Decouple dependency bundling from bootstrapping

We probably should stop (ab)using the bootstrap macro for module builds
with bundled dependencies. This patch decouples one from the other;
use --with=bundled for just bundling
and --with=bootstrap for full bootstrapping.

Related: rhbz#2056969
This commit is contained in:
Jan Staněk 2022-04-04 14:40:57 +02:00
parent 9e882e7dcf
commit 9014bf6071
No known key found for this signature in database
GPG Key ID: 2972F2037B243B6D

View File

@ -1,5 +1,17 @@
# bundle dependencies that are not available as Fedora modules
%bcond_without bootstrap
# The following macros control the usage of dependencies bundled from upstream.
#
# When to use what:
# - Regular (presumably non-modular) build: use neither (the default in Fedora)
# - Early bootstrapping build that is not intended to be shipped:
# use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix
# - Build with some dependencies not avalaible in necessary versions (i.e. module build):
# use --with=bundled; will bundle deps, but do not add the suffix
#
# create bootstrapping build with bundled deps and extra release suffix
%bcond_with bootstrap
# bundle dependencies that are not available in CentOS
# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap
%bcond_without bundled
%if 0%{?rhel} && 0%{?rhel} < 9
%bcond_without python3_fixup
@ -18,7 +30,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 4
%global baserelease 5
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -177,16 +189,15 @@ BuildRequires: chrpath
BuildRequires: libatomic
BuildRequires: systemtap-sdt-devel
%if %{with bootstrap}
Provides: bundled(libuv) = %{libuv_version}
%if %{with bundled}
Provides: bundled(libuv) = %{libuv_version}
%else
BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv-devel >= 1:%{libuv_version}
%endif
%if %{with bootstrap} || !(0%{?fedora} || 0%{?rhel} >= 9)
%define nghttp2_configure %{nil}
Provides: bundled(nghttp2) = %{nghttp2_version}
%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9)
Provides: bundled(nghttp2) = %{nghttp2_version}
%else
BuildRequires: libnghttp2-devel >= %{nghttp2_version}
Requires: libnghttp2-devel >= %{nghttp2_version}
@ -284,7 +295,7 @@ Requires: zlib-devel%{?_isa}
Requires: brotli-devel%{?_isa}
Requires: nodejs-packaging
%if %{without bootstrap}
%if %{without bundled}
Requires: libuv-devel%{?_isa}
%endif
@ -427,8 +438,8 @@ export LDFLAGS="%{build_ldflags}"
--shared-openssl \
--shared-zlib \
--shared-brotli \
%{!?with_bootstrap:--shared-libuv} \
%{!?with_bootstrap:--shared-nghttp2} \
%{!?with_bundled:--shared-libuv} \
%{!?with_bundled:--shared-nghttp2} \
--with-dtrace \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
@ -684,6 +695,9 @@ end
%changelog
* Thu Apr 21 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-5
- Decouple dependency bundling from bootstrapping
* Tue Apr 05 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-4
- Apply lock file validation fixes
Resolves: CVE-2021-43616