grafana/README.md
Andreas Gerstmayr 1a807bbfa9 update to upstream Grafana 7.5.15, resolve CVE-2021-23648 and CVE-2022-21698
Resolves: rhbz#2055349
Resolves: rhbz#2046614
Resolves: rhbz#2053463
Resolves: rhbz#2055453
Resolves: rhbz#2055454
Resolves: rhbz#2066488
Resolves: rhbz#2068163
2022-04-22 14:29:58 +02:00

44 lines
2.1 KiB
Markdown

# grafana
The grafana package
## Upgrade instructions
* update `Version`, `Release`, `%changelog` and tarball NVRs in the specfile
* create bundles and manifest: `make clean all`
* update specfile with contents of the `.manifest` file
* check if the default configuration has changed: `diff grafana-X.Y.Z/conf/defaults.ini distro-defaults.ini` and update `distro-defaults.ini` if necessary
* update the manpages patch in `002-manpages.patch` and other patches if required
* run local build: `rpkg local`
* run rpm linter: `rpkg lint -r grafana.rpmlintrc`
* run a scratch build: `fedpkg scratch-build --srpm`
* upload new source tarballs: `fedpkg new-sources *.tar.gz *.tar.xz`
* commit new `sources` file
## Patches
* create the patch
* declare and apply (`%prep`) the patch in the specfile
* if the patch affects Go or Node.js dependencies, or the webpack
* add the patch to `PATCHES_PRE_VENDOR` or `PATCHES_PRE_WEBPACK` in the Makefile
* create new tarballs
* update the specfile with new tarball name and contents of the `.manifest` file
### General guidelines
* aim to apply all patches in the specfile
* avoid rebuilding the tarballs
Patches fall in several categories:
* modify dependency versions
* modify both sources and vendored dependencies (e.g. CVEs)
* modify the Node.js source (i.e. affect the webpack)
* some patches are conditional (e.g. FIPS)
Patches cannot be applied twice.
It is not possible to unconditionally apply all patches in the Makefile, and great care must be taken to include the required patches at the correct stage of the build.
## Reproducible Bundles
Run `./create_bundles_in_container.sh` to generate a reproducible vendor and webpack bundle.
Alternatively, install the same software as in the container, create a bind mount from `/tmp/grafana-build` to the directory of this repository, and run `make`.
The bind mount is required because Webpack stores absolute paths in the JS source maps, and also resolves symlinks (i.e. symlinking `/tmp/grafana-build` doesn't work).
## Verification
* compare the list of files with the upstream RPM at https://grafana.com/grafana/download