summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--debian/changelog18
-rw-r--r--debian/control15
-rwxr-xr-xdebian/extra/gen-signing-template4
-rwxr-xr-xdebian/rules8
-rw-r--r--debian/signing-template/control1
-rwxr-xr-xdebian/signing-template/rules2
-rw-r--r--debian/systemd-boot-efi-amd64-signed-template.lintian-overrides1
-rw-r--r--debian/systemd-boot-efi-arm64-signed-template.lintian-overrides1
-rw-r--r--debian/systemd-cryptsetup.lintian-overrides2
-rw-r--r--debian/systemd-standalone-shutdown.lintian-overrides2
-rw-r--r--debian/tests/control121
-rwxr-xr-xdebian/tests/upstream134
12 files changed, 193 insertions, 116 deletions
diff --git a/debian/changelog b/debian/changelog
index 2f38fc4..c372313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+systemd (256.1-1) unstable; urgency=medium
+
+ * Bump versioned breaks against dracut to 102-2 (Closes: #1073290)
+ * autopkgtest: switch upstream suite to mkosi-based builds
+ * Add conflict against sysv-rc, insserv and startpar in systemd-sysv.
+ They are not needed, and having them installed causes problems.
+ (Closes: #1072562)
+ * New upstream version 256.1
+ * Drop section from binary packages where it matches the source package
+ * Override Lintian false positives about spare manpages
+ * Deduplicate template packages descriptions
+ * Add Lintian override for template package false positives
+ * Rename EFI architecture variable to avoid dpkg clash. Fixes Lintian
+ warning: debian-rules-sets-dpkg-architecture-variable
+ * Upload to unstable.
+
+ -- Luca Boccassi <bluca@debian.org> Tue, 18 Jun 2024 23:19:16 +0100
+
systemd (256-2) experimental; urgency=medium
* Add templated packages for UEFI Secure Boot signing of systemd-boot.
diff --git a/debian/control b/debian/control
index b45bf3c..6a7736e 100644
--- a/debian/control
+++ b/debian/control
@@ -114,7 +114,7 @@ Conflicts: consolekit,
opensysusers,
Breaks: less (<< 563),
sicherboot (<< 0.1.6),
- dracut (<= 060+5-7),
+ dracut-core (<< 102-2~),
Provides: systemd-sysusers (= ${binary:Version}),
systemd-tmpfiles (= ${binary:Version}),
Description: system and service manager
@@ -136,6 +136,9 @@ Conflicts: sysvinit-core,
systemd-shim,
initscripts,
orphan-sysvinit-scripts,
+ sysv-rc,
+ insserv,
+ startpar,
bfh-container (<< 20211009-22~),
molly-guard (<< 0.8.2~),
progress-linux-container (<< 20221002-11~),
@@ -571,17 +574,17 @@ Package: systemd-boot-efi-amd64-signed-template
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends},
Build-Profiles: <!stage1 !pkg.systemd.upstream>
-Description: Template for signed systemd-boot-efi package
+Description: Template for signed systemd-boot-efi package (amd64)
This package is used to control code signing by the Debian signing
- service.
+ service (amd64 variant).
Package: systemd-boot-efi-arm64-signed-template
Architecture: arm64
Depends: ${shlibs:Depends}, ${misc:Depends},
Build-Profiles: <!stage1 !pkg.systemd.upstream>
-Description: Template for signed systemd-boot-efi package
+Description: Template for signed systemd-boot-efi package (arm64)
This package is used to control code signing by the Debian signing
- service.
+ service (arm64 variant).
Package: systemd-ukify
Build-Profiles: <!stage1 !pkg.systemd.noukify>
@@ -642,7 +645,6 @@ Description: systemd development files
Package: systemd-repart
Architecture: linux-any
-Section: admin
Depends: ${shlibs:Depends},
${misc:Depends},
Recommends: ${dlopen:Recommends},
@@ -657,7 +659,6 @@ Description: Provides the systemd-repart utility
Package: systemd-cryptsetup
Build-Profiles: <!stage1>
Architecture: linux-any
-Section: admin
Depends: ${shlibs:Depends},
${misc:Depends},
Recommends: ${dlopen:Recommends},
diff --git a/debian/extra/gen-signing-template b/debian/extra/gen-signing-template
index 6c13571..3a25c7e 100755
--- a/debian/extra/gen-signing-template
+++ b/debian/extra/gen-signing-template
@@ -4,7 +4,7 @@ set -euE
export DEB_VERSION="$1"
export DEB_HOST_ARCH="$2"
-export DEB_HOST_ARCH_EFI="$3"
+export TEMPLATE_EFI_ARCH="$3"
DISTRIBUTION="$(dpkg-parsechangelog -SDistribution)"
URGENCY="$(dpkg-parsechangelog -SUrgency)"
@@ -16,7 +16,7 @@ DEB_VERSION_SOURCE="$(echo "$DEB_VERSION" | sed -re 's/\+b[[:digit:]]+$//')"
export DEB_VERSION_SOURCE
SIGN_TEMPLATE_DIR="debian/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template/usr/share/code-signing/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template"
SIGN_SOURCE_DIR="${SIGN_TEMPLATE_DIR}/source-template/debian"
-FILE=usr/lib/systemd/boot/efi/systemd-boot${DEB_HOST_ARCH_EFI}.efi
+FILE=usr/lib/systemd/boot/efi/systemd-boot${TEMPLATE_EFI_ARCH}.efi
for i in $(find debian/signing-template -type f -printf '%P\n'); do
mkdir -p "$SIGN_SOURCE_DIR/$(dirname "$i")"
diff --git a/debian/rules b/debian/rules
index 30dbaa1..e43b781 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,9 +9,9 @@ include /usr/share/dpkg/default.mk
include /usr/share/debhelper/dh_package_notes/package-notes.mk
ifeq (amd64,$(DEB_HOST_ARCH))
-export DEB_HOST_ARCH_EFI=x64
+export TEMPLATE_EFI_ARCH=x64
else ifeq (arm64,$(DEB_HOST_ARCH))
-export DEB_HOST_ARCH_EFI=aa64
+export TEMPLATE_EFI_ARCH=aa64
endif
@@ -293,8 +293,8 @@ endif
ifeq (, $(filter pkg.systemd.upstream, $(DEB_BUILD_PROFILES)))
ifeq ($(DEB_VENDOR),Debian)
-ifneq ($(DEB_HOST_ARCH_EFI),)
- debian/extra/gen-signing-template $(DEB_VERSION) $(DEB_HOST_ARCH) $(DEB_HOST_ARCH_EFI)
+ifneq ($(TEMPLATE_EFI_ARCH),)
+ debian/extra/gen-signing-template $(DEB_VERSION) $(DEB_HOST_ARCH) $(TEMPLATE_EFI_ARCH)
endif
endif
endif
diff --git a/debian/signing-template/control b/debian/signing-template/control
index 8baaf83..cfe456f 100644
--- a/debian/signing-template/control
+++ b/debian/signing-template/control
@@ -11,7 +11,6 @@ Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git
Vcs-Browser: https://salsa.debian.org/systemd-team/systemd
Package: systemd-boot-efi-${DEB_HOST_ARCH}-signed
-Section: admin
Architecture: ${DEB_HOST_ARCH}
Provides: systemd-boot-efi-signed
Built-Using: systemd (= ${DEB_VERSION_SOURCE})
diff --git a/debian/signing-template/rules b/debian/signing-template/rules
index 0887e3e..b248342 100755
--- a/debian/signing-template/rules
+++ b/debian/signing-template/rules
@@ -2,7 +2,7 @@
include /usr/share/dpkg/default.mk
-BINARY = systemd-boot${DEB_HOST_ARCH_EFI}.efi
+BINARY = systemd-boot${TEMPLATE_EFI_ARCH}.efi
INSTALLED = usr/lib/systemd/boot/efi/$(BINARY)
SIGNATURE = debian/signatures/systemd-boot-efi/$(INSTALLED).sig
diff --git a/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides b/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides
new file mode 100644
index 0000000..170a3f6
--- /dev/null
+++ b/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides
@@ -0,0 +1 @@
+systemd-boot-efi-amd64-signed-template: script-not-executable [usr/share/code-signing/systemd-boot-efi-amd64-signed-template/source-template/debian/rules]
diff --git a/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides b/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides
new file mode 100644
index 0000000..ccdf68c
--- /dev/null
+++ b/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides
@@ -0,0 +1 @@
+systemd-boot-efi-arm64-signed-template: script-not-executable [usr/share/code-signing/systemd-boot-efi-arm64-signed-template/source-template/debian/rules]
diff --git a/debian/systemd-cryptsetup.lintian-overrides b/debian/systemd-cryptsetup.lintian-overrides
new file mode 100644
index 0000000..590612b
--- /dev/null
+++ b/debian/systemd-cryptsetup.lintian-overrides
@@ -0,0 +1,2 @@
+# Lintian is really bad at associating manpages
+systemd-cryptsetup: spare-manual-page
diff --git a/debian/systemd-standalone-shutdown.lintian-overrides b/debian/systemd-standalone-shutdown.lintian-overrides
new file mode 100644
index 0000000..88e99c1
--- /dev/null
+++ b/debian/systemd-standalone-shutdown.lintian-overrides
@@ -0,0 +1,2 @@
+# Lintian is really bad at associating manpages
+systemd-standalone-shutdown: spare-manual-page
diff --git a/debian/tests/control b/debian/tests/control
index dcc19eb..fb7db14 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -131,15 +131,19 @@ Depends: systemd-tests,
Restrictions: needs-root, isolation-container, breaks-testbed
Tests: upstream
-Depends: systemd-tests,
- systemd-dev,
+Depends: systemd (>= 254~),
+ systemd-container (>= 254~),
systemd-journal-remote,
systemd-container,
+ systemd-ukify,
+ systemd-dev,
+ systemd-tests,
systemd-coredump,
systemd-timesyncd,
systemd-oomd,
systemd-homed,
systemd-resolved,
+ systemd-boot [amd64 arm64 armhf i386 riscv64],
systemd-repart,
systemd-cryptsetup,
systemd-boot-efi [amd64 arm64 armhf i386 riscv64],
@@ -147,92 +151,53 @@ Depends: systemd-tests,
libnss-mymachines,
libnss-resolve,
libnss-systemd,
- attr,
- tree,
- perl,
- xz-utils,
- libcap2-bin,
- iproute2,
- lz4,
- acl,
- dmeventd,
- kbd,
- cryptsetup-bin,
- cryptsetup-initramfs,
- net-tools,
- isc-dhcp-client,
- iputils-ping,
- strace,
qemu-system-x86 [amd64 i386],
qemu-system-arm [arm64 armhf],
qemu-system-ppc [ppc64el],
qemu-system-s390x [s390x],
- seabios,
- less,
+ qemu-system-misc [!amd64 !arm64 !armhf !i386 !ppc64el !s390x],
+ ovmf [amd64],
+ ovmf-ia32 [i386],
+ qemu-efi-aarch64 [arm64],
+ qemu-efi-arm [armhf],
+ qemu-efi-riscv64 [riscv64],
+ seabios [ppc64el s390x],
+ swtpm,
+ swtpm-tools,
+ tpm2-tools,
+ git,
+ ca-certificates,
+ build-essential,
pkgconf,
- gcc,
- libc6-dev | libc-dev,
- make,
- quota,
+ libcap-dev,
+ mount,
+ libmount-dev,
+ python3-jinja2,
+ meson,
+ gperf,
+ libblkid-dev,
+ libcap-dev,
+ python3-pefile,
+ sbsigntool [amd64 arm64 armhf i386 riscv64],
+ mtools,
+ bash,
+ bubblewrap (>= 0.4~),
+ reprepro,
fdisk,
- netcat-openbsd,
- socat,
- busybox-static,
- plymouth,
+ cryptsetup-bin,
+ gnupg,
+ openssh-client,
+ python3-cryptography,
e2fsprogs,
- zstd,
- squashfs-tools,
- vim-tiny,
dosfstools,
- mtools,
erofs-utils,
- libdw-dev,
- libelf-dev,
- dbus-user-session,
- libtss2-dev,
- libfido2-dev,
- libqrencode-dev,
- libpwquality-dev,
- libarchive-dev,
- libp11-kit-dev,
- libssl-dev,
- libgcrypt20-dev,
- libkmod-dev,
- python3-pexpect,
- screen,
- swtpm,
- tpm2-tools,
- openssl,
- bsdutils,
- knot,
- knot-dnssecutils | knot-dnsutils,
- bind9-dnsutils,
- bind9-host,
- nftables,
- jq,
- psmisc,
- xkb-data,
- locales,
- locales-all,
- stress,
- curl,
- tzdata-legacy | tzdata (<< 2024a-1),
- python3-pefile,
- nvme-cli,
- mdadm,
- lvm2,
+ squashfs-tools,
btrfs-progs,
- multipath-tools,
- kpartx,
- gnutls-bin,
- opensc,
- softhsm2,
- openssh-client,
- openssh-server,
- polkitd,
- open-iscsi,
- tgt,
-Restrictions: needs-root, allow-stderr, isolation-machine
+ xz-utils,
+ zstd,
+ uidmap,
+ jq,
+Restrictions: needs-root, allow-stderr, isolation-machine, needs-internet, breaks-testbed
Tests: boot-smoke
Depends: systemd-sysv,
diff --git a/debian/tests/upstream b/debian/tests/upstream
index 850add1..6b7899a 100755
--- a/debian/tests/upstream
+++ b/debian/tests/upstream
@@ -1,31 +1,119 @@
#!/bin/sh
-# run upstream system integration tests
-# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# run upstream system integration tests via mkosi
set -e
+set -x
+
+cleanup () {
+ if [ -f "${workdir}/btrfs/build/meson-logs/testlog.txt" ]; then
+ cp "${workdir}/btrfs/build/meson-logs/testlog.txt" "$AUTOPKGTEST_ARTIFACTS"
+ fi
+ if [ -d "${workdir}/btrfs/build/test/journal" ]; then
+ cp -r "${workdir}/btrfs/build/test/journal" "$AUTOPKGTEST_ARTIFACTS"
+ fi
+ if [ -n "$workdir" ]; then
+ umount "$workdir/btrfs" || true
+ losetup --detach "$loop" || true
+ rm -rf "$workdir"
+ fi
+}
+
+# apparmor is not compatible with swtpm
+aa-teardown >/dev/null 2>&1 || true
+# we need user namespaces for some tests running in nspawn
+sysctl -we kernel.apparmor_restrict_unprivileged_unconfined=0
+sysctl -we kernel.apparmor_restrict_unprivileged_userns=0
+
+mkdir -p /run/systemd/resolved.conf.d/
+tee /run/systemd/resolved.conf.d/dns.conf <<EOF
+[Resolve]
+DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+EOF
+systemctl try-reload-or-restart systemd-resolved.service
+
+workdir="$(mktemp --directory --tmpdir=/var/tmp integration-tests.XXXXXXXXXX)"
+trap cleanup EXIT
+
+# We need to make nearly identical copies of large images, so set up a BTRFS volume that
+# can use copy-on-write and compression, as the available disk space is very limited
+truncate --size=100G "$workdir/btrfs.raw"
+mkfs.btrfs "$workdir/btrfs.raw"
+mkdir -p "$workdir/btrfs"
+loop="$(losetup --find --show --direct-io=on "$workdir/btrfs.raw")"
+mount "$loop" "$workdir/btrfs" --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2
+
+# mkosi will drop privileges and fail if it detects that is ran under sudo,
+# so unset these variables to hide it
+unset SUDO_USER SUDO_UID SUDO_GID
+
+mkosi_tree="${AUTOPKGTEST_TMP}/mkosi"
+git clone https://github.com/systemd/mkosi.git "$mkosi_tree"
+# If we have it, pin the mkosi version to the same one used by Github Actions, to ensure consistency
+if [ -f .github/workflows/mkosi.yml ]; then
+ mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")"
+ git -C "$mkosi_tree" checkout "$mkosi_hash"
+fi
+
+tee mkosi.local.conf <<EOF
+[Output]
+Format=disk
+WorkspaceDirectory=$workdir
+PackageCacheDirectory=$workdir/cache
+
+[Distribution]
+PackageManagerTrees=/etc/apt/preferences.d/:/etc/apt/preferences.d/
+
+[Content]
+Environment=NO_BUILD=1 NO_SYNC=1 ARTIFACT_DIRECTORY="$AUTOPKGTEST_ARTIFACTS" TEST_SAVE_JOURNAL=fail TEST_SHOW_JOURNAL=warning
+
+[Host]
+RuntimeBuildSources=no
+Incremental=no
+EOF
+
+# reprepro is unhappy about non-existing directories
+package_directories=""
+if [ -d "${AUTOPKGTEST_TMP}/../binaries" ]; then
+ package_directories="${AUTOPKGTEST_TMP}/../binaries,$package_directories"
+fi
+if [ -d /var/cache/apt/archives/ ]; then
+ package_directories="/var/cache/apt/archives/,$package_directories"
+fi
+if [ -n "$package_directories" ]; then
+ tee -a mkosi.local.conf <<EOF
+[Content]
+PackageDirectories=$package_directories
+EOF
+fi
+
+# Everything is already built and installed, but these dependencies will cause rebuilds which we want to
+# avoid, so patch them out
+sed -i "/depends : mkosi_depends/d" meson.build
+
+# qemu/vsock does not appear to work on ppc64el/s390x, so skip those tests
+dpkgarch=$(dpkg --print-architecture)
+if [ "$dpkgarch" = ppc64el ] || [ "$dpkgarch" = s390x ]; then
+ export TEST_NO_QEMU=1
+fi
+
+# If we don't have KVM, the explicitly disable it, as mkosi will fail. But try to load the module first.
+modprobe kvm || true
+if [ ! -e /dev/kvm ]; then
+ export TEST_NO_KVM=1
+fi
-DPKGARCH=$(dpkg --print-architecture)
-
-# Because this test is used both by upstream and by Debian, we use different deny-list filenames.
-# For more details see https://salsa.debian.org/systemd-team/systemd/merge_requests/52
-case "${DEB_BUILD_PROFILES:-}" in
- *pkg.systemd.upstream*)
- denylist="deny-list-ubuntu-ci"
- if [ "$DPKGARCH" = ppc64el ]; then
- export TEST_NO_QEMU=1
- fi
- ;;
- *)
- denylist="deny-list-upstream-ci"
- ;;
-esac
-
-export DENY_LIST_MARKERS="$denylist-$DPKGARCH $denylist"
export ARTIFACT_DIRECTORY="$AUTOPKGTEST_ARTIFACTS"
+export PATH="${mkosi_tree}/bin:$PATH"
export TEST_SAVE_JOURNAL=fail
export TEST_SHOW_JOURNAL=warning
-export TEST_REQUIRE_INSTALL_TESTS=0
-export TEST_PREFER_NSPAWN=1
-export NO_BUILD=1
export QEMU_TIMEOUT=2400
export NSPAWN_TIMEOUT=2400
-test/run-integration-tests.sh
+export SYSTEMD_INTEGRATION_TESTS=1
+export NO_BUILD=1
+export NO_SYNC=1
+
+mkosi summary
+meson setup "${workdir}/btrfs/build" -Dintegration-tests=true -Dtests=true
+mkosi --debug genkey
+cp mkosi.key mkosi.crt "${workdir}/btrfs/build"
+meson compile -C "${workdir}/btrfs/build" mkosi
+meson test -C "${workdir}/btrfs/build" -v --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit