We already had support for disabling the tools build, used by
src:linux-grsec. However in this case, where we're using a different
based version to src:linux, we do still need to build the versioned
tools packages (linux-kbuild-4.9 and linux-perf-4.9). Split the
control template, config setting and rules accordingly.
(cherry picked from commit cb62c945f27ddee476631fa85c6aa67e50ed3bee)
The obvious way to do this is to edit the PATH in .kernelvariables.
But this obvious way doesn't work due to a bug in make (#895835).
(cherry picked from commit 4c6213fbbbff44710dda2091a7b26e0f0ea0a610)
debhelper no longer fully trusts the package list specified with -p,
but only processes packages that are listed in debian/control and
enabled in the current build profile. This breaks the test build of
udebs that we build for real after code signing.
Work around this by adding the udebs to the control file, conditional
on a new build profile (pkg.linux.udeb-unsigned-test-build). Override
the build profile during the test build.
I just made this change for firmware-nonfree, for which I wrote:
We open some, but not all, files with an explicit UTF-8 encoding. One
of the open calls that I missed has just caused gencontrol.py to fail
instead a pbuilder environment. Instead of continuing to set an
explicit encoding for each open call, use locale.setlocale to set it
globally.
I haven't hit such a problem here, but let's do it anyway.
Keep using explicit encodings in debian/lib for now, since we can't
assume all calling programs will set the locale.
dak currently allows a binary upload to include debug symbol packages
that don't appear in the overrides file or the Binary field of the
changes file, so long as they have the appropriate
'Auto-Built-Package' field and their name matches another binary
package in the upload plus the '-dbgsym' suffix.
For architectures with code signing enabled, our binary uploads never
match this condition as the corresponding binary package has the
'-unsigned' suffix and the debug symbols package does not. Since we
do list the debug symbol packages in the Binary field, they do get
added to the overrides file when accepted through the NEW queue, but
they are automatically pruned from there some time later. Later
uploads then have to go through NEW even though they are not
introducing new binary packages. This would be a big problem for
stable security updates.
For now, move debug symbols back to the main archive with the old
'-dbg' suffix. Keep them enabled for all architectures.
This reverts commit 99d37f9b16, which
caused most binary uploads to be rejected. dak's allows upload of
debug symbol packages not listed in the Binary field only if there is
a corresponding binary package without the -dbgsym suffix, which is
not the case on architectures where we use a -unsigned suffix.
Any packages listed in debian/control that are not installed in the
main archive will always be seen as NEW. This might be fixable by
archive configuration changes, but for now we'll generate them in a
similar way to debhelper.
Include headers for all architectures that we build a kernel for.
This allows co-installation of per-flavour header packages for
multiple Debian architectures, and fixes the problem of arm64 headers
depending on arm headers that we did not include.
By default dpkg-architecture lets the current environment override the
architecture specified by the -a option. We mustn't let that happen
here as we are considering all architectures. Use the -f option to
force use of our specified architecture.
The current cross-compiler packages don't set the Multi-Arch field, so
specify that the cross-compiler package must be native, rather than any
architecture.
flex doesn't support multi-arch, and this would require splitting it
(#611230, #761449). Force use of the native package for now.
openssl doesn't support multi-arch but probably easily could (#827028).
Force use of the native package for now.
We need the native libssl-dev while building the kernel itself and the
host libssl-dev while building tools for linux-kbuild.
Document the state of cross-building in README.source.
These packages will be taken over by src:linux-signed. Still do
everything but building the packages so we find configuration
errors before building linux-signed.
- Enable it by default
- Disable it for armel/marvell since signature verification is not enabled.
- Disable it for mips and mipsel so linux-signed can be uploaded without
waiting for them to build
- Disable it for all architectures not in the main archive, as linux-signed
won't support them (at least, not initially).
We don't need a variable to control signing of the image, because
we should do that for all flavours that have CONFIG_EFI_STUB=y.
* Drop redundant gitignore.patch from linux-tools
* Rename linux-tools' debian/templates/control.main.in to
debian/templates/control.tools.in
* Combine changelogs, putting all entries for each upstream release
cycle in chronological order
* Combine rules and gencontrol.py code
The linux-grsec source package needs a way to explicitly disable these
binary packages which are already built by the linux source package.
We already do that when there are no actual kernels for the target
architecture. Rename the FOREIGN_KERNEL make variable and combine the
two conditions.
Based on work by Yves-Alexis Perez.
A parallel 'debian/rules build' will now invoke 'debian/rules.real
build' twice in parallel, which is disastrous.
- Add and use proper build-arch and build-indep targets in
debian/rules.gen and debian/rules.real
- Assign a separate temporary directory to each target in
debian/rules.real. Add the directories to .gitignore and
the clean rule.
- Pull installation of the lockdep wrapper (which is indep)
up into debian/rules.real so that we don't end up building
liblockdep twice in parallel.
Currently we don't allow versions like 3.16.7-ckt9-3~deb8u1~bpo7+1 in
*-backports, but we should! Add the security suffix as an option
before the backports suffix.
We also don't check that an upload to *-security or *-lts includes the
expected suffix and nothing else. Add a check for that.
svn path=/dists/trunk/linux/; revision=22539