- [ ] ***(QA)*** Prepare and merge MRs resetting the release notes and updating the version string for each maintained branch.
- [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
- [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
+ - [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
- [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
- [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
--- /dev/null
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+set -o nounset
+
+print_usage_and_exit() {
+ echo
+ echo "Usage: GITLAB_USER=<your_gitlab_username> GITLAB_TOKEN=<your_gitlab_token> ${0} /path/to/bind-9.x.y.tar.xz" >&2
+ exit 1
+}
+
+BIND_TARBALL="${1:-}"
+if [ ! -f "${BIND_TARBALL}" ]; then
+ echo "ERROR: path to BIND 9 tarball either not provided or the file does not exist." >&2
+ print_usage_and_exit
+fi
+
+GITLAB_USER=${GITLAB_USER:-}
+GITLAB_TOKEN=${GITLAB_TOKEN:-}
+if [ -z "${GITLAB_USER}" ] || [ -z "${GITLAB_TOKEN}" ]; then
+ echo "ERROR: GITLAB_USER and GITLAB_TOKEN environmental variables are not set." >&2
+ print_usage_and_exit
+fi
+
+# Create the container to work in.
+CONTAINER_ID=$(docker create --interactive debian:bullseye)
+trap "docker container rm -f \${CONTAINER_ID} >/dev/null" EXIT
+docker start "${CONTAINER_ID}"
+
+run_in_container() {
+ docker exec --workdir /usr/src "${CONTAINER_ID}" /bin/sh -c "$@"
+}
+
+# Pull build requirements.
+run_in_container "apt-get update && \
+ apt-get -y install --no-install-recommends \
+ automake \
+ ca-certificates \
+ git \
+ libcap2-dev \
+ libjemalloc-dev \
+ liblmdb-dev \
+ libmaxminddb-dev \
+ libnghttp2-dev \
+ libssl-dev \
+ libtool \
+ libuv1-dev \
+ make \
+ pkg-config \
+ pkgdiff \
+ xz-utils \
+"
+
+# Retrieve the release-ready BIND 9 tarball.
+docker cp "${BIND_TARBALL}" "${CONTAINER_ID}:/usr/src"
+
+BIND_VERSION=$(basename "${BIND_TARBALL}" | sed -E "s|bind-(.*)\.tar\.xz|\1|")
+BIND_DIRECTORY="bind-${BIND_VERSION}"
+
+# Prepare a temporary "release" tarball from upstream BIND 9 project.
+run_in_container "git -c advice.detachedHead=false clone --branch $(echo "v${BIND_VERSION}" | tr ".-" "_") --depth 1 https://${GITLAB_USER}:${GITLAB_TOKEN}@gitlab.isc.org/isc-private/bind9.git && \
+ cd bind9 && \
+ if [ $(echo "${BIND_VERSION}" | cut -b 1-5) = 9.16. ]; then \
+ git archive --prefix=${BIND_DIRECTORY}/ --output=${BIND_DIRECTORY}.tar HEAD && \
+ mkdir ${BIND_DIRECTORY} && \
+ echo SRCID=\$(git rev-list --max-count=1 HEAD | cut -b1-7) > ${BIND_DIRECTORY}/srcid && \
+ tar --append --file=${BIND_DIRECTORY}.tar ${BIND_DIRECTORY}/srcid && \
+ xz ${BIND_DIRECTORY}.tar; \
+ else \
+ autoreconf -fi && \
+ ./configure --enable-umbrella && \
+ make -j && \
+ make dist; \
+ fi"
+
+# Compare release-ready and custom tarballs; they are expected to be the same.
+run_in_container "pkgdiff bind9/bind-${BIND_VERSION}.tar.xz bind-${BIND_VERSION}.tar.xz" || true
+
+# Copy the pkgdiff report out of the container for inspection.
+docker cp "${CONTAINER_ID}:/usr/src/pkgdiff_reports/bind/" "pkgdiff_bind_${BIND_VERSION}_report"
+echo "pkgdiff report ready for inspection in 'pkgdiff_bind_${BIND_VERSION}_report'."
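Review bot: The clone URL `https://${GITLAB_USER}:${GITLAB_TOKEN}@gitlab.isc.org/...` is expanded on the host and passed to `docker exec ... /bin/sh -c`, so the GitLab token lands in the argument list of the `docker exec` process and of `git` inside the container. Process arguments are typically readable by other local users through the process table, and git also records the URL, credentials included, in `bind9/.git/config`. Forwarding the two variables through the environment and letting a credential helper supply them keeps the token out of argv and out of the stored remote URL; the fence shows the two places that change. Forwarding a host value with a bare `--env NAME` should be confirmed against the Docker version signers use. Separately, `|| true` on the pkgdiff line makes the script exit 0 whether or not the tarballs match, so the result depends on a signer reading the report; capturing pkgdiff's status and printing it next to the final message would make a mismatch harder to overlook.

```sh
run_in_container() {
	docker exec --env GITLAB_USER --env GITLAB_TOKEN --workdir /usr/src "${CONTAINER_ID}" /bin/sh -c "$@"
}

# … unchanged: apt-get install, docker cp of the tarball, BIND_VERSION / BIND_DIRECTORY …

run_in_container "git -c advice.detachedHead=false \
	-c credential.helper='!f() { echo username=\${GITLAB_USER}; echo password=\${GITLAB_TOKEN}; }; f' \
	clone --branch $(echo "v${BIND_VERSION}" | tr ".-" "_") --depth 1 https://gitlab.isc.org/isc-private/bind9.git && \
# … unchanged: cd bind9 and the 9.16 / make dist branches …
```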