diff --git a/009-patch-unused-backend-crypto.vendor.patch b/009-patch-unused-backend-crypto.patch
similarity index 100%
rename from 009-patch-unused-backend-crypto.vendor.patch
rename to 009-patch-unused-backend-crypto.patch
diff --git a/010-fips.cond.patch b/010-fips.patch
similarity index 100%
rename from 010-fips.cond.patch
rename to 010-fips.patch
diff --git a/Makefile b/Makefile
index a5c44c6..dab531d 100644
--- a/Makefile
+++ b/Makefile
@@ -8,10 +8,17 @@ SOURCE_TAR := $(NAME)-$(VERSION).tar.gz
 VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz
 WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
 
-ALL_PATCHES := $(sort $(wildcard *.patch))
-VENDOR_PATCHES := $(sort $(wildcard *.vendor.patch))
-COND_PATCHES := $(sort $(wildcard *.cond.patch))
-REGULAR_PATCHES := $(filter-out $(VENDOR_PATCHES) $(COND_PATCHES),$(ALL_PATCHES))
+# patches which must be applied before creating the vendor tarball, for example:
+# - changes in dependency versions
+# - changes in Go module imports (which affect the vendored Go modules)
+PATCHES_PRE_VENDOR := \
+ 005-remove-unused-dependencies.patch \
+ 008-remove-unused-frontend-crypto.patch
+
+# patches which must be applied before creating the webpack, for example:
+# - changes in Node.js sources or vendored dependencies
+PATCHES_PRE_WEBPACK :=
+
 
 all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
 
@@ -19,11 +26,12 @@ $(SOURCE_TAR):
 spectool -g $(RPM_NAME).spec
 
 $(VENDOR_TAR): $(SOURCE_TAR)
+ # start with a clean state
 rm -rf $(SOURCE_DIR)
 tar xf $(SOURCE_TAR)
 
 # Patches to apply before vendoring
- for patch in $(REGULAR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
+ for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
 
 # Go
 cd $(SOURCE_DIR) && go mod vendor -v
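Review bot: `PATCHES_PRE_VENDOR` and `PATCHES_PRE_WEBPACK` are now hand-maintained lists, so a misspelled or renamed entry (two patch files are renamed in this very commit) is only noticed when the shell fails to open the file inside the recipe loop. A parse-time guard fails fast instead: `$(foreach p,$(PATCHES_PRE_VENDOR) $(PATCHES_PRE_WEBPACK),$(if $(wildcard $(p)),,$(error patch not found: $(p))))`. The header comments could also state that a patch listed here must still be declared and applied in `grafana.spec`, since nothing in the Makefile cross-checks the list against the `PatchN:` declarations now that wildcard discovery is gone.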
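Review bot: The added `for patch in $(PATCHES_PRE_VENDOR)` line reports only the exit status of its last iteration, so a rejected hunk or missing file while applying any patch but the last is ignored and the build continues with a partially patched tree that is then vendored and packaged; the loop should stop on the first failure, e.g. `for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch || exit 1; done`. This holds unless the prologue (outside this hunk) sets `.SHELLFLAGS` with `-e`, which is not visible here. The same pattern is repeated in the loop added to the `$(WEBPACK_TAR)` recipe in the next hunk. The `$(VENDOR_TAR)` recipe continues past the end of this hunk.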
@@ -46,15 +54,20 @@ $(VENDOR_TAR): $(SOURCE_TAR)
 rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples
 ./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest
 
- # Patches to apply after vendoring
- for patch in $(VENDOR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
-
 # Create tarball
 XZ_OPT=-9 time -p tar cJf $@ \
 $(SOURCE_DIR)/vendor \
 $$(find $(SOURCE_DIR) -type d -name "node_modules" -prune)
 
 $(WEBPACK_TAR): $(VENDOR_TAR)
+ # start with a clean state
+ rm -rf $(SOURCE_DIR)
+ tar xf $(SOURCE_TAR)
+ tar xf $(VENDOR_TAR)
+
+ # Patches to apply before creating the webpack
+ for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
+
 cd $(SOURCE_DIR) && \
 ../build_frontend.sh
 
diff --git a/README.md b/README.md
index 7d9b4ee..5ce9598 100644
--- a/README.md
+++ b/README.md
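Review bot: The `$(WEBPACK_TAR)` recipe now rebuilds `$(SOURCE_DIR)` from the pristine source tarball plus the vendor tarball, so none of `$(PATCHES_PRE_VENDOR)` is applied to the tree that `../build_frontend.sh` compiles, whereas before this change the already-patched tree left behind by the vendor step was reused. If any pre-vendor patch touches files the frontend build consumes (the name `008-remove-unused-frontend-crypto.patch` suggests it might), the bundle would be built from unpatched sources; either list such patches in `PATCHES_PRE_WEBPACK` as well, or apply both lists here. If skipping them is deliberate, say so next to the loop, e.g. `# pre-vendor patches are intentionally not re-applied: the webpack only needs sources + node_modules`. The `$(WEBPACK_TAR)` recipe may continue past the trailing blank line of this hunk.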
@@ -14,19 +14,26 @@ The grafana package
 * upload new source tarballs: `fedpkg new-sources *.tar.gz *.tar.xz`
 * commit new `sources` file
 
-## Backporting
+## Patches
 * create the patch
 * declare and apply (`%prep`) the patch in the specfile
 * if the patch affects Go or Node.js dependencies, or the webpack
+ * add the patch to `PATCHES_PRE_VENDOR` or `PATCHES_PRE_WEBPACK` in the Makefile
 * create new tarballs
- * update the specfile with new tarball path and contents of the `.manifest` file
+ * update the specfile with new tarball name and contents of the `.manifest` file
 
-Note: the Makefile automatically applies patches before creating the tarballs
+### General guidelines
+* aim to apply all patches in the specfile
+* avoid rebuilding the tarballs
 
-## Patches
-* `*.patch`: regular patches applied to the source, applied in the Makefile before vendoring and in the specfile (e.g. updating dependencies)
-* `*.vendor.patch`: patches applied to the vendor tarball (e.g. patching vendored sources before generating a webpack)
-* `*.cond.patch`: conditionally applied patches in the specfile
+Patches fall in several categories:
+ * modify dependency versions
+ * modify both sources and vendored dependencies (e.g. CVEs)
+ * modify the Node.js source (i.e. affect the webpack)
+ * some patches are conditional (e.g. FIPS)
+
+Patches cannot be applied twice.
+It is not possible to unconditionally apply all patches in the Makefile, and great care must be taken to include the required patches at the correct stage of the build.
 
 ## Verification
 * compare the list of files with the upstream RPM at https://grafana.com/grafana/download
diff --git a/grafana.spec b/grafana.spec
index d62b276..35f359b 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -85,11 +85,11 @@ Patch8: 008-remove-unused-frontend-crypto.patch
 # The Makefile removes a few files with crypto implementations
 # from the vendor tarball, which are not used in Grafana.
 # This patch removes all references to the deleted files.
-Patch9: 009-patch-unused-backend-crypto.vendor.patch
+Patch9: 009-patch-unused-backend-crypto.patch
 
 # This patch modifies the x/crypto/pbkdf2 function to use OpenSSL
 # if FIPS mode is enabled.
-Patch10: 010-fips.cond.patch
+Patch10: 010-fips.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
@@ -488,6 +488,7 @@ rm -r plugins-bundled
 %patch5 -p1
 %patch6 -p1
 %patch8 -p1
+%patch9 -p1
 %if %{enable_fips_mode}
 %patch10 -p1
 %endif
diff --git a/recreate_tarballs.sh b/recreate_tarballs.sh
new file mode 100755
index 0000000..249441d
--- /dev/null
+++ b/recreate_tarballs.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -eu
+#
+# create vendor and webpack tarballs inside a container for reproducibility
+#
+
+cat <
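Review bot: `%patch9 -p1` moves the application of Patch9 from the Makefile (where it ran on the vendored tree after `go mod vendor`, and which this commit removes) into `%prep`, so it presumably now has to modify files under `vendor/` that only exist once the vendor tarball has been unpacked; the `%prep` ordering before line 488 is outside this hunk, so please confirm the vendor tarball is extracted before this line rather than after, or the patch will fail to apply. A comment on the line would make the dependency explicit, e.g. `# Patch9 touches vendored sources: the vendor tarball must be unpacked first`. Keeping it immediately before `%patch10` preserves the previous relative order of the two vendor-touching patches, which is worth noting for whoever reorders this block next.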