-rw-r--r-- | debian/changelog | 18 | ||||
-rw-r--r-- | debian/control | 15 | ||||
-rwxr-xr-x | debian/extra/gen-signing-template | 4 | ||||
-rwxr-xr-x | debian/rules | 8 | ||||
-rw-r--r-- | debian/signing-template/control | 1 | ||||
-rwxr-xr-x | debian/signing-template/rules | 2 | ||||
-rw-r--r-- | debian/systemd-boot-efi-amd64-signed-template.lintian-overrides | 1 | ||||
-rw-r--r-- | debian/systemd-boot-efi-arm64-signed-template.lintian-overrides | 1 | ||||
-rw-r--r-- | debian/systemd-cryptsetup.lintian-overrides | 2 | ||||
-rw-r--r-- | debian/systemd-standalone-shutdown.lintian-overrides | 2 | ||||
-rw-r--r-- | debian/tests/control | 121 | ||||
-rwxr-xr-x | debian/tests/upstream | 134 |
12 files changed, 193 insertions, 116 deletions
diff --git a/debian/changelog b/debian/changelog index 2f38fc4..c372313 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +systemd (256.1-1) unstable; urgency=medium + + * Bump versioned breaks against dracut to 102-2 (Closes: #1073290) + * autopkgtest: switch upstream suite to mkosi-based builds + * Add conflict against sysv-rc, insserv and startpar in systemd-sysv. + They are not needed, and having them installed causes problems. + (Closes: #1072562) + * New upstream version 256.1 + * Drop section from binary packages where it matches the source package + * Override Lintian false positives about spare manpages + * Deduplicate template packages descriptions + * Add Lintian override for template package false positives + * Rename EFI architecture variable to avoid dpkg clash. Fixes Lintian + warning: debian-rules-sets-dpkg-architecture-variable + * Upload to unstable. + + -- Luca Boccassi <bluca@debian.org> Tue, 18 Jun 2024 23:19:16 +0100 + systemd (256-2) experimental; urgency=medium * Add templated packages for UEFI Secure Boot signing of systemd-boot. diff --git a/debian/control b/debian/control index b45bf3c..6a7736e 100644 --- a/debian/control +++ b/debian/control @@ -114,7 +114,7 @@ Conflicts: consolekit, opensysusers, Breaks: less (<< 563), sicherboot (<< 0.1.6), - dracut (<= 060+5-7), + dracut-core (<< 102-2~), Provides: systemd-sysusers (= ${binary:Version}), systemd-tmpfiles (= ${binary:Version}), Description: system and service manager @@ -136,6 +136,9 @@ Conflicts: sysvinit-core, systemd-shim, initscripts, orphan-sysvinit-scripts, + sysv-rc, + insserv, + startpar, bfh-container (<< 20211009-22~), molly-guard (<< 0.8.2~), progress-linux-container (<< 20221002-11~), 
@@ -571,17 +574,17 @@ Package: systemd-boot-efi-amd64-signed-template Architecture: amd64 Depends: ${shlibs:Depends}, ${misc:Depends}, Build-Profiles: <!stage1 !pkg.systemd.upstream> -Description: Template for signed systemd-boot-efi package +Description: Template for signed systemd-boot-efi package (amd64) This package is used to control code signing by the Debian signing - service. + service (amd64 variant). Package: systemd-boot-efi-arm64-signed-template Architecture: arm64 Depends: ${shlibs:Depends}, ${misc:Depends}, Build-Profiles: <!stage1 !pkg.systemd.upstream> -Description: Template for signed systemd-boot-efi package +Description: Template for signed systemd-boot-efi package (arm64) This package is used to control code signing by the Debian signing - service. + service (arm64 variant). Package: systemd-ukify Build-Profiles: <!stage1 !pkg.systemd.noukify> @@ -642,7 +645,6 @@ Description: systemd development files Package: systemd-repart Architecture: linux-any -Section: admin Depends: ${shlibs:Depends}, ${misc:Depends}, Recommends: ${dlopen:Recommends}, @@ -657,7 +659,6 @@ Description: Provides the systemd-repart utility Package: systemd-cryptsetup Build-Profiles: <!stage1> Architecture: linux-any -Section: admin Depends: ${shlibs:Depends}, ${misc:Depends}, Recommends: ${dlopen:Recommends}, diff --git a/debian/extra/gen-signing-template b/debian/extra/gen-signing-template index 6c13571..3a25c7e 100755 --- a/debian/extra/gen-signing-template +++ b/debian/extra/gen-signing-template @@ -4,7 +4,7 @@ set -euE export DEB_VERSION="$1" export DEB_HOST_ARCH="$2" -export DEB_HOST_ARCH_EFI="$3" +export TEMPLATE_EFI_ARCH="$3" DISTRIBUTION="$(dpkg-parsechangelog -SDistribution)" URGENCY="$(dpkg-parsechangelog -SUrgency)" 
@@ -16,7 +16,7 @@ DEB_VERSION_SOURCE="$(echo "$DEB_VERSION" | sed -re 's/\+b[[:digit:]]+$//')" export DEB_VERSION_SOURCE SIGN_TEMPLATE_DIR="debian/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template/usr/share/code-signing/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template" SIGN_SOURCE_DIR="${SIGN_TEMPLATE_DIR}/source-template/debian" -FILE=usr/lib/systemd/boot/efi/systemd-boot${DEB_HOST_ARCH_EFI}.efi +FILE=usr/lib/systemd/boot/efi/systemd-boot${TEMPLATE_EFI_ARCH}.efi for i in $(find debian/signing-template -type f -printf '%P\n'); do mkdir -p "$SIGN_SOURCE_DIR/$(dirname "$i")" diff --git a/debian/rules b/debian/rules index 30dbaa1..e43b781 100755 --- a/debian/rules +++ b/debian/rules @@ -9,9 +9,9 @@ include /usr/share/dpkg/default.mk include /usr/share/debhelper/dh_package_notes/package-notes.mk ifeq (amd64,$(DEB_HOST_ARCH)) -export DEB_HOST_ARCH_EFI=x64 +export TEMPLATE_EFI_ARCH=x64 else ifeq (arm64,$(DEB_HOST_ARCH)) -export DEB_HOST_ARCH_EFI=aa64 +export TEMPLATE_EFI_ARCH=aa64 endif @@ -293,8 +293,8 @@ endif ifeq (, $(filter pkg.systemd.upstream, $(DEB_BUILD_PROFILES))) ifeq ($(DEB_VENDOR),Debian) -ifneq ($(DEB_HOST_ARCH_EFI),) - debian/extra/gen-signing-template $(DEB_VERSION) $(DEB_HOST_ARCH) $(DEB_HOST_ARCH_EFI) +ifneq ($(TEMPLATE_EFI_ARCH),) + debian/extra/gen-signing-template $(DEB_VERSION) $(DEB_HOST_ARCH) $(TEMPLATE_EFI_ARCH) endif endif endif diff --git a/debian/signing-template/control b/debian/signing-template/control index 8baaf83..cfe456f 100644 --- a/debian/signing-template/control +++ b/debian/signing-template/control @@ -11,7 +11,6 @@ Vcs-Git: https://salsa.debian.org/systemd-team/systemd.git Vcs-Browser: https://salsa.debian.org/systemd-team/systemd Package: systemd-boot-efi-${DEB_HOST_ARCH}-signed -Section: admin Architecture: ${DEB_HOST_ARCH} Provides: systemd-boot-efi-signed Built-Using: systemd (= ${DEB_VERSION_SOURCE}) diff --git a/debian/signing-template/rules b/debian/signing-template/rules index 0887e3e..b248342 100755 
--- a/debian/signing-template/rules +++ b/debian/signing-template/rules @@ -2,7 +2,7 @@ include /usr/share/dpkg/default.mk -BINARY = systemd-boot${DEB_HOST_ARCH_EFI}.efi +BINARY = systemd-boot${TEMPLATE_EFI_ARCH}.efi INSTALLED = usr/lib/systemd/boot/efi/$(BINARY) SIGNATURE = debian/signatures/systemd-boot-efi/$(INSTALLED).sig diff --git a/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides b/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides new file mode 100644 index 0000000..170a3f6 --- /dev/null +++ b/debian/systemd-boot-efi-amd64-signed-template.lintian-overrides @@ -0,0 +1 @@ +systemd-boot-efi-amd64-signed-template: script-not-executable [usr/share/code-signing/systemd-boot-efi-amd64-signed-template/source-template/debian/rules] diff --git a/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides b/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides new file mode 100644 index 0000000..ccdf68c --- /dev/null +++ b/debian/systemd-boot-efi-arm64-signed-template.lintian-overrides @@ -0,0 +1 @@ +systemd-boot-efi-arm64-signed-template: script-not-executable [usr/share/code-signing/systemd-boot-efi-arm64-signed-template/source-template/debian/rules] diff --git a/debian/systemd-cryptsetup.lintian-overrides b/debian/systemd-cryptsetup.lintian-overrides new file mode 100644 index 0000000..590612b --- /dev/null +++ b/debian/systemd-cryptsetup.lintian-overrides @@ -0,0 +1,2 @@ +# Lintian is really bad at associating manpages +systemd-cryptsetup: spare-manual-page diff --git a/debian/systemd-standalone-shutdown.lintian-overrides b/debian/systemd-standalone-shutdown.lintian-overrides new file mode 100644 index 0000000..88e99c1 --- /dev/null +++ b/debian/systemd-standalone-shutdown.lintian-overrides @@ -0,0 +1,2 @@ +# Lintian is really bad at associating manpages +systemd-standalone-shutdown: spare-manual-page diff --git a/debian/tests/control b/debian/tests/control index dcc19eb..fb7db14 100644 --- a/debian/tests/control 
+++ b/debian/tests/control @@ -131,15 +131,19 @@ Depends: systemd-tests, Restrictions: needs-root, isolation-container, breaks-testbed Tests: upstream -Depends: systemd-tests, - systemd-dev, +Depends: systemd (>= 254~), + systemd-container (>= 254~), systemd-journal-remote, systemd-container, + systemd-ukify, + systemd-dev, + systemd-tests, systemd-coredump, systemd-timesyncd, systemd-oomd, systemd-homed, systemd-resolved, + systemd-boot [amd64 arm64 armhf i386 riscv64], systemd-repart, systemd-cryptsetup, systemd-boot-efi [amd64 arm64 armhf i386 riscv64], 
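Review bot: The new `Depends:` list of the `upstream` test names `systemd-container` twice: once as the added `systemd-container (>= 254~),` and once as the unchanged `systemd-container,` context line. The next hunk of this file has the same problem with `libcap-dev,`, which is added after `pkgconf,` and again after `libblkid-dev,`. Duplicates do not break dependency resolution, but they leave it unclear which entry is authoritative; I would drop the unversioned `systemd-container,` and the second `libcap-dev,`. The stanza continues past the end of this hunk.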
@@ -147,92 +151,53 @@ Depends: systemd-tests, libnss-mymachines, libnss-resolve, libnss-systemd, - attr, - tree, - perl, - xz-utils, - libcap2-bin, - iproute2, - lz4, - acl, - dmeventd, - kbd, - cryptsetup-bin, - cryptsetup-initramfs, - net-tools, - isc-dhcp-client, - iputils-ping, - strace, qemu-system-x86 [amd64 i386], qemu-system-arm [arm64 armhf], qemu-system-ppc [ppc64el], qemu-system-s390x [s390x], - seabios, - less, + qemu-system-misc [!amd64 !arm64 !armhf !i386 !ppc64el !s390x], + ovmf [amd64], + ovmf-ia32 [i386], + qemu-efi-aarch64 [arm64], + qemu-efi-arm [armhf], + qemu-efi-riscv64 [riscv64], + seabios [ppc64el s390x], + swtpm, + swtpm-tools, + tpm2-tools, + git, + ca-certificates, + build-essential, pkgconf, - gcc, - libc6-dev | libc-dev, - make, - quota, + libcap-dev, + mount, + libmount-dev, + python3-jinja2, + meson, + gperf, + libblkid-dev, + libcap-dev, + python3-pefile, + sbsigntool [amd64 arm64 armhf i386 riscv64], + mtools, + bash, + bubblewrap (>= 0.4~), + reprepro, fdisk, - netcat-openbsd, - socat, - busybox-static, - plymouth, + cryptsetup-bin, + gnupg, + openssh-client, + python3-cryptography, e2fsprogs, - zstd, - squashfs-tools, - vim-tiny, dosfstools, - mtools, erofs-utils, - libdw-dev, - libelf-dev, - dbus-user-session, - libtss2-dev, - libfido2-dev, - libqrencode-dev, - libpwquality-dev, - libarchive-dev, - libp11-kit-dev, - libssl-dev, - libgcrypt20-dev, - libkmod-dev, - python3-pexpect, - screen, - swtpm, - tpm2-tools, - openssl, - bsdutils, - knot, - knot-dnssecutils | knot-dnsutils, - bind9-dnsutils, - bind9-host, - nftables, - jq, - psmisc, - xkb-data, - locales, - locales-all, - stress, - curl, - tzdata-legacy | tzdata (<< 2024a-1), - python3-pefile, - nvme-cli, - mdadm, - lvm2, + squashfs-tools, btrfs-progs, - multipath-tools, - kpartx, - gnutls-bin, - opensc, - softhsm2, - openssh-client, - openssh-server, - polkitd, - open-iscsi, - tgt, -Restrictions: needs-root, allow-stderr, isolation-machine + xz-utils, + zstd, + uidmap, + jq, 
+Restrictions: needs-root, allow-stderr, isolation-machine, needs-internet, breaks-testbed Tests: boot-smoke Depends: systemd-sysv, diff --git a/debian/tests/upstream b/debian/tests/upstream index 850add1..6b7899a 100755 --- a/debian/tests/upstream +++ b/debian/tests/upstream 
@@ -1,31 +1,119 @@ #!/bin/sh -# run upstream system integration tests -# Author: Martin Pitt <martin.pitt@ubuntu.com> +# run upstream system integration tests via mkosi set -e +set -x + +cleanup () { + if [ -f "${workdir}/btrfs/build/meson-logs/testlog.txt" ]; then + cp "${workdir}/btrfs/build/meson-logs/testlog.txt" "$AUTOPKGTEST_ARTIFACTS" + fi + if [ -d "${workdir}/btrfs/build/test/journal" ]; then + cp -r "${workdir}/btrfs/build/test/journal" "$AUTOPKGTEST_ARTIFACTS" + fi + if [ -n "$workdir" ]; then + umount "$workdir/btrfs" || true + losetup --detach "$loop" || true + rm -rf "$workdir" + fi +} + +# apparmor is not compatible with swtpm +aa-teardown >/dev/null 2>&1 || true +# we need user namespaces for some tests running in nspawn +sysctl -we kernel.apparmor_restrict_unprivileged_unconfined=0 +sysctl -we kernel.apparmor_restrict_unprivileged_userns=0 + +mkdir -p /run/systemd/resolved.conf.d/ +tee /run/systemd/resolved.conf.d/dns.conf <<EOF +[Resolve] +DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com +EOF +systemctl try-reload-or-restart systemd-resolved.service + +workdir="$(mktemp --directory --tmpdir=/var/tmp integration-tests.XXXXXXXXXX)" +trap cleanup EXIT + +# We need to make nearly identical copies of large images, so set up a BTRFS volume that +# can use copy-on-write and compression, as the available disk space is very limited +truncate --size=100G "$workdir/btrfs.raw" +mkfs.btrfs "$workdir/btrfs.raw" +mkdir -p "$workdir/btrfs" +loop="$(losetup --find --show --direct-io=on "$workdir/btrfs.raw")" +mount "$loop" "$workdir/btrfs" --options compress=zstd:1,user_subvol_rm_allowed,noatime,discard=async,space_cache=v2 + +# mkosi will drop privileges and fail if it detects that is ran under sudo, +# so unset these variables to hide it +unset SUDO_USER SUDO_UID SUDO_GID + +mkosi_tree="${AUTOPKGTEST_TMP}/mkosi" +git clone https://github.com/systemd/mkosi.git "$mkosi_tree" 
+# If we have it, pin the mkosi version to the same one used by Github Actions, to ensure consistency +if [ -f .github/workflows/mkosi.yml ]; then + mkosi_hash="$(grep systemd/mkosi@ .github/workflows/mkosi.yml | sed "s|.*systemd/mkosi@||g")" + git -C "$mkosi_tree" checkout "$mkosi_hash" +fi + +tee mkosi.local.conf <<EOF +[Output] +Format=disk +WorkspaceDirectory=$workdir +PackageCacheDirectory=$workdir/cache + +[Distribution] +PackageManagerTrees=/etc/apt/preferences.d/:/etc/apt/preferences.d/ + +[Content] +Environment=NO_BUILD=1 NO_SYNC=1 ARTIFACT_DIRECTORY="$AUTOPKGTEST_ARTIFACTS" TEST_SAVE_JOURNAL=fail TEST_SHOW_JOURNAL=warning + +[Host] +RuntimeBuildSources=no +Incremental=no +EOF + +# reprepro is unhappy about non-existing directories +package_directories="" +if [ -d "${AUTOPKGTEST_TMP}/../binaries" ]; then + package_directories="${AUTOPKGTEST_TMP}/../binaries,$package_directories" +fi +if [ -d /var/cache/apt/archives/ ]; then + package_directories="/var/cache/apt/archives/,$package_directories" +fi +if [ -n "$package_directories" ]; then + tee -a mkosi.local.conf <<EOF +[Content] +PackageDirectories=$package_directories +EOF +fi + +# Everything is already built and installed, but these dependencies will cause rebuilds which we want to +# avoid, so patch them out +sed -i "/depends : mkosi_depends/d" meson.build + +# qemu/vsock does not appear to work on ppc64el/s390x, so skip those tests +dpkgarch=$(dpkg --print-architecture) +if [ "$dpkgarch" = ppc64el ] || [ "$dpkgarch" = s390x ]; then + export TEST_NO_QEMU=1 +fi + +# If we don't have KVM, the explicitly disable it, as mkosi will fail. But try to load the module first. +modprobe kvm || true +if [ ! -e /dev/kvm ]; then + export TEST_NO_KVM=1 +fi -DPKGARCH=$(dpkg --print-architecture) - -# Because this test is used both by upstream and by Debian, we use different deny-list filenames. 
-# For more details see https://salsa.debian.org/systemd-team/systemd/merge_requests/52 -case "${DEB_BUILD_PROFILES:-}" in - *pkg.systemd.upstream*) - denylist="deny-list-ubuntu-ci" - if [ "$DPKGARCH" = ppc64el ]; then - export TEST_NO_QEMU=1 - fi - ;; - *) - denylist="deny-list-upstream-ci" - ;; -esac - -export DENY_LIST_MARKERS="$denylist-$DPKGARCH $denylist" export ARTIFACT_DIRECTORY="$AUTOPKGTEST_ARTIFACTS" +export PATH="${mkosi_tree}/bin:$PATH" export TEST_SAVE_JOURNAL=fail export TEST_SHOW_JOURNAL=warning -export TEST_REQUIRE_INSTALL_TESTS=0 -export TEST_PREFER_NSPAWN=1 -export NO_BUILD=1 export QEMU_TIMEOUT=2400 export NSPAWN_TIMEOUT=2400 -test/run-integration-tests.sh +export SYSTEMD_INTEGRATION_TESTS=1 +export NO_BUILD=1 +export NO_SYNC=1 + +mkosi summary +meson setup "${workdir}/btrfs/build" -Dintegration-tests=true -Dtests=true +mkosi --debug genkey +cp mkosi.key mkosi.crt "${workdir}/btrfs/build" +meson compile -C "${workdir}/btrfs/build" mkosi +meson test -C "${workdir}/btrfs/build" -v --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit |
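Review bot: The mkosi clone is pinned only inside the `if [ -f .github/workflows/mkosi.yml ]` branch; when that file is absent the test silently runs whatever the remote default branch holds at that moment, in a test that declares `needs-root` and `needs-internet`. An explicit `else` that fails, or at least prints a warning, would make an unpinned run visible, and `git -C "$mkosi_tree" rev-parse HEAD` after the checkout would record the commit actually used. The hash extraction also takes every line matching `systemd/mkosi@`, so a second reference in the workflow file yields a multi-line value. `grep -m1` would take the first match only, and `[ -n "$mkosi_hash" ]` before the checkout would give a clear error when nothing matched.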