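#!/usr/bin/make -f
# -*- makefile -*-
# Source: github.com/meulengracht/snapd@v0.0.0-20210719210640-8bde69bcc84e/packaging/debian-sid/rules
#
# These rules should work for any debian-ish distro that uses systemd
# as init. That does _not_ include Ubuntu 14.04 ("trusty"); look for
# its own special rule file.
#
# Please keep the diff between that and this relatively small, even if
# it means having suboptimal code; these need to be kept in sync by
# sentient bags of meat.

#export DH_VERBOSE=1
export DH_OPTIONS
export DH_GOPKG := github.com/snapcore/snapd
#export DEB_BUILD_OPTIONS=nocheck
export DH_GOLANG_EXCLUDES=tests
export DH_GOLANG_GO_GENERATE=1

# The source tree is appended (not prepended) to PATH, so directories
# already on PATH keep precedence over anything in the tree.
export PATH:=${PATH}:${CURDIR}

# /etc/os-release is read as makefile syntax. Its values keep their
# double quotes, which is why the comparisons below test against
# "18.04" and "18.10" including the quote characters.
include /etc/os-release

# On 18.04 the released version of apt (1.6.1) has a bug that causes
# problem on "apt purge snapd". To ensure this won't happen add the
# right dependency on 18.04.
# NOTE(review): no rule in this file references SUBSTVARS; confirm that
# it is consumed elsewhere, otherwise the Breaks is never emitted.
ifeq (${VERSION_ID},"18.04")
  SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
endif
# Same as above for 18.10 just a different version.
ifeq (${VERSION_ID},"18.10")
  SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
endif

# this is overridden in the ubuntu/14.04 release branch
SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"

# The go tool does not fully support vendoring with gccgo, but we can
# work around that by constructing the appropriate -I flag by hand.
GCCGO := $(shell go tool dist env > /dev/null 2>&1 && echo no || echo yes)

# Disable -buildmode=pie mode on i386 as can panics in spectacular
# ways (LP: #1711052).
# See also https://forum.snapcraft.io/t/artful-i386-panics/
# Note while the panic is only on artful, that's because artful
# detects it; the issue potentially there on older things.
BUILDFLAGS:=-pkgdir=$(CURDIR)/_build/std
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),i386)
BUILDFLAGS+= -buildmode=pie
endif

# With gccgo BUILDFLAGS is reset to empty, which also drops
# -buildmode=pie for every Go binary built below.
GCCGOFLAGS=
ifeq ($(GCCGO),yes)
GOARCH := $(shell go env GOARCH)
GOOS := $(shell go env GOOS)
BUILDFLAGS:=
GCCGOFLAGS=-gccgoflags="-I $(CURDIR)/_build/pkg/gccgo_$(GOOS)_$(GOARCH)/$(DH_GOPKG)/vendor"
export DH_GOLANG_GO_GENERATE=0
# workaround for https://github.com/golang/go/issues/23721
export GOMAXPROCS=2
endif

# check if we need to include the testkeys in the binary
# TAGS are the go build tags for all binaries, SNAP_TAGS are for snap
# build only.
# The only guard against shipping a "withtestkeys" build is the key
# count check in override_dh_auto_test, and that check is skipped when
# DEB_BUILD_OPTIONS contains "nocheck".
TAGS=nosecboot
SNAP_TAGS=nosecboot nomanagers
ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
  TAGS+= withtestkeys
  SNAP_TAGS+= withtestkeys
endif

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

BUILT_USING_PACKAGES=
# NOTE(review): the dpkg hardening build flags below are commented out,
# so this file does not export them to the C build in cmd/. Confirm that
# cmd/ sets equivalent flags itself.
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# DPKG_EXPORT_BUILDFLAGS = 1
# include /usr/share/dpkg/buildflags.mk

# Currently, we enable confinement for Ubuntu only, not for derivatives,
# because derivatives may have different kernels that don't support all the
# required confinement features and we don't want to mislead anyone about the
# security of the system. Discuss a proper approach to this for downstreams
# if and when they approach us.
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
  # On Ubuntu 16.04 we need to produce a build that can be used on wide
  # variety of systems. As such we prefer static linking over dynamic linking
  # for stability, predictability and ease of deployment. We need to link some
  # things dynamically though: udev has no stable IPC protocol between
  # libudev and udevd so we need to link with it dynamically.
  VENDOR_ARGS=--enable-nvidia-multiarch --enable-static-libcap --enable-static-libapparmor --enable-static-libseccomp --with-host-arch-triplet=$(DEB_HOST_MULTIARCH)
ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),amd64)
  VENDOR_ARGS+= --with-host-arch-32bit-triplet=$(shell dpkg-architecture -f -ai386 -qDEB_HOST_MULTIARCH)
endif
  BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev
else
ifeq ($(shell dpkg-vendor --query Vendor),Debian)
  VENDOR_ARGS=--enable-nvidia-multiarch
  BUILT_USING_PACKAGES=libcap-dev
else
  VENDOR_ARGS=--disable-apparmor
endif
endif

# Built-Using records the exact source versions of the statically linked
# libraries. dpkg-query -W without a package argument lists every
# installed package, so the query is only made when the list is
# non-empty (it is empty for vendors other than Ubuntu and Debian).
BUILT_USING=
ifneq (,$(strip $(BUILT_USING_PACKAGES)))
BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES))
endif

# Catch-all: every target not overridden below is handed to dh.
%:
	dh $@ --buildsystem=golang --with=golang --fail-missing --with systemd --builddirectory=_build

# -X keeps dh_fixperms from touching snap-confine.
# NOTE(review): presumably this preserves the special mode set on
# snap-confine by "make -C cmd install"; confirm against cmd/.
override_dh_fixperms:
	dh_fixperms -Xusr/lib/snapd/snap-confine


# The .real profile is a workaround for a bug in dpkg LP: #1673247 that causes
# ubiquity to crash. It allows us to "move" the snap-confine profile from
# snap-confine into snapd in a way that works with old dpkg that is in the live
# CD image.
#
# Because both the usual and the .real profile describe the same binary the
# .real profile takes priority (as it is loaded later).
override_dh_installdeb:
	dh_apparmor --profile-name=usr.lib.snapd.snap-confine.real -psnapd
	dh_installdeb

# Cleans the tree. When TEST_GITHUB_AUTOPKGTEST is set it first
# regenerates vendor/ with govendor.
#
# The GOPATH used for that is a private mktemp directory rather than a
# fixed name under /tmp: the recipe executes bin/govendor from it, and a
# fixed name in a world-writable directory can be prepared in advance by
# another local user. The directory is removed when the shell exits.
# NOTE(review): "go get -u" fetches govendor unpinned from the network
# at build time; consider pinning a version or using a packaged copy.
override_dh_clean:
ifneq (,$(TEST_GITHUB_AUTOPKGTEST))
	# this will be set by the GITHUB webhook to trigger a autopkgtest
	# we only need to run "govendor sync" here and then its ready
	set -e; \
	gopath="$$(mktemp -d)"; \
	trap 'rm -rf "$$gopath"' EXIT; \
	export GOPATH="$$gopath"; \
	mkdir -p "$$gopath/src/github.com/snapcore/"; \
	cp -ar . "$$gopath/src/github.com/snapcore/snapd"; \
	go get -u github.com/kardianos/govendor; \
	(cd "$$gopath/src/github.com/snapcore/snapd" && "$$gopath/bin/govendor" sync); \
	cp -ar "$$gopath/src/github.com/snapcore/snapd/vendor/" .
endif
	dh_clean
	$(MAKE) -C data clean
	# XXX: hacky
	$(MAKE) -C cmd distclean || true

# Builds the Go binaries (via dh_auto_build plus explicit "go build"
# calls for snap, snap-exec, snapctl, snap-update-ns and snap-seccomp),
# then the C programs in cmd/ and the generated files in data/.
#
# NOTE(review): GOCACHE=/tmp/go-build is a fixed path in a
# world-writable directory that is shared with anything else on the
# build host; a cache directory under the build tree would keep it
# private to this build.
override_dh_auto_build:
	# usually done via `go generate` but that is not supported on powerpc
	./mkversion.sh
	# Build golang bits
	mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
	cp -a bootloader/assets/data _build/src/$(DH_GOPKG)/bootloader/assets

	# exclude certain parts that won't be used by debian
	find _build/src/$(DH_GOPKG)/cmd/snap-bootstrap -name "*.go" | xargs rm -f
	find _build/src/$(DH_GOPKG)/gadget/install -name "*.go" | grep -vE '(params\.go|install_dummy\.go)'| xargs rm -f
	# XXX: once dh-golang understands go build tags this would not be needed
	find _build/src/$(DH_GOPKG)/secboot/ -name "*.go" | grep -Ev '(encrypt\.go|secboot_dummy\.go|secboot\.go|encrypt_dummy\.go)' | xargs rm -f
	# and build
	dh_auto_build -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS)

	(cd _build/bin && GOPATH=$$(pwd)/.. GOCACHE=/tmp/go-build go build $(BUILDFLAGS) $(GCCGOFLAGS) -tags "$(SNAP_TAGS)" $(DH_GOPKG)/cmd/snap)

	# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
	# Generate static snap-exec, snapctl and snap-update-ns - it somehow includes CGO so
	# we must force a static build here. We need a static snap-{exec,update-ns}
	# inside the core snap because not all bases will have a libc
	(cd _build/bin && GOPATH=$$(pwd)/.. GOCACHE=/tmp/go-build CGO_ENABLED=0 go build $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-exec)
	(cd _build/bin && GOPATH=$$(pwd)/.. GOCACHE=/tmp/go-build CGO_ENABLED=0 go build $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snapctl)
	(cd _build/bin && GOPATH=$$(pwd)/.. GOCACHE=/tmp/go-build go build --ldflags '-extldflags "-static"' $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-update-ns)

# The three checks below are ordinary recipe lines. They used to be
# wrapped in make's shell function, which make evaluates while expanding
# the recipe (not after the "go build" lines above have run) and whose
# exit status make discards, so a dynamically linked binary did not
# reliably fail the build. ldd exits non-zero for a static executable,
# so a successful ldd means the binary is dynamic and the build stops.
	# ensure we generated a static build
	if ldd _build/bin/snap-exec; then echo "need static build" >&2; exit 1; fi
	if ldd _build/bin/snap-update-ns; then echo "need static build" >&2; exit 1; fi
	if ldd _build/bin/snapctl; then echo "need static build" >&2; exit 1; fi
endif

	# ensure snap-seccomp is built with a static libseccomp on Ubuntu
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
	# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
	sed -i "s|#cgo LDFLAGS:|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
	(cd _build/bin && GOPATH=$$(pwd)/.. CGO_LDFLAGS_ALLOW="/.*/libseccomp.a" go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-seccomp)
	# ensure that libseccomp is not dynamically linked
	ldd _build/bin/snap-seccomp
	test "$$(ldd _build/bin/snap-seccomp | grep libseccomp)" = ""
	# revert again so that the subsequent tests work
	sed -i "s|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|#cgo LDFLAGS:|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
endif
endif

	# Build C bits, sadly manually
	cd cmd && ( autoreconf -i -f )
	cd cmd && ( ./configure --prefix=/usr --libexecdir=/usr/lib/snapd $(VENDOR_ARGS))
	$(MAKE) -C cmd all

	# Generate the real systemd/dbus/env config files
	$(MAKE) -C data all

# Runs the Go tests, then (unless "nocheck" is set) verifies which
# account-key identifiers are embedded in the built binaries and runs
# the snap-confine tests.
#
# The count checks fail the build when a binary carries more or fewer
# "public-key-sha3-384" entries than expected, which is what catches an
# accidental "withtestkeys" build. With "nocheck" none of this runs, so
# such builds must not be treated as verified.
override_dh_auto_test:
	dh_auto_test -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS)
	# a tested default (production) build should have no test keys
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# check that only the main trusted account-keys are included
	[ $$(strings _build/bin/snapd|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 2 ]
	strings _build/bin/snapd|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
	strings _build/bin/snapd|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
	# same for snap-repair
	[ $$(strings _build/bin/snap-repair|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 3 ]
	# common with snapd
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
	# repair-root
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: nttW6NfBXI_E-00u38W-KH6eiksfQNXuI7IiumoV49_zkbhM0sYTzSnFlwZC-W4t$$"
endif
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# run the snap-confine tests
	$(MAKE) -C cmd check
endif

# Removes build-only helper binaries from debian/tmp before dh_install
# so that they are not shipped.
override_dh_install-indep:
	# we do not need this in the package, its just needed during build
	rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
	# toolbelt is not shippable
	rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
	# we do not like /usr/bin/snappy anymore
	rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
	# chrorder generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
	# bootloader assets generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/genasset
	# docs generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/docs

	dh_install

# Same clean-up as the -indep variant, plus installation of locale
# data, the data/ and cmd/ trees, the AppArmor profile rename and the
# removal of units that are not shipped in this package.
override_dh_install-arch:
	# we do not need this in the package, its just needed during build
	rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
	# toolbelt is not shippable
	rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
	# we do not like /usr/bin/snappy anymore
	rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
	# i18n stuff
	mkdir -p debian/snapd/usr/share
	if [ -d share/locale ]; then \
		cp -R share/locale debian/snapd/usr/share; \
	fi
	# chrorder generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
	# bootloader assets generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/genasset
	# docs generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/docs

	# Install snapd's systemd units / upstart jobs, done
	# here instead of debian/snapd.install because the
	# ubuntu/14.04 release branch adds/changes bits here
	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
	# We called this apps-bin-path.sh instead of snapd.sh, and
	# it's a conf file so we're stuck with it
	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh

	$(MAKE) -C cmd install DESTDIR=$(CURDIR)/debian/tmp

	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real

	# On Ubuntu and Debian we don't need to install the apparmor helper service.
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor

	# Outside of core we don't need to install the following files:
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.autoimport.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.core-fixup.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.failure.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.timer
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.system-shutdown.service
	rm $(CURDIR)/debian/snapd/usr/lib/snapd/snapd.run-from-snap

	dh_install

# The manual page is generated from the built snap binary first.
override_dh_auto_install: snap.8
	dh_auto_install -O--buildsystem=golang

snap.8:
	# fix reproducible builds as reported by:
	# https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/snapd.html
	# once golang-go-flags is fixed we can remove the "sed" expression
	$(CURDIR)/_build/bin/snap help --man | sed '1 s/^.*/.TH snap 8 "$(shell date --reference=debian/changelog +"%d %B %Y")"/' > $@

override_dh_auto_clean:
	dh_auto_clean -O--buildsystem=golang
	rm -vf snap.8

# Passes the Built-Using value computed above to dpkg-gencontrol.
override_dh_gencontrol:
	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"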