From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-containers/buildah/
Date: Sat, 23 Mar 2024 08:29:56 +0000 (UTC)	[thread overview]
Message-ID: <1711182545.da62fc25c5269bad61409b528c7cd456de6f2a9d.sam@gentoo> (raw)

commit:     da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me <AT> rahil <DOT> rocks>
AuthorDate: Fri Mar 22 10:45:37 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 23 08:29:05 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25

app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues

Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
Signed-off-by: Rahil Bhimjiani <me <AT> rahil.rocks>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)

diff --git a/app-containers/buildah/Manifest b/app-containers/buildah/Manifest
index 1cf183235cf6..7e199a5ae97d 100644
--- a/app-containers/buildah/Manifest
+++ b/app-containers/buildah/Manifest
@@ -1,4 +1,6 @@
 DIST buildah-1.33.5.tar.gz 18579521 BLAKE2B a59bfda3dea1f588a2f77a26b942da6ae02a00f1169008f776a2d7699b6b14f38ab29b46b7d0651e9fff3f007e5f95caed99952cc7585c25ea2a3153402958e9 SHA512 82ddfacd69918fb4ca8110d7d5279f4075385e5db5b64b58cf41a90c47e16093f1e65d8ef20136a4cd8f5c23ea8da7f35fb72581cec6472497b9c5b458023e9c
 DIST buildah-1.33.6.tar.gz 18585405 BLAKE2B 4a6f6ebfce7799a45b0984b6f9a319becfed87d5acf5f1f784249ff6e5397495ac72c00a22ff0bcc68fd94f1d0a591fa4ac5f0f88bcc9c0a6cdefe117166b4ec SHA512 86eab18af459b0b92361d6e9f56ebe9dab65527d829e7771c13b6c574ef45746a7f53520783ff52978b14aac0d6ee8de32cdabf807666a96dcf46e07e36157e2
+DIST buildah-1.33.7.tar.gz 18604354 BLAKE2B d2788096d8d6fd6cc528e8f33edc577778a2775a561ea3c4a983eb4a6fa1d5b570f6d8dc0f77e464d0c242add5d641e20afce83c9f5157021fbc82a009ea47c9 SHA512 1248ad1dcf0d10608674543caf4d78f5052db7932102226e23b73add5e129bd8c614672f3d06aa8052675dd83fa83ef2742ef08fe1a883037b41df8fde893ea1
 DIST buildah-1.34.0.tar.gz 18751419 BLAKE2B 6584c5234e849f9b8cde5e4188791024c8ac5c0ba85859e289f3eb2ec32f97f722ebf25f1291f29e14edf4adc14e19d6a6a76630c820085e9f345736aeb3d4eb SHA512 a3836ce540058f418131969e157d548864727398535e4e99a693d883419b8d764da7166f9b9376c2b9686d8beac101687843c2e93198b16328ef333ad96d55db
+DIST buildah-1.34.3.tar.gz 18856476 BLAKE2B c91c995a2ff4be8b4e84a70c581a817cb2f1333b08ca297163d218f80d538905c41718cfc267c03173330234c3476344be44df799eaaac891395a22bc7a020b3 SHA512 26d5c48cb5b056a274c1a9c6820a6076337f625fc6dd6683000db871f3de9d37907bd962ced3400334bfc230718219cda2108e2e984be5f8c76ecfa4a2f1e1ac
 DIST buildah-1.35.1.tar.gz 19349661 BLAKE2B 31b633f35f937364816dac65e7a801676043630bc3c00ac445ad67afea04142748f76c4aed16690aa990e2c15ed220bdb42b96c6dd9bb0dac9c9d16fc2a27ddc SHA512 3e5af28b3d45e51674d08bef9a92cd64589026d9c6ebee51156738151681395860e372bba2667815e0f90e37984eb9dfdc9b8ad0675b62c8751582b29485d159

diff --git a/app-containers/buildah/buildah-1.33.7.ebuild b/app-containers/buildah/buildah-1.33.7.ebuild
new file mode 100644
index 000000000000..8d0698568fd3
--- /dev/null
+++ b/app-containers/buildah/buildah-1.33.7.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+DESCRIPTION="A tool that facilitates building OCI images"
+HOMEPAGE="https://github.com/containers/buildah"
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+
+SLOT="0"
+IUSE="apparmor btrfs +seccomp systemd test"
+RESTRICT="test"
+DOCS=(
+	"CHANGELOG.md"
+	"troubleshooting.md"
+	"docs/tutorials"
+)
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/buildah.git"
+else
+	SRC_URI="https://github.com/containers/buildah/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm64"
+fi
+
+RDEPEND="
+	systemd? ( sys-apps/systemd )
+	btrfs? ( sys-fs/btrfs-progs )
+	seccomp? ( sys-libs/libseccomp:= )
+	apparmor? ( sys-libs/libapparmor:= )
+	app-containers/containers-common
+	app-crypt/gpgme:=
+	dev-libs/libgpg-error:=
+	dev-libs/libassuan:=
+	sys-apps/shadow:=
+"
+DEPEND="${RDEPEND}"
+
+pkg_pretend() {
+	local CONFIG_CHECK=""
+	use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+	check_extra_config
+
+	linux_config_exists || ewarn "Cannot determine configuration of your kernel."
+}
+
+src_prepare() {
+	default
+
+	# ensure all  necessary files are there
+	local file
+	for file in docs/Makefile hack/libsubid_tag.sh hack/apparmor_tag.sh \
+		hack/systemd_tag.sh btrfs_installed_tag.sh btrfs_tag.sh; do
+		[[ -f "${file}" ]] || die
+	done
+
+	sed -i -e "s|/usr/local|/usr|g" Makefile docs/Makefile || die
+	echo -e '#!/usr/bin/env bash\necho libsubid' > hack/libsubid_tag.sh || die
+
+	cat <<-EOF > hack/apparmor_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex apparmor 'echo apparmor' echo)
+	EOF
+
+	use seccomp || {
+		cat <<-'EOF' > "${T}/disable_seccomp.patch"
+		 --- a/Makefile
+		 +++ b/Makefile
+		 @@ -5 +5 @@
+		 -SECURITYTAGS ?= seccomp $(APPARMORTAG)
+		 +SECURITYTAGS ?= $(APPARMORTAG)
+		EOF
+		eapply "${T}/disable_seccomp.patch" || die
+	}
+
+	cat <<-EOF > hack/systemd_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex systemd 'echo systemd' echo)
+	EOF
+
+	echo -e "#!/usr/bin/env bash\n echo" > btrfs_installed_tag.sh || die
+	cat <<-EOF > btrfs_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+	EOF
+
+	use test || {
+		cat <<-'EOF' > "${T}/disable_tests.patch"
+		--- a/Makefile
+		+++ b/Makefile
+		@@ -54 +54 @@
+		-all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+		+all: bin/buildah docs
+		EOF
+		eapply "${T}/disable_tests.patch" || die
+	}
+
+}
+
+src_compile() {
+	# For non-live versions, prevent git operations which causes sandbox violations
+	# https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+	[[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+	default
+}
+
+src_test() {
+	emake test-unit
+}
+
+src_install() {
+	emake DESTDIR="${ED}" install install.completions
+	einstalldocs
+}
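Review bot: With USE=-seccomp, the `use seccomp || { … }` block in src_prepare removes `seccomp` from the Makefile's `SECURITYTAGS`, and nothing in the ebuild tells the user that the binary is then presumably built without seccomp syscall filtering. The flag defaults on (`+seccomp`), so only users who disable it are affected, but a notice in `pkg_pretend` would make the trade-off visible: `use seccomp || ewarn "USE=-seccomp: buildah is built without the seccomp build tag"`. The same block writes `${T}/disable_seccomp.patch` without `|| die`, unlike the other heredocs in this function. buildah-1.34.3.ebuild in this commit has identical content, so the same applies there.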

diff --git a/app-containers/buildah/buildah-1.34.3.ebuild b/app-containers/buildah/buildah-1.34.3.ebuild
new file mode 100644
index 000000000000..8d0698568fd3
--- /dev/null
+++ b/app-containers/buildah/buildah-1.34.3.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module linux-info
+
+DESCRIPTION="A tool that facilitates building OCI images"
+HOMEPAGE="https://github.com/containers/buildah"
+
+# main pkg
+LICENSE="Apache-2.0"
+# deps
+LICENSE+=" BSD BSD-2 CC-BY-SA-4.0 ISC MIT MPL-2.0"
+
+SLOT="0"
+IUSE="apparmor btrfs +seccomp systemd test"
+RESTRICT="test"
+DOCS=(
+	"CHANGELOG.md"
+	"troubleshooting.md"
+	"docs/tutorials"
+)
+
+if [[ ${PV} == 9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/containers/buildah.git"
+else
+	SRC_URI="https://github.com/containers/buildah/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm64"
+fi
+
+RDEPEND="
+	systemd? ( sys-apps/systemd )
+	btrfs? ( sys-fs/btrfs-progs )
+	seccomp? ( sys-libs/libseccomp:= )
+	apparmor? ( sys-libs/libapparmor:= )
+	app-containers/containers-common
+	app-crypt/gpgme:=
+	dev-libs/libgpg-error:=
+	dev-libs/libassuan:=
+	sys-apps/shadow:=
+"
+DEPEND="${RDEPEND}"
+
+pkg_pretend() {
+	local CONFIG_CHECK=""
+	use btrfs && CONFIG_CHECK+=" ~BTRFS_FS"
+	check_extra_config
+
+	linux_config_exists || ewarn "Cannot determine configuration of your kernel."
+}
+
+src_prepare() {
+	default
+
+	# ensure all  necessary files are there
+	local file
+	for file in docs/Makefile hack/libsubid_tag.sh hack/apparmor_tag.sh \
+		hack/systemd_tag.sh btrfs_installed_tag.sh btrfs_tag.sh; do
+		[[ -f "${file}" ]] || die
+	done
+
+	sed -i -e "s|/usr/local|/usr|g" Makefile docs/Makefile || die
+	echo -e '#!/usr/bin/env bash\necho libsubid' > hack/libsubid_tag.sh || die
+
+	cat <<-EOF > hack/apparmor_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex apparmor 'echo apparmor' echo)
+	EOF
+
+	use seccomp || {
+		cat <<-'EOF' > "${T}/disable_seccomp.patch"
+		 --- a/Makefile
+		 +++ b/Makefile
+		 @@ -5 +5 @@
+		 -SECURITYTAGS ?= seccomp $(APPARMORTAG)
+		 +SECURITYTAGS ?= $(APPARMORTAG)
+		EOF
+		eapply "${T}/disable_seccomp.patch" || die
+	}
+
+	cat <<-EOF > hack/systemd_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex systemd 'echo systemd' echo)
+	EOF
+
+	echo -e "#!/usr/bin/env bash\n echo" > btrfs_installed_tag.sh || die
+	cat <<-EOF > btrfs_tag.sh || die
+	#!/usr/bin/env bash
+	$(usex btrfs echo 'echo exclude_graphdriver_btrfs btrfs_noversion')
+	EOF
+
+	use test || {
+		cat <<-'EOF' > "${T}/disable_tests.patch"
+		--- a/Makefile
+		+++ b/Makefile
+		@@ -54 +54 @@
+		-all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+		+all: bin/buildah docs
+		EOF
+		eapply "${T}/disable_tests.patch" || die
+	}
+
+}
+
+src_compile() {
+	# For non-live versions, prevent git operations which causes sandbox violations
+	# https://github.com/gentoo/gentoo/pull/33531#issuecomment-1786107493
+	[[ ${PV} != 9999* ]] && export COMMIT_NO="" GIT_COMMIT=""
+
+	default
+}
+
+src_test() {
+	emake test-unit
+}
+
+src_install() {
+	emake DESTDIR="${ED}" install install.completions
+	einstalldocs
+}
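Review bot: The existence check in src_prepare, `[[ -f "${file}" ]] || die`, dies without a message, so a failure does not say which of the six listed files upstream moved or renamed. Most of them are the tag scripts the ebuild then overwrites to control the apparmor, systemd, btrfs and libsubid build tags, so a clear failure matters when a version bump changes the layout. `[[ -f "${file}" ]] || die "${file} not found; upstream build-tag scripts changed?"` would name the missing file. The same line appears in buildah-1.33.7.ebuild in this commit.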

