#!/bin/sh
set -eux
# Produce a set of Cockpit release tarballs.
#
# This is the script used to create the official releases.
#
# It takes two mandatory arguments:
#
# - the URL to clone the repository from,
#   e.g. 'https://github.com/cockpit-project/cockpit'.
#
# - the version to release, which is also the tag name, e.g. '215'.
#
# The main release tarball contains a number of files that are not directly in
# version control:
# - the usual automake stuff
# - several submodules
# - pre-compiled HTML and JS code
#
# This script shallow-clones the specified version of Cockpit from the
# specified URL, and downloads the version of the tasks container specified in
# that version. It then does an offline build of the release tarball, which is
# deterministic.
#
# You can use this script to verify the integrity of a particular set of Cockpit
# release tarballs, or even use it to create the tarballs for yourself, as an
# alternative to downloading it.
#
# The result of running `./autogen.sh && make dist VERSION=...` on any system
# ought to be the same, so long as the same versions of the autotools are
# present. Everything else present in the tarball is definitively pinned down
# in one way or another by the contents of the git repository. This script is
# a bit overkill, but it's written in hopes that someone reading it can
# reasonably convince themselves about the origin of absolutely everything in a
# Cockpit source release.
#
# If this script produces tarballs with different checksums than the
# officially-released ones, then please report a bug.

URL="$1"
VERSION="$2"

# We collect the sources into a temporary directory, then use tar to pipe them
# into a container with no network or filesystem access, where the actual build
# takes place. The container pipes the built source release back to us.
SOURCE="$(mktemp -dt 'cockpit-build-XXXXXX')"
trap 'rm -rf "${SOURCE}"' EXIT

# Clone the release and selected submodules into the temporary directory.
git clone \
    --depth=1 \
    --recurse-submodules=node_modules \
    --recurse-submodules=vendor \
    -b "${VERSION}" \
    "${URL}" \
    "${SOURCE}"

# Show exactly what we're building.
git -C "${SOURCE}" show --no-patch "${VERSION}"

# Download the tasks container image used for this release.
IMAGE="$(cat "${SOURCE}"/.cockpit-ci/container)"
podman pull "${IMAGE}"

# Build the checked out sources into the release tarballs, offline.
# `make dist` builds both the main and node runtime tarballs.
# Wrap both in a tar for output and unwrap on the outside.
tar -C "${SOURCE}" -c . | \
    podman \
        run \
        --rm \
        --pull=never \
        --network=none \
        --log-driver=none \
        --interactive \
        --env=VERSION="${VERSION}" \
        "${IMAGE}" \
        sh -euxc '
            (
                mkdir work
                cd work
                rpm -q autoconf automake
                automake --version
                autoconf --version
                tar x
                ./autogen.sh
                make dist VERSION="${VERSION}"
            ) >&2
            tar -C work -c cockpit-"${VERSION}".tar.xz cockpit-node-"${VERSION}".tar.xz
        ' \
    | tar -xv

# Show the result.
sha256sum cockpit-"${VERSION}".tar.xz cockpit-node-"${VERSION}".tar.xz
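An added example, not part of the Cockpit script: one way to compare the two rebuilt tarballs against a published checksum list, failing when a tarball is absent from the list rather than silently skipping it. The `verify_release` function, the `published.sha256` file name and its `sha256sum`-style layout are assumptions; the demo files are constructed stand-ins for real tarballs.

```shell
#!/bin/sh
# verify_release DIR VERSION SUMS (hypothetical helper)
#   DIR     directory holding the tarballs produced by the release script
#   VERSION release version, e.g. 215
#   SUMS    checksum list in `sha256sum` output format (assumed layout)
# Returns 0 only if BOTH tarballs exist locally, are listed, and match.
verify_release() {
    dir="$1"; version="$2"; sums="$3"
    rc=0
    for name in "cockpit-${version}.tar.xz" "cockpit-node-${version}.tar.xz"; do
        if [ ! -f "${dir}/${name}" ]; then
            echo "MISSING-LOCAL ${name}" >&2; rc=1; continue
        fi
        # Exact match on the file name field; a leading '*' marks binary mode.
        expected="$(awk -v n="${name}" \
            '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "${sums}")"
        if [ -z "${expected}" ]; then
            # `sha256sum -c --ignore-missing` would pass here; we do not.
            echo "NOT-LISTED ${name}" >&2; rc=1; continue
        fi
        actual="$(sha256sum "${dir}/${name}" | cut -d' ' -f1)"
        if [ "${actual}" = "${expected}" ]; then
            echo "OK ${name}"
        else
            echo "MISMATCH ${name}: built ${actual}, published ${expected}" >&2
            rc=1
        fi
    done
    return "${rc}"
}

# Constructed demo: two small files play the role of the rebuilt tarballs,
# and the "published" list is generated from them so the check passes.
demo="$(mktemp -d)"
printf 'main' > "${demo}/cockpit-215.tar.xz"
printf 'node' > "${demo}/cockpit-node-215.tar.xz"
( cd "${demo}" && sha256sum cockpit-215.tar.xz cockpit-node-215.tar.xz > published.sha256 )
verify_release "${demo}" 215 "${demo}/published.sha256"
```

The checksum list itself should come from a channel independent of the one the tarballs were downloaded from, otherwise a match proves little.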