Alpine Linux image has OpenSSL 3.0.0 from the "edge" repository to test
OpenSSL 3.0.0 support in the BIND 9 "main" branch. However, this breaks
compilation of branches without OpenSSL 3.0.0 support and therefore
OpenSSL deprecated declarations need to be suppressed with
-DOPENSSL_SUPPRESS_DEPRECATED.
Michal Nowak [Tue, 30 Nov 2021 12:52:49 +0000 (13:52 +0100)]
Drop cppcheck CI job
Every cppcheck update brings the cost of addressing new false positives
in the BIND 9 source code while not reaping any benefits in case of
identified issues with the code.
Michal Nowak [Thu, 2 Dec 2021 12:50:30 +0000 (13:50 +0100)]
Configure gcc:pkcs11 CI job with "--disable-warn-error"
"--disable-warn-error" ./configure option disables compiler warnings.
This ensures that the job will not fail because of warnings (e.g., array
inconsistencies in lib/isc/sha2.c) we don't want to fix on BIND 9.11
because the version is in security-fixes-only mode.
sha2.c:310:26: error: argument 1 of type 'uint8_t[]' {aka 'unsigned char[]'} with mismatched bound [-Werror=array-parameter=]
310 | isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
| ~~~~~~~~^~~~~~~~
In file included from sha2.c:58:
./include/isc/sha2.h:132:24: note: previously declared as 'uint8_t[28]' {aka 'unsigned char[28]'}
132 | void isc_sha224_final (uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2.c:376:26: error: argument 1 of type 'uint8_t[]' {aka 'unsigned char[]'} with mismatched bound [-Werror=array-parameter=]
376 | isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
| ~~~~~~~~^~~~~~~~
In file included from sha2.c:58:
./include/isc/sha2.h:139:24: note: previously declared as 'uint8_t[32]' {aka 'unsigned char[32]'}
139 | void isc_sha256_final (uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2.c:442:26: error: argument 1 of type 'uint8_t[]' {aka 'unsigned char[]'} with mismatched bound [-Werror=array-parameter=]
442 | isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
| ~~~~~~~~^~~~~~~~
In file included from sha2.c:58:
./include/isc/sha2.h:153:24: note: previously declared as 'uint8_t[64]' {aka 'unsigned char[64]'}
153 | void isc_sha512_final (uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sha2.c:508:26: error: argument 1 of type 'uint8_t[]' {aka 'unsigned char[]'} with mismatched bound [-Werror=array-parameter=]
508 | isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
| ~~~~~~~~^~~~~~~~
In file included from sha2.c:58:
./include/isc/sha2.h:146:24: note: previously declared as 'uint8_t[48]' {aka 'unsigned char[48]'}
146 | void isc_sha384_final (uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michal Nowak [Thu, 2 Dec 2021 12:33:13 +0000 (13:33 +0100)]
Drop gcc:fedora34 CI jobs
With switching the gcc:pkcs11 CI jobs from Debian Buster to Fedora, we
don't need two Fedora CI jobs, which differ only by leveraging PKCS#11
or OpenSSL.
Michal Nowak [Thu, 2 Dec 2021 12:26:11 +0000 (13:26 +0100)]
Run gcc:pkcs11 CI jobs on Fedora image
SoftHSM v2.4 was dropped from the base image because it is being
upgraded to Debian Bullseye, which has SoftHSM v2.6, the same version we
already have in the Fedora image, and use it in the "main" branch for
PKCS#11 testing. However, on the "v9_11" branch, to sustain PKCS#11
testing, gcc:pkcs11 CI jobs need to be ported from the base image to the
Fedora image.
Petr Špaček [Fri, 5 Nov 2021 10:39:07 +0000 (11:39 +0100)]
Automatically cancel CI jobs on outdated branches
Gitlab feature
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
can automatically cancel jobs which operate on an outdated code, i.e. on
branches which received new commits while jobs with an older set of
commits are still running. For this feature to work jobs have to be
configured with boolean interruptible: true.
I think practically all of our current CI jobs can be cancelled,
so the option is now on by default for all jobs.
Michał Kępień [Thu, 28 Oct 2021 12:03:04 +0000 (14:03 +0200)]
Disable PyLint warning C0209
PyLint 2.11 reports a new warning, C0209 (consider-using-f-string).
Since f-strings are only available in Python 3.6+, existing scripts
cannot be updated to use this feature just yet because they would stop
working with older Python versions. Instead, disable PyLint warning
C0209 for the time being.
Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection. In this commit, we enable
the lame response detection even when the lame cache is disabled. This
enables stopping answer processing early rather than going through the
whole answer processing flow.
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
It was discovered that FreeBSD doesn't setup alias from default
Python version neither to python3 nor python, and thus the configure
step would fail to find working python installation.
Michał Kępień [Wed, 1 Sep 2021 13:46:36 +0000 (15:46 +0200)]
Test various --with-gssapi options in GitLab CI
The implicit ./configure default is to use --with-gssapi=auto. There is
already a GitLab CI job (gcc:stretch:amd64) which uses --without-gssapi.
Add four more forms of the --with-gssapi option to various GitLab CI job
configurations so that its every possible variant is regularly tested.
Call krb5-config with just one argument at the time
The autoconf script would call the krb5-config with both gssapi and krb5
libraries as arguments in a single call. It turned out that this is
actually not supported and it breaks some platforms. This commit splits
the call into two separate calls - one for gssapi and one for krb5
library.
Michal Nowak [Thu, 18 Feb 2021 15:28:31 +0000 (16:28 +0100)]
Run respdiff also for scheduled and web pipelines
respdiff needs to be run regularly to identify problems with query
responses discrepancies sooner than after tagging a release.
Contrary to the main branch, which hosts the BIND 9 Development Version
and thus sets MAX_DISAGREEMENTS_PERCENTAGE variable to 0.5, branches
hosting BIND 9 Stable Versions have it set to 0.1, which provides only
tiny room for non-timeout response disagreements between the baseline
version and version under test.
projects / thirdparty / bind9.git / log
