Add a new "pkg.linux.nosource" to let users disable building the
linux-source-* package, and allow to set "source: false" to modify
the default behaviour when no rofile is used.
When doing development builds this can save up to 15 minutes of build
time, especially on IO-strapped build workers.
We don't want to include "-4.9" in them twice. Add a "source_basename"
template variable that excludes any version suffix in the source package
name.
(cherry picked from commit f3c51efdd6e9d0ce32ee5a0f998fdcda930a715c)
For master, nothing is immediately broken without this. Also we have
no longer build a linux-manual package. Change the changelog text
accordingly.
We already had support for disabling the tools build, used by
src:linux-grsec. However in this case, where we're using a different
based version to src:linux, we do still need to build the versioned
tools packages (linux-kbuild-4.9 and linux-perf-4.9). Split the
control template, config setting and rules accordingly.
(cherry picked from commit cb62c945f27ddee476631fa85c6aa67e50ed3bee)
The obvious way to do this is to edit the PATH in .kernelvariables.
But this obvious way doesn't work due to a bug in make (#895835).
(cherry picked from commit 4c6213fbbbff44710dda2091a7b26e0f0ea0a610)
dpkg-source strictly enforces that 3.0 (native) packages do not have
Debian revisions in their version strings, i.e. they cannot include
hyphens.
Replace the hyphen from the image binary version with a '+'.
Override this version back to what we want when building the signed
binary packages.
debhelper no longer fully trusts the package list specified with -p,
but only processes packages that are listed in debian/control and
enabled in the current build profile. This breaks the test build of
udebs that we build for real after code signing.
Work around this by adding the udebs to the control file, conditional
on a new build profile (pkg.linux.udeb-unsigned-test-build). Override
the build profile during the test build.
I just made this change for firmware-nonfree, for which I wrote:
We open some, but not all, files with an explicit UTF-8 encoding. One
of the open calls that I missed has just caused gencontrol.py to fail
instead a pbuilder environment. Instead of continuing to set an
explicit encoding for each open call, use locale.setlocale to set it
globally.
I haven't hit such a problem here, but let's do it anyway.
Keep using explicit encodings in debian/lib for now, since we can't
assume all calling programs will set the locale.
Currently '*' and '**' match at least one character. Change them to
match zero or more characters, as in shell patterns.
'*' matches anything but '!', but that has no special meaning in
symbol names or module filenames. Change it to match anything but
'/', as in shell patterns.
dak currently allows a binary upload to include debug symbol packages
that don't appear in the overrides file or the Binary field of the
changes file, so long as they have the appropriate
'Auto-Built-Package' field and their name matches another binary
package in the upload plus the '-dbgsym' suffix.
For architectures with code signing enabled, our binary uploads never
match this condition as the corresponding binary package has the
'-unsigned' suffix and the debug symbols package does not. Since we
do list the debug symbol packages in the Binary field, they do get
added to the overrides file when accepted through the NEW queue, but
they are automatically pruned from there some time later. Later
uploads then have to go through NEW even though they are not
introducing new binary packages. This would be a big problem for
stable security updates.
For now, move debug symbols back to the main archive with the old
'-dbg' suffix. Keep them enabled for all architectures.
This reverts commit 99d37f9b16, which
caused most binary uploads to be rejected. dak's allows upload of
debug symbol packages not listed in the Binary field only if there is
a corresponding binary package without the -dbgsym suffix, which is
not the case on architectures where we use a -unsigned suffix.
Any packages listed in debian/control that are not installed in the
main archive will always be seen as NEW. This might be fixable by
archive configuration changes, but for now we'll generate them in a
similar way to debhelper.
- incoming.debian.org now uses pool layout
- deb.debian.org is a better default than ftp.de.debian.org
- ftp.debian-ports.org redirects to ftp.ports.debian.org, so use the
latter directly
I changed the wrapper to call gpgv instead of gpg. It is much easier
and cleaner to use local configuration this way, and it won't produce
a warning that the key isn't trusted.
I also removed used of an environment variable, as we (currently) only
pass one keyring filename here.
Include headers for all architectures that we build a kernel for.
This allows co-installation of per-flavour header packages for
multiple Debian architectures, and fixes the problem of arm64 headers
depending on arm headers that we did not include.
By default dpkg-architecture lets the current environment override the
architecture specified by the -a option. We mustn't let that happen
here as we are considering all architectures. Use the -f option to
force use of our specified architecture.
The current cross-compiler packages don't set the Multi-Arch field, so
specify that the cross-compiler package must be native, rather than any
architecture.
flex doesn't support multi-arch, and this would require splitting it
(#611230, #761449). Force use of the native package for now.
openssl doesn't support multi-arch but probably easily could (#827028).
Force use of the native package for now.
We need the native libssl-dev while building the kernel itself and the
host libssl-dev while building tools for linux-kbuild.
Document the state of cross-building in README.source.
These packages will be taken over by src:linux-signed. Still do
everything but building the packages so we find configuration
errors before building linux-signed.
This fixes some of the problems dch was causing:
- Putting the stable log in the wrong place
- Updating the date unnecessarily
Change stable-update.sh to be a wrapper for stable-update.
Delete ckt-stable-update.sh; if we need it again in future, it can be
implemented more cleanly as part of the new script.
- Enable it by default
- Disable it for armel/marvell since signature verification is not enabled.
- Disable it for mips and mipsel so linux-signed can be uploaded without
waiting for them to build
- Disable it for all architectures not in the main archive, as linux-signed
won't support them (at least, not initially).
We don't need a variable to control signing of the image, because
we should do that for all flavours that have CONFIG_EFI_STUB=y.