Update the compiler and linker flags for RHEL 9 by keeping '-trimpath'.
Switch to using the GO_BUILDTAGS and GO_LDFLAGS environment variables,
because their unprefixed counterparts have been deprecated [1].
The 'rpminspect --tests=elf' test run by the downstream CI was silenced
because toolbox(1) is only built with the '-z relro' linker flag, but
not '-z now' [2]. Otherwise, it fails with:
/usr/bin/toolbox lost full GNU_RELRO security protection
Stop carrying the downstream patch for the compiler and linker flags for
PPC64. The architecture was already discontinued from Fedora 29 [3],
even before the patch was added [4]. It was added purely for the sake
of completeness, and in the last four years since it was introduced, it
hasn't been tested or used. At this point it's becoming too much of a
maintenance burden, and removing it silences the %ifarch-applied-patch
warning from rpmlint.
Fill in some of the missing Requires for the toolbox-tests sub-package.
[1] go-rpm-macros commit bc7e5cc55c4709e8
https://pagure.io/go-rpm-macros/c/bc7e5cc55c4709e8
[2] Upstream commit 83f28c52e47c2d44
https://github.com/containers/toolbox/commit/83f28c52e47c2d44
https://github.com/containers/toolbox/pull/1548
[3] https://fedoraproject.org/wiki/Changes/DiscontinuePPC64
[4] Fedora toolbox commit ba60453d21
https://src.fedoraproject.org/rpms/toolbox/c/ba60453d216a9226
https://src.fedoraproject.org/rpms/toolbox/pull-request/2
Resolves: RHEL-61578
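The full versus partial RELRO distinction behind the rpminspect message in the commit above, as an added example that is not part of the commit, of toolbox or of rpminspect: a shell function that classifies the text printed by `readelf -W -l -d FILE`. The function name and the sample readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the RELRO level of an ELF file from the text that
# `readelf -W -l -d FILE` prints, read on stdin.
#   none    - no PT_GNU_RELRO segment
#   partial - PT_GNU_RELRO only (linked with '-z relro')
#   full    - PT_GNU_RELRO plus immediate binding ('-z relro -z now')
relro_level() {
    awk '
        $1 == "GNU_RELRO"                    { relro = 1 }  # program header
        $2 == "(BIND_NOW)"                   { now = 1 }    # DT_BIND_NOW entry
        $2 == "(FLAGS)"   && /BIND_NOW/      { now = 1 }    # DF_BIND_NOW flag
        $2 == "(FLAGS_1)" && /[ :]NOW( |$)/  { now = 1 }    # DF_1_NOW flag
        END {
            if (relro && now) print "full"
            else if (relro)   print "partial"
            else              print "none"
        }'
}

# Constructed readelf excerpts (not taken from a real toolbox build).
SAMPLE_HDRS='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x001000 0x001000 R E 0x1000
  GNU_RELRO      0x002e00 0x0000000000403e00 0x0000000000403e00 0x000200 0x000200 R   0x1
Dynamic section at offset 0x2e10 contains 24 entries:
  Tag        Type                         Name/Value'

# Linked with '-z relro' only: the case the commit message describes.
SAMPLE_PARTIAL="$SAMPLE_HDRS
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]"

# Linked with '-z relro -z now'.
SAMPLE_FULL="$SAMPLE_PARTIAL
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW"

for name in PARTIAL FULL; do
    eval "sample=\$SAMPLE_$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$sample" | relro_level)"
done

# On a real system: readelf -W -l -d /usr/bin/toolbox | relro_level
```
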
It makes no difference on RHEL, because RHEL always comes with
subscription-manager installed by default, and currently there's no
relation between Toolbx and subscription-manager that's worth
advertising [1].
There's no need to do a build just for this.
[1] Fedora toolbox commit f79961c521
https://src.fedoraproject.org/rpms/toolbox/c/f79961c521fdc38a
Resolves: RHEL-61578
Toolbx's system tests download several images when setting up the test
suite, and cache them for later use by the tests [1]. This saves time
and avoids hitting rate limits imposed by OCI registries by not
downloading the same images repeatedly for several tests, but at the
cost of increased use of storage space to cache the images.
The images are cached under BATS_TMPDIR. It defaults to the TMPDIR
environment variable, and if that's not set then to /tmp [2]. Normally,
TMPDIR isn't set, and the images end up getting cached under /tmp. Now,
/tmp is typically on tmpfs backed by RAM or swap, which means that it
should be used for smaller size-bounded files only, and /var/tmp should
be used for everything else [3].
The images are big enough that a collection of them can't be described
as smaller and size-bounded, and it led to:
1..306
# test suite: Set up
# test suite: Tear down
not ok 1 setup_suite
# (from function `setup_suite' in test file ./setup_suite.bash, line
55)
# `_pull_and_cache_distro_image fedora "$((system_version-1))" ||
false' failed
# Failed to cache image registry.fedoraproject.org/fedora-toolbox:40
to /tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40
# time="2024-02-19T11:41:43Z" level=fatal msg="copying system image
from manifest list: writing blob: write
/tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40/dir-put-blob607392514:
no space left on device"
# bats warning: Executed 1 instead of expected 306 tests
So, change the default location of the BATS_TMPDIR environment variable
to /var/tmp by setting TMPDIR.
[1] Toolbx commit 50683c9d9a78adc9
https://github.com/containers/toolbox/commit/50683c9d9a78adc9
https://github.com/containers/toolbox/pull/375
[2] https://bats-core.readthedocs.io/en/stable/writing-tests.html
[3] https://systemd.io/TEMPORARY_DIRECTORIES/
Resolves: RHEL-61578
It clarifies that %golang_arches_future are meant for RHEL 10, and drops
the custom /etc/containers/toolbox.conf from RHEL 10.
There's no need to do a build just for this.
Resolves: RHEL-19772
There's no need to pass the --buildtype=plain option to the %meson RPM
macro, because it's one of the default options used by the macro.
There's no need to do a build just for this.
Fallout from ca4846e684
Resolves: #2165742
This commit resolves both bugs 2116786 and 2126772. However, since the
latter doesn't have all approvals yet, it's not listed below. Else,
the check-gitbz test will fail and block this from getting merged.
Resolves: #2116786
Toolbx doesn't seem to directly use any cryptography, but go.sum does
list golang.org/x/crypto, which indicates that it's present somewhere
in the dependency chain.
Looking inside the vendored sources, there doesn't seem to be any
actual use of golang.org/x/crypto but it's still listed in the go.sum
files of some of the packages.
Interestingly, github.com/godbus/dbus does use crypto/rand and
crypto/sha1, and the former is a cryptographically secure random number
generator [1], but note that these aren't part of golang.org/x/crypto.
Anyway, it's better and easier to just rebuild the package than trying
to decipher if Toolbx is affected by the FIPS-mode memory leak in the
Go toolchain that affects cryptographic code.
[1] https://pkg.go.dev/crypto/rand
Resolves: #2060769
The test suite should use the latest build of the image for any given
RHEL minor release. Otherwise, it won't detect any breakage caused by
changes to the image.
Resolves: #2000807
The RPM installs /etc/containers/toolbox.conf with its permissions set
to 0644, and there's no reason for the test suite to deviate from that.
Resolves: #2000807