dpkg-source strictly enforces that 3.0 (native) packages do not have
Debian revisions in their version strings, i.e. they cannot include
hyphens.
Replace the hyphen from the image binary version with a '+'.
Override this version back to what we want when building the signed
binary packages.
debhelper no longer fully trusts the package list specified with -p,
but only processes packages that are listed in debian/control and
enabled in the current build profile. This breaks the test build of
udebs that we build for real after code signing.
Work around this by adding the udebs to the control file, conditional
on a new build profile (pkg.linux.udeb-unsigned-test-build). Override
the build profile during the test build.
I just made this change for firmware-nonfree, for which I wrote:
We open some, but not all, files with an explicit UTF-8 encoding. One
of the open calls that I missed has just caused gencontrol.py to fail
instead a pbuilder environment. Instead of continuing to set an
explicit encoding for each open call, use locale.setlocale to set it
globally.
I haven't hit such a problem here, but let's do it anyway.
Keep using explicit encodings in debian/lib for now, since we can't
assume all calling programs will set the locale.
Currently '*' and '**' match at least one character. Change them to
match zero or more characters, as in shell patterns.
'*' matches anything but '!', but that has no special meaning in
symbol names or module filenames. Change it to match anything but
'/', as in shell patterns.
dak currently allows a binary upload to include debug symbol packages
that don't appear in the overrides file or the Binary field of the
changes file, so long as they have the appropriate
'Auto-Built-Package' field and their name matches another binary
package in the upload plus the '-dbgsym' suffix.
For architectures with code signing enabled, our binary uploads never
match this condition as the corresponding binary package has the
'-unsigned' suffix and the debug symbols package does not. Since we
do list the debug symbol packages in the Binary field, they do get
added to the overrides file when accepted through the NEW queue, but
they are automatically pruned from there some time later. Later
uploads then have to go through NEW even though they are not
introducing new binary packages. This would be a big problem for
stable security updates.
For now, move debug symbols back to the main archive with the old
'-dbg' suffix. Keep them enabled for all architectures.
This reverts commit 99d37f9b16, which
caused most binary uploads to be rejected. dak's allows upload of
debug symbol packages not listed in the Binary field only if there is
a corresponding binary package without the -dbgsym suffix, which is
not the case on architectures where we use a -unsigned suffix.
Any packages listed in debian/control that are not installed in the
main archive will always be seen as NEW. This might be fixable by
archive configuration changes, but for now we'll generate them in a
similar way to debhelper.
- incoming.debian.org now uses pool layout
- deb.debian.org is a better default than ftp.de.debian.org
- ftp.debian-ports.org redirects to ftp.ports.debian.org, so use the
latter directly
I changed the wrapper to call gpgv instead of gpg. It is much easier
and cleaner to use local configuration this way, and it won't produce
a warning that the key isn't trusted.
I also removed used of an environment variable, as we (currently) only
pass one keyring filename here.
Include headers for all architectures that we build a kernel for.
This allows co-installation of per-flavour header packages for
multiple Debian architectures, and fixes the problem of arm64 headers
depending on arm headers that we did not include.
By default dpkg-architecture lets the current environment override the
architecture specified by the -a option. We mustn't let that happen
here as we are considering all architectures. Use the -f option to
force use of our specified architecture.
The current cross-compiler packages don't set the Multi-Arch field, so
specify that the cross-compiler package must be native, rather than any
architecture.
flex doesn't support multi-arch, and this would require splitting it
(#611230, #761449). Force use of the native package for now.
openssl doesn't support multi-arch but probably easily could (#827028).
Force use of the native package for now.
We need the native libssl-dev while building the kernel itself and the
host libssl-dev while building tools for linux-kbuild.
Document the state of cross-building in README.source.
These packages will be taken over by src:linux-signed. Still do
everything but building the packages so we find configuration
errors before building linux-signed.
This fixes some of the problems dch was causing:
- Putting the stable log in the wrong place
- Updating the date unnecessarily
Change stable-update.sh to be a wrapper for stable-update.
Delete ckt-stable-update.sh; if we need it again in future, it can be
implemented more cleanly as part of the new script.
- Enable it by default
- Disable it for armel/marvell since signature verification is not enabled.
- Disable it for mips and mipsel so linux-signed can be uploaded without
waiting for them to build
- Disable it for all architectures not in the main archive, as linux-signed
won't support them (at least, not initially).
We don't need a variable to control signing of the image, because
we should do that for all flavours that have CONFIG_EFI_STUB=y.
* Drop redundant gitignore.patch from linux-tools
* Rename linux-tools' debian/templates/control.main.in to
debian/templates/control.tools.in
* Combine changelogs, putting all entries for each upstream release
cycle in chronological order
* Combine rules and gencontrol.py code
The linux-grsec source package needs a way to explicitly disable these
binary packages which are already built by the linux source package.
We already do that when there are no actual kernels for the target
architecture. Rename the FOREIGN_KERNEL make variable and combine the
two conditions.
Based on work by Yves-Alexis Perez.
A parallel 'debian/rules build' will now invoke 'debian/rules.real
build' twice in parallel, which is disastrous.
- Add and use proper build-arch and build-indep targets in
debian/rules.gen and debian/rules.real
- Assign a separate temporary directory to each target in
debian/rules.real. Add the directories to .gitignore and
the clean rule.
- Pull installation of the lockdep wrapper (which is indep)
up into debian/rules.real so that we don't end up building
liblockdep twice in parallel.
Ben Hutchings
Bastian Blank
Roger Shimizu
Yves-Alexis Perez