Make bullseye the base image
authorMichal Nowak <mnowak@isc.org>
Wed, 25 Aug 2021 16:11:43 +0000 (18:11 +0200)
committerMichal Nowak <mnowak@isc.org>
Thu, 23 Dec 2021 14:57:28 +0000 (15:57 +0100)
"buster" jobs are now only going to be run in scheduled pipelines.

"--without-gssapi" ./configure option of "bullseye" before it became the
base image is dropped from "bullseye"-the-base-image because it reduces
gcov coverage by 0.38 % (651 lines) and is used in Debian 9 "stretch".

"--enable-openssl-hash" is intentionally not tested because linking fails
when any of --with-ecdsa, --with-gost, --with-eddsa, or --with-aes is
also used: the linker cannot find e.g. HMAC_CTX_new() because "-lcrypto"
is missing:

    /usr/bin/ld: ../../lib/isc/libisc.a(hmacmd5.o): in function `isc_hmacmd5_init':
    /root/bind9/lib/isc/hmacmd5.c:49: undefined reference to `HMAC_CTX_new'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `EVP_md5'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `HMAC_Init_ex'

BIND 9.11 is in security-fixes-only-mode and configure.ac code should
not be fixed to include "-lcrypto" in this corner case; better eliminate
a pairwise hint.

(cherry picked from commit 910d595fbc90ab0d5d5ff5fb8e2881e413666f60)

.gitlab-ci.yml
configure.ac

index 670fb24d3f534976431b2fa131207470fcada403..580f7ab9d7b7767fcad34c64898fb4f20ddc10b9 100644 (file)
@@ -177,7 +177,7 @@ stages:
 # This is a meta image that is used as a base for non-specific jobs
 
 .base: &base_image
-  <<: *debian_buster_amd64_image
+  <<: *debian_bullseye_amd64_image
 
 ### QCOW2 Image Templates
 
@@ -515,7 +515,7 @@ tarball-create:
     paths:
       - bind-*.tar.${TARBALL_EXTENSION}
 
-# Jobs for doc builds on Debian Sid (amd64)
+# Jobs for doc builds on Debian 11 "bullseye" (amd64)
 
 docs:
   <<: *release_branch_triggering_rules
@@ -698,22 +698,24 @@ unit:gcc:stretch:amd64:
 gcc:buster:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} --coverage -O0"
-    LDFLAGS: "--coverage"
+    CFLAGS: "${CFLAGS_COMMON}"
     EXTRA_CONFIGURE: "--with-libidn2"
   <<: *debian_buster_amd64_image
   <<: *build_job
+  <<: *schedules_tags_web_triggering_rules
 
 system:gcc:buster:amd64:
   <<: *debian_buster_amd64_image
-  <<: *system_test_gcov_job
+  <<: *system_test_job
+  <<: *schedules_tags_web_triggering_rules
   needs:
-    - job: unit:gcc:buster:amd64
+    - job: gcc:buster:amd64
       artifacts: true
 
 unit:gcc:buster:amd64:
   <<: *debian_buster_amd64_image
-  <<: *unit_test_gcov_job
+  <<: *unit_test_job
+  <<: *schedules_tags_web_triggering_rules
   needs:
     - job: gcc:buster:amd64
       artifacts: true
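Review bot: The swap between the two GCC jobs is not symmetric: `gcc:buster:amd64` ends up with `CFLAGS: "${CFLAGS_COMMON}"`, while the `-O2` that `gcc:bullseye:amd64` carried before this commit is dropped in the later hunk and not moved here. Unless `CFLAGS_COMMON` (defined outside this hunk) already sets an optimization level, the buster build now compiles at the compiler default, and GCC diagnostics that depend on optimization passes will not fire in either stable-Debian GCC job. If that is not intended, `CFLAGS: "${CFLAGS_COMMON} -O2"` on the buster job would keep one optimized GCC build in the matrix, even if only in scheduled pipelines.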
@@ -723,26 +725,27 @@ unit:gcc:buster:amd64:
 gcc:bullseye:amd64:
   variables:
     CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -O2"
-    EXTRA_CONFIGURE: "--without-gssapi --with-libidn2"
+    CFLAGS: "${CFLAGS_COMMON} --coverage -O0"
+    EXTRA_CONFIGURE: "--with-libidn2"
+    LDFLAGS: "--coverage"
   <<: *debian_bullseye_amd64_image
   <<: *build_job
 
 system:gcc:bullseye:amd64:
   <<: *debian_bullseye_amd64_image
-  <<: *system_test_job
+  <<: *system_test_gcov_job
   needs:
-    - job: gcc:bullseye:amd64
+    - job: unit:gcc:bullseye:amd64
       artifacts: true
 
 unit:gcc:bullseye:amd64:
   <<: *debian_bullseye_amd64_image
-  <<: *unit_test_job
+  <<: *unit_test_gcov_job
   needs:
     - job: gcc:bullseye:amd64
       artifacts: true
 
-# Jobs for scan-build builds on Debian Buster (amd64)
+# Jobs for scan-build builds on Debian 11 "bullseye" (amd64)
 
 .scan_build: &scan_build
   - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
@@ -798,7 +801,7 @@ unit:gcc:sid:amd64:
     - job: gcc:sid:amd64
       artifacts: true
 
-# Job for out-of-tree GCC build on Debian Sid (amd64)
+# Job for out-of-tree GCC build on Debian 11 "bullseye" (amd64)
 # Also tests configration option: --with-lmdb.
 
 gcc:out-of-tree:
@@ -813,7 +816,7 @@ gcc:out-of-tree:
   <<: *base_image
   <<: *build_job
 
-# Jobs for tarball GCC builds on Debian Sid (amd64)
+# Jobs for tarball GCC builds on Debian 11 "bullseye" (amd64)
 
 gcc:tarball:
   variables:
@@ -925,12 +928,16 @@ unit:gcc:focal:amd64:
 
 # Jobs for builds with ASAN enabled
 
+# "--disable-warn-error" ./configure option disables compiler warnings. This
+# ensures that the job will not fail because of warnings (e.g., null
+# destination pointer in lib/lwres/print.c) we don't want to fix on BIND 9.11
+# because the version is in security-fixes-only mode.
 gcc:asan:
   variables:
     CC: gcc
     CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0"
     LDFLAGS: "-fsanitize=address,undefined"
-    EXTRA_CONFIGURE: "--with-libidn2"
+    EXTRA_CONFIGURE: "--with-libidn2 --disable-warn-error"
   <<: *base_image
   <<: *build_job
 
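Review bot: The comment added above `gcc:asan` says `--disable-warn-error` "disables compiler warnings", but going by the option name it only stops warnings from failing the build; the warnings are still emitted. I would word the first sentence as `# "--disable-warn-error" ./configure option stops compiler warnings from being treated as errors.` The switch covers the whole ASAN/UBSAN build rather than the single diagnostic the comment names, so a new warning introduced by a later security fix will no longer fail this job. It would help to say in the comment that the job log still has to be checked for new warnings.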
@@ -1114,28 +1121,28 @@ unit:gcc:noatomics:
     - job: gcc:noatomics
       artifacts: true
 
-# Jobs for Clang builds on Debian Buster (amd64)
+# Jobs for Clang builds on Debian 11 "bullseye" (amd64)
 
-clang:buster:amd64:
+clang:bullseye:amd64:
   variables:
     CC: ${CLANG}
     CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion"
     EXTRA_CONFIGURE: "--with-python=python3"
-  <<: *debian_buster_amd64_image
+  <<: *debian_bullseye_amd64_image
   <<: *build_job
 
-system:clang:buster:amd64:
-  <<: *debian_buster_amd64_image
+system:clang:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
   <<: *system_test_job
   needs:
-    - job: clang:buster:amd64
+    - job: clang:bullseye:amd64
       artifacts: true
 
-unit:clang:buster:amd64:
-  <<: *debian_buster_amd64_image
+unit:clang:bullseye:amd64:
+  <<: *debian_bullseye_amd64_image
   <<: *unit_test_job
   needs:
-    - job: clang:buster:amd64
+    - job: clang:bullseye:amd64
       artifacts: true
 
 # Jobs for PKCS#11-enabled GCC builds on Fedora 35 (amd64)
@@ -1610,7 +1617,7 @@ gcov:
   <<: *default_triggering_rules
   stage: postcheck
   needs:
-    - job: system:gcc:buster:amd64
+    - job: system:gcc:bullseye:amd64
       artifacts: true
   script:
     # *.gcno and *.gcda files generated for shared library objects are created
index 030c4d7969287995b895626c4dbec7f22b4b097c..8411605a37979cf13558372ef40fd2dca65fddf8 100644 (file)
@@ -1500,7 +1500,12 @@ AC_ARG_ENABLE(native-pkcs11,
 #
 # was --with-openssl specified?
 #
-# [pairwise: --with-openssl --enable-openssl-hash, --with-openssl --disable-openssl-hash, --without-openssl]
+# "--enable-openssl-hash" is on purpose not being tested because it fails
+# linking when either of --with-ecdsa, --with-gost, --with-eddsa, or --with-aes
+# is used as well because it can't find f.e. HMAC_CTX_new() as "-lcrypto" is
+# missing.
+#
+# [pairwise: --with-openssl, --with-openssl --disable-openssl-hash, --without-openssl]
 AC_ARG_WITH(openssl,
            AS_HELP_STRING([--with-openssl[=PATH]],
                           [Build with OpenSSL [yes|no|path].
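Review bot: The new first pairwise entry, `--with-openssl`, depends on the default of `--enable-openssl-hash`, which is not visible in this hunk. If the default is "disabled", the entry duplicates the second one, `--with-openssl --disable-openssl-hash`. If the default is or becomes "enabled", pairwise runs can hit the link failure the comment describes. The comment should state which default is assumed, for example `# "--with-openssl" alone relies on openssl-hash being disabled by default.` (to be confirmed against the AC_ARG_ENABLE(openssl-hash) block). It could also say that the OpenSSL-backed hash path is consequently not built by any pairwise combination. The AC_ARG_WITH(openssl, ...) call continues past the end of the hunk.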
@@ -1547,6 +1552,9 @@ AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
 #
 # was --enable-openssl-hash specified?
 #
+# "--enable-openssl-hash" is not being tested, see the reasoning in
+# "--with-openssl" pairwise section.
+#
 # [pairwise: skip]
 AC_ARG_ENABLE(openssl-hash,
              AS_HELP_STRING([--enable-openssl-hash],