auto/config

   1 #! /bin/sh
   2 # automatically run by "lb config"
   3
   4 set -e
   5 set -u
   6 set -x
   7
   8 . "$(dirname "$0")/scripts/utils.sh"
   9
  10 . config/variables
  11
  12 if [ -n "${SOURCE_DATE_EPOCH}" ]; then
  13     CURRENT_EPOCH="$(date --utc +%s)"
  14     if [ "${SOURCE_DATE_EPOCH}" -gt "${CURRENT_EPOCH}" ]; then
  15         fatal "SOURCE_DATE_EPOCH is set before the current time. Exiting."
  16     fi
  17 else
  18     fatal "SOURCE_DATE_EPOCH is not set. Exiting."
  19 fi
  20
  21 if [ -n "${FEATURE_BRANCH_GIT_COMMIT:-}" ]; then
  22     GIT_SHORT_ID="$(git rev-parse --short=10 "${FEATURE_BRANCH_GIT_COMMIT}")"
  23     GIT_COMMIT="${FEATURE_BRANCH_GIT_COMMIT}"
  24 else
  25     GIT_SHORT_ID="$(git_current_commit --short=10)"
  26     GIT_COMMIT="$(git_current_commit)"
  27 fi
  28
  29 # get git branch or tag so we can set the basename appropriately.
  30 GIT_BRANCH="$(git_current_branch)"
  31 GIT_BASE_BRANCH_COMMIT="$(git rev-parse --verify "$(git_base_branch_head)")"
  32 GIT_BASE_BRANCH_SHORT_ID="$(git rev-parse --verify --short=10 "$(git_base_branch_head)")"
  33 if [ -n "${GIT_BRANCH}" ]; then
  34     CLEAN_GIT_BRANCH=$(echo "$GIT_BRANCH" | sed 's,/,_,g')
  35     BASE_BRANCH_PART=''
  36     if [ "${GIT_BRANCH}" != "$(base_branch)" ]; then
  37         CLEAN_GIT_BASE_BRANCH=$(base_branch | sed 's,/,_,g')
  38         BASE_BRANCH_PART="+${CLEAN_GIT_BASE_BRANCH}@${GIT_BASE_BRANCH_SHORT_ID}"
  39     fi
  40     BUILD_BASENAME="tails-amd64-${CLEAN_GIT_BRANCH}@${GIT_SHORT_ID}${BASE_BRANCH_PART}-${DATETIME_NOW}"
  41 else
  42     if git_on_a_tag; then
  43         CLEAN_GIT_TAG=$(git_current_tag | tr '/-' '_~')
  44         BUILD_BASENAME="tails-amd64-${CLEAN_GIT_TAG}"
  45     else
  46         # this shouldn't reasonably happen (e.g. only if you checkout a
  47         # tag, remove the tag and then build)
  48         fatal "Neither a Git branch nor a tag, exiting."
  49     fi
  50 fi
  51
  52 # save variables that lb build needs
  53 mkdir -p tmp
  54 echo "BUILD_BASENAME='${BUILD_BASENAME}'" >tmp/build_environment
  55
  56 # sanity checks
  57 if grep -qs -E '^Pin:\s+release\s+.*a=' config/chroot_apt/preferences; then
  58     fatal "Found unsupported a= syntax in config/chroot_apt/preferences," \
  59         "use n= instead. Exiting."
  60 fi
  61 if grep -qs -E '^Pin:\s+release\s+.*o=Debian Backports' \
  62     config/chroot_apt/preferences; then
  63     fatal "Found unsupported 'o=Debian Backports' syntax," \
  64         "in config/chroot_apt/preferences. Use o=Debian instead. Exiting."
  65 fi
  66 if [ "$(dpkg --print-architecture)" != amd64 ]; then
  67     fatal "Only amd64 build systems are supported"
  68 fi
  69
  70 # space-separated list of additional packages debootstrap installs
  71 #  - gnupg: needed by apt-key, not installed by default since Buster
  72 export LB_BOOTSTRAP_INCLUDE="gnupg"
  73
  74 # init variables
  75 RUN_LB_CONFIG="lb config noauto"
  76
  77 # init config/ with defaults for the target distribution
  78 $RUN_LB_CONFIG --distribution bookworm "${@}"
  79
  80 # set up everything for time-based snapshots:
  81 if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
  82     echo "I: Fixing 'latest' APT snapshots serials to: '${APT_SNAPSHOTS_SERIALS}'."
  83     apt-snapshots-serials prepare-build "${APT_SNAPSHOTS_SERIALS}"
  84 else
  85     apt-snapshots-serials prepare-build
  86 fi
  87 # record what APT snapshots this build is going to use, so that one
  88 # can try to reproduce it more reliably
  89 JENKINS_ENV_PROPERTIES=tails-build-env.list
  90 {
  91     echo "# This file is in Java property file format"
  92     echo "# (https://en.wikipedia.org/wiki/.properties)"
  93     echo "APT_SNAPSHOTS_SERIALS = $(apt-snapshots-serials cat-json tmp/APT_snapshots.d)"
  94 } >>"$JENKINS_ENV_PROPERTIES"
  95
  96 DEBIAN_MIRROR="$(apt-mirror debian)"
  97 DEBIAN_SECURITY_MIRROR="$(apt-mirror debian-security)"
  98 TORPROJECT_MIRROR="$(apt-mirror torproject)"
  99
 100 [ -n "$DEBIAN_MIRROR" ] || fatal "\$DEBIAN_MIRROR is empty"
 101 [ -n "$DEBIAN_SECURITY_MIRROR" ] || fatal "\$DEBIAN_SECURITY_MIRROR is empty"
 102 [ -n "$TORPROJECT_MIRROR" ] || fatal "\$TORPROJECT_MIRROR is empty"
 103
 104 perl -pi \
 105     -E \
 106     "s|^(deb(?:-src)?\s+)https?://ftp[.]us[.]debian[.]org/debian/?(\s+)|\$1$DEBIAN_MIRROR\$2| ; \
 107         s|^(deb(?:-src)?\s+)https?://security[.]debian[.]org/debian-security/?(\s+)|\$1$DEBIAN_SECURITY_MIRROR\$2| ; \
 108         s|^(deb(?:-src)?\s+)https?://deb[.]torproject[.]org/torproject[.]org/?(\s+)|\$1$TORPROJECT_MIRROR\$2|" \
 109     config/chroot_sources/*.chroot ||
 110     fatal "APT mirror substitution failed with exit code $?"
 111
 112 # Adjust live-build to handle the new security suite name
 113 # introduced in Debian Bullseye.
 114 # shellcheck disable=SC2016
 115 sed -i 's@${LB_DISTRIBUTION}/updates@${LB_DISTRIBUTION}-security@' \
 116     /usr/share/live/build/scripts/build/lb_chroot_sources
 117
 118 if [ -n "${KERNEL_VERSION}" ]; then
 119     kernel_package="linux-image-${KERNEL_VERSION}"
 120 else
 121     kernel_package=linux-image
 122 fi
 123
 124 # set general options
 125 $RUN_LB_CONFIG \
 126     --verbose \
 127     --apt-recommends false \
 128     --architecture amd64 \
 129     --backports false \
 130     --binary-images iso \
 131     --binary-indices false \
 132     --cache false \
 133     --cache-indices false \
 134     --cache-packages false \
 135     --cache-stages false \
 136     --checksums none \
 137     --bootappend-live "${CMDLINE_APPEND}" \
 138     --bootstrap debootstrap \
 139     --bootstrap-config bookworm \
 140     --archive-areas "main contrib non-free non-free-firmware" \
 141     --includes none \
 142     --iso-application="Tails" \
 143     --iso-publisher="https://tails.net/" \
 144     --iso-volume="TAILS ${TAILS_FULL_VERSION}" \
 145     --linux-flavours amd64 \
 146     --memtest none \
 147     --mirror-binary "$DEBIAN_MIRROR" \
 148     --mirror-bootstrap "$DEBIAN_MIRROR" \
 149     --mirror-chroot "$DEBIAN_MIRROR" \
 150     --mirror-binary-security "$DEBIAN_SECURITY_MIRROR" \
 151     --mirror-chroot-security "$DEBIAN_SECURITY_MIRROR" \
 152     --packages-lists none \
 153     --tasks none \
 154     --linux-packages="$kernel_package" \
 155     --syslinux-menu vesamenu \
 156     --syslinux-splash data/splash.png \
 157     --syslinux-timeout 4 \
 158     --initramfs=live-boot \
 159     "${@}"
 160
 161 install -d config/chroot_local-includes/etc/amnesia/
 162 install -d config/chroot_local-includes/etc/tails/
 163
 164 # environment
 165 TAILS_WIKI_SUPPORTED_LANGUAGES="$(ikiwiki-supported-languages ikiwiki.setup)"
 166 [ -n "$TAILS_WIKI_SUPPORTED_LANGUAGES" ] ||
 167     fatal "\$TAILS_WIKI_SUPPORTED_LANGUAGES is empty"
 168 echo "TAILS_WIKI_SUPPORTED_LANGUAGES='${TAILS_WIKI_SUPPORTED_LANGUAGES}'" \
 169     >>config/chroot_local-includes/etc/tails/environment
 170
 171 # os-release
 172 cat >>config/chroot_local-includes/etc/os-release <<EOF
 173 NAME="Tails"
 174 ID="tails"
 175 ID_LIKE="debian"
 176 PRETTY_NAME="Tails"
 177 VERSION="$TAILS_VERSION"
 178 HOME_URL="https://tails.net/"
 179 SUPPORT_URL="https://tails.net/support/"
 180 BUG_REPORT_URL="https://tails.net/doc/first_steps/whisperback/"
 181 TAILS_DISTRIBUTION="$TAILS_DISTRIBUTION"
 182 TAILS_SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH"
 183 TAILS_GIT_COMMIT="$GIT_COMMIT"
 184 EOF
 185
 186 if [ -n "${GIT_BRANCH}" ]; then
 187     cat >>config/chroot_local-includes/etc/os-release <<EOF
 188 TAILS_GIT_BRANCH="$GIT_BRANCH"
 189 EOF
 190     if [ "$GIT_BRANCH" != "$(base_branch)" ]; then
 191         cat >>config/chroot_local-includes/etc/os-release <<EOF
 192 TAILS_GIT_BASE_BRANCH="$(base_branch)"
 193 TAILS_GIT_BASE_COMMIT="$GIT_BASE_BRANCH_COMMIT"
 194 EOF
 195     fi
 196 else
 197     cat >>config/chroot_local-includes/etc/os-release <<EOF
 198 TAILS_GIT_TAG="$(git_current_tag)"
 199 EOF
 200 fi
 201
 202 # If you update the following regexp, also update it in
 203 # config/chroot_local-includes/usr/src/iuk/lib/Tails/IUK/UpgradeDescriptionFile/Generate.pm
 204 if echo "$TAILS_VERSION" | grep -qs -E '~(alpha|beta|rc)[0-9]*$'; then
 205     echo 'TAILS_CHANNEL="alpha"' >>config/chroot_local-includes/etc/os-release
 206 fi
 207
 208 # changelog
 209 cp debian/changelog config/chroot_local-includes/usr/share/doc/tails/Changelog
 210
 211 # custom APT sources
 212 tails-custom-apt-sources >config/chroot_sources/tails.chroot ||
 213     fatal "tails-custom-apt-sources failed with exit code $?"
 214
 215 # save the original file, shipped by the debootstrap package,
 216 # so we can always apply our debian-common.patch to the original
 217 # version
 218 if ! [ -e /usr/share/debootstrap/scripts/debian-common.bak ]; then
 219     cp -a /usr/share/debootstrap/scripts/debian-common \
 220         /usr/share/debootstrap/scripts/debian-common.bak
 221 fi
 222 # customize debootstrap with some APT magic to log downloads
 223 patch \
 224     --output=/usr/share/debootstrap/scripts/debian-common \
 225     /usr/share/debootstrap/scripts/debian-common.bak \
 226     data/debootstrap/scripts/debian-common.patch
 227 sed -i "s,%%topdir%%,$(pwd)," /usr/share/debootstrap/scripts/debian-common
 228
 229 # Make the python library available in Tails
 230 install -d -m 2777 config/chroot_local-includes/tmp/