64     fatal "Found unsupported 'o=Debian Backports' syntax," \
  65           "in config/chroot_apt/preferences. Use o=Debian instead. Exiting."
  66 fi
  67 if [ "$(dpkg --print-architecture)" != amd64 ] ; then
  68     fatal "Only amd64 build systems are supported"
  69 fi
  70
  71
  72 # space-separated list of additional packages debootstrap installs
  73 #  - gnupg: needed by apt-key, not installed by default since Buster
  74 export LB_BOOTSTRAP_INCLUDE="gnupg"
  75
  76 # init variables
  77 RUN_LB_CONFIG="lb config noauto"
  78
  79 # init config/ with defaults for the target distribution
  80 $RUN_LB_CONFIG --distribution bookworm "${@}"
  81
  82 # set up everything for time-based snapshots:
  83 if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
  84     echo "I: Fixing 'latest' APT snapshots serials to: '${APT_SNAPSHOTS_SERIALS}'."
  85     apt-snapshots-serials prepare-build "${APT_SNAPSHOTS_SERIALS}"
  86 else
  87     apt-snapshots-serials prepare-build
  88 fi
  89 # record what APT snapshots this build is going to use, so that one
  90 # can try to reproduce it more reliably
  91 JENKINS_ENV_PROPERTIES=tails-build-env.list
  92 {
  93     echo "# This file is in Java property file format"
  94     echo "# (https://en.wikipedia.org/wiki/.properties)"
  95     echo "APT_SNAPSHOTS_SERIALS = $(apt-snapshots-serials cat-json tmp/APT_snapshots.d)"
  96 } >> "$JENKINS_ENV_PROPERTIES"
  97
  98 DEBIAN_MIRROR="$(apt-mirror debian)"
  99 DEBIAN_SECURITY_MIRROR="$(apt-mirror debian-security)"
 100 TORPROJECT_MIRROR="$(apt-mirror torproject)"
 101
 102 [ -n "$DEBIAN_MIRROR" ]          || fatal "\$DEBIAN_MIRROR is empty"
 103 [ -n "$DEBIAN_SECURITY_MIRROR" ] || fatal "\$DEBIAN_SECURITY_MIRROR is empty"
 104 [ -n "$TORPROJECT_MIRROR" ]      || fatal "\$TORPROJECT_MIRROR is empty"
 105
 106 perl -pi \
 107      -E \
 108        "s|^(deb(?:-src)?\s+)https?://ftp[.]us[.]debian[.]org/debian/?(\s+)|\$1$DEBIAN_MIRROR\$2| ; \
 109         s|^(deb(?:-src)?\s+)https?://security[.]debian[.]org/debian-security/?(\s+)|\$1$DEBIAN_SECURITY_MIRROR\$2| ; \
 110         s|^(deb(?:-src)?\s+)https?://deb[.]torproject[.]org/torproject[.]org/?(\s+)|\$1$TORPROJECT_MIRROR\$2|" \
 111     config/chroot_sources/*.chroot \
 112     || fatal "APT mirror substitution failed with exit code $?"
 113
 114 # Adjust live-build to handle the new security suite name
 115 # introduced in Debian Bullseye.
 116 # shellcheck disable=SC2016
 117 sed -i 's@${LB_DISTRIBUTION}/updates@${LB_DISTRIBUTION}-security@' \
 118     /usr/share/live/build/scripts/build/lb_chroot_sources
 119
 120 # set general options
 121 $RUN_LB_CONFIG \
 122    --verbose \
 123    --apt-recommends false \
 124    --architecture amd64 \
 125    --backports false \
 126    --binary-images iso \
 127    --binary-indices false \
 128    --cache          false \
 129    --cache-indices  false \
 130    --cache-packages false \
 131    --cache-stages   false \
 132    --checksums none \
 133    --bootappend-live "${CMDLINE_APPEND}" \
 134    --bootstrap debootstrap \
 135    --bootstrap-config bookworm \
 136    --archive-areas "main contrib non-free non-free-firmware" \
 137    --includes none \
 138    --iso-application="Tails" \
 139    --iso-publisher="https://tails.net/" \
 140    --iso-volume="TAILS ${TAILS_FULL_VERSION}" \
 141    --linux-flavours amd64 \
 142    --memtest none \
 143    --mirror-binary              "$DEBIAN_MIRROR" \
 144    --mirror-bootstrap           "$DEBIAN_MIRROR" \
 145    --mirror-chroot              "$DEBIAN_MIRROR" \
 146    --mirror-binary-security     "$DEBIAN_SECURITY_MIRROR" \
 147    --mirror-chroot-security     "$DEBIAN_SECURITY_MIRROR" \
 148    --packages-lists none \
 149    --tasks none \
 150    --linux-packages="linux-image-${KERNEL_VERSION}" \
 151    --syslinux-menu vesamenu \
 152    --syslinux-splash data/splash.png \
 153    --syslinux-timeout 4 \
 154    --initramfs=live-boot \
 155    "${@}"
 156
 157 install -d config/chroot_local-includes/etc/amnesia/
 158 install -d config/chroot_local-includes/etc/tails/
 159
 160 # environment
 161 TAILS_WIKI_SUPPORTED_LANGUAGES="$(ikiwiki-supported-languages ikiwiki.setup)"
 162 [ -n "$TAILS_WIKI_SUPPORTED_LANGUAGES" ] \
 163    || fatal "\$TAILS_WIKI_SUPPORTED_LANGUAGES is empty"
 164 echo "TAILS_WIKI_SUPPORTED_LANGUAGES='${TAILS_WIKI_SUPPORTED_LANGUAGES}'" \
 165    >> config/chroot_local-includes/etc/tails/environment
 166
 167 # os-release
 168 cat >> config/chroot_local-includes/etc/os-release <<EOF
 169 NAME="Tails"
 170 ID="tails"
 171 ID_LIKE="debian"
 172 PRETTY_NAME="Tails"
 173 VERSION="$TAILS_VERSION"
 174 HOME_URL="https://tails.net/"
 175 SUPPORT_URL="https://tails.net/support/"
 176 BUG_REPORT_URL="https://tails.net/doc/first_steps/whisperback/"
 177 TAILS_DISTRIBUTION="$TAILS_DISTRIBUTION"
 178 TAILS_SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH"
 179 TAILS_GIT_COMMIT="$GIT_COMMIT"
 180 EOF
 181
 182 if [ -n "${GIT_BRANCH}" ]; then
 183     cat >> config/chroot_local-includes/etc/os-release <<EOF
 184 TAILS_GIT_BRANCH="$GIT_BRANCH"
 185 EOF
 186     if [ "$GIT_BRANCH" != "$(base_branch)" ]; then
 187         cat >> config/chroot_local-includes/etc/os-release <<EOF
 188 TAILS_GIT_BASE_BRANCH="$(base_branch)"
 189 TAILS_GIT_BASE_COMMIT="$GIT_BASE_BRANCH_COMMIT"
 190 EOF
 191     fi
 192 else
 193     cat >> config/chroot_local-includes/etc/os-release <<EOF
 194 TAILS_GIT_TAG="$(git_current_tag)"
 195 EOF
 196 fi
 197
 198 # If you update the following regexp, also update it in
 199 # config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/UpgradeDescriptionFile/Generate.pm
 200 if echo "$TAILS_VERSION" | grep -qs -E '~(alpha|beta|rc)[0-9]*$' ; then
 201     echo 'TAILS_CHANNEL="alpha"' >> config/chroot_local-includes/etc/os-release
 202 fi
 203
 204 # changelog
 205 cp debian/changelog config/chroot_local-includes/usr/share/doc/tails/Changelog
 206
 207 # custom APT sources
 208 tails-custom-apt-sources > config/chroot_sources/tails.chroot \
 209    || fatal "tails-custom-apt-sources failed with exit code $?"
 210
 211 # save the original file, shipped by the debootstrap package,
 212 # so we can always apply our debian-common.patch to the original
 213 # version
 214 if ! [ -e /usr/share/debootstrap/scripts/debian-common.bak ]; then
 215    cp -a /usr/share/debootstrap/scripts/debian-common \
 216          /usr/share/debootstrap/scripts/debian-common.bak
 217 fi
 218 # customize debootstrap with some APT magic to log downloads
 219 patch \
 220     --output=/usr/share/debootstrap/scripts/debian-common \
 221     /usr/share/debootstrap/scripts/debian-common.bak \
 222     data/debootstrap/scripts/debian-common.patch
 223 sed -i "s,%%topdir%%,$(pwd)," /usr/share/debootstrap/scripts/debian-common
 224
 225 # Make the python library available in Tails
 226 install -d -m 2777 config/chroot_local-includes/tmp/