Add release tarball comparison script
authorMichal Nowak <mnowak@isc.org>
Mon, 23 Jan 2023 19:29:00 +0000 (20:29 +0100)
committerMichal Nowak <mnowak@isc.org>
Thu, 26 Jan 2023 12:59:42 +0000 (13:59 +0100)
The util/release-tarball-comparison.sh script compares a release-ready
BIND 9 tarball to a temporary BIND 9 tarball created from the same
signed Git tag to ensure that their content does not differ
(significantly).

.gitlab/issue_templates/Release.md
util/release-tarball-comparison.sh [new file with mode: 0755]

index d0d43a481a83350216bcae5eeba2dd62d22dfba7..21313a9c4f5dffe35f4f5fb448d9c75d9f381801 100644 (file)
@@ -57,6 +57,7 @@
  - [ ] ***(QA)*** Prepare and merge MRs resetting the release notes and updating the version string for each maintained branch.
  - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
  - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
+ - [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
  - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
  - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
  - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
diff --git a/util/release-tarball-comparison.sh b/util/release-tarball-comparison.sh
new file mode 100755 (executable)
index 0000000..4d18016
--- /dev/null
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+set -o nounset
+
+print_usage_and_exit() {
+       echo
+       echo "Usage: GITLAB_USER=<your_gitlab_username> GITLAB_TOKEN=<your_gitlab_token> ${0} /path/to/bind-9.x.y.tar.xz" >&2
+       exit 1
+}
+
+BIND_TARBALL="${1:-}"
+if [ ! -f "${BIND_TARBALL}" ]; then
+       echo "ERROR: path to BIND 9 tarball either not provided or the file does not exist." >&2
+       print_usage_and_exit
+fi
+
+GITLAB_USER=${GITLAB_USER:-}
+GITLAB_TOKEN=${GITLAB_TOKEN:-}
+if [ -z "${GITLAB_USER}" ] || [ -z "${GITLAB_TOKEN}" ]; then
+       echo "ERROR: GITLAB_USER and GITLAB_TOKEN environmental variables are not set." >&2
+       print_usage_and_exit
+fi
+
+# Create the container to work in.
+CONTAINER_ID=$(docker create --interactive debian:bullseye)
+trap "docker container rm -f \${CONTAINER_ID} >/dev/null" EXIT
+docker start "${CONTAINER_ID}"
+
+run_in_container() {
+       docker exec --workdir /usr/src "${CONTAINER_ID}" /bin/sh -c "$@"
+}
+
+# Pull build requirements.
+run_in_container "apt-get update &&                    \
+       apt-get -y install --no-install-recommends      \
+               automake                                \
+               ca-certificates                         \
+               git                                     \
+               libcap2-dev                             \
+               libjemalloc-dev                         \
+               liblmdb-dev                             \
+               libmaxminddb-dev                        \
+               libnghttp2-dev                          \
+               libssl-dev                              \
+               libtool                                 \
+               libuv1-dev                              \
+               make                                    \
+               pkg-config                              \
+               pkgdiff                                 \
+               xz-utils                                \
+"
+
+# Retrieve the release-ready BIND 9 tarball.
+docker cp "${BIND_TARBALL}" "${CONTAINER_ID}:/usr/src"
+
+BIND_VERSION=$(basename "${BIND_TARBALL}" | sed -E "s|bind-(.*)\.tar\.xz|\1|")
+BIND_DIRECTORY="bind-${BIND_VERSION}"
+
+# Prepare a temporary "release" tarball from upstream BIND 9 project.
+run_in_container "git -c advice.detachedHead=false clone --branch $(echo "v${BIND_VERSION}" | tr ".-" "_") --depth 1 https://${GITLAB_USER}:${GITLAB_TOKEN}@gitlab.isc.org/isc-private/bind9.git && \
+       cd bind9 && \
+       if [ $(echo "${BIND_VERSION}" | cut -b 1-5) = 9.16. ]; then \
+               git archive --prefix=${BIND_DIRECTORY}/ --output=${BIND_DIRECTORY}.tar HEAD && \
+               mkdir ${BIND_DIRECTORY} && \
+               echo SRCID=\$(git rev-list --max-count=1 HEAD | cut -b1-7) > ${BIND_DIRECTORY}/srcid && \
+               tar --append --file=${BIND_DIRECTORY}.tar ${BIND_DIRECTORY}/srcid && \
+               xz ${BIND_DIRECTORY}.tar; \
+       else \
+               autoreconf -fi && \
+               ./configure --enable-umbrella && \
+               make -j && \
+               make dist; \
+       fi"
+
+# Compare release-ready and custom tarballs; they are expected to be the same.
+run_in_container "pkgdiff bind9/bind-${BIND_VERSION}.tar.xz bind-${BIND_VERSION}.tar.xz" || true
+
+# Copy the pkgdiff report out of the container for inspection.
+docker cp "${CONTAINER_ID}:/usr/src/pkgdiff_reports/bind/" "pkgdiff_bind_${BIND_VERSION}_report"
+echo "pkgdiff report ready for inspection in 'pkgdiff_bind_${BIND_VERSION}_report'."
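Review bot: The clone command in the second `run_in_container` call embeds `${GITLAB_USER}:${GITLAB_TOKEN}` in the URL, so the token ends up in the argument list of `docker exec` on the host and of `sh -c` and `git` inside the container, in any `sh -x` trace, and in the remote `url` entry of `bind9/.git/config`. Pass the credentials through the environment instead, for example `docker exec --env GITLAB_USER --env GITLAB_TOKEN --workdir /usr/src "${CONTAINER_ID}" /bin/sh -c "$@"` in `run_in_container`, and have git read them through a credential helper so that the clone URL is plain `https://gitlab.isc.org/isc-private/bind9.git`. Separately, `pkgdiff ... || true` followed by the unconditional final `echo` means the script exits 0 whether or not the tarballs differ, and nothing in it checks the tag's signature, so the new checklist item rests entirely on a signer reading the report. Consider saving pkgdiff's exit status and printing an explicit verdict, and adding a comment above that line saying why the status is otherwise ignored.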