rebuilderd

• Change the default in the archlinux integration to not execute check()
• Fix application/x-bzip2 detection for Arch Linux packages (thanks @Vekhir!)
• Update dependencies and fix some clippy warnings

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Run delete for orphaned builds in chunks
• Update in-toto dependency to 0.3.0
• Add make install target
• Misc bugfixes for Debian, Arch Linux, Tails rebuilds

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

• Update the tails rebuilder script to set $HOME to a temporary directory. Thanks to @jvoisin for reporting and his help debugging this (#112, #118)

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.

• Include error message in unexpected error while rebuilding package #114
• Refactor logging so a fatal error is appended to the log instead of replacing it #114
• Debian: Use Filename: field for .deb url #115
• Make POST body size limit configurable #116

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.

• Allow picking a different sync-method than the distro used. This allows reusing the Arch Linux sync code for other pacman-based distributions that might need a different rebuilder backend. #109
• Create new process groups for the rebuild and kill the whole group on build timeout instead of just the immediate child process #110, #111 (thanks to @stoeckmann for his help and insight)

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.

• Fix rebuildctl queue push using package ids instead of pkgbase ids
• Clear next_retry column if all packages are GOOD

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Generate diffoscope from artifact_path, not input_path #102

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Don't send all artifacts when pinging a build, avoids http 413 errors #100

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Add missing runtime dependencies to docker container #92, #93
• If attestation failed to generate log a warning but don't error #94, #95, #96
• Allow multiple versions of packages in unique constraint #97
• Run sync import in database transaction #97
• Allow multiple pkgbases with same name and version but different architecture #97
• Fix delete performance when removing packages with filters #97

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Switch worker-debian Dockerfile to use debrebuild.py by @fepitre

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Fix a regression in the container image: Revert REBUILDERD_COOKIE_PATH=/secret/auth default - When using rebuildctl from the container image this would always attempt to load the auth cookie from /secret/auth and fail if it doesn't exist, instead of attempting to load the auth cookie from /etc/rebuilderd.conf.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• This release lands build groups, which allows reproducing multiple packages with a single build, if they share a common base (pkgbase in Arch Linux, source package in debian, or a common release number in tails). This reduces the cpu load of running a rebuilder because it's using the resources more efficiently.
• Update tails documentation (thanks to @jvoisin)

Important: the build group change impacts the size of the report POST body, both because the build log is submitted multiple times for each package and because each package can have its own diffoscope. If you're using nginx to limit the request body (on by default) please adjust your config accordingly, either by setting a lower size limit in rebuilderd, or allowing larger request bodies in nginx.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• distro field is now an opaque string instead of an enum
• url has been renamed to artifact_url in a few places
• It's now possible to pass --input-url to support eg. external buildinfo files
• /data and /secret are now volumes in the rebuilderd docker image
• Avoid double-slash in request if endpoint url ends with slash
• Correctly load auth-cookie in rebuildctl pkgs sync-stdin

Breaking changes

• The worker config format has been updated, the rebuilder backends now need to be explicitly registered. This may look like this:

[backend."archlinux"]
path = "/usr/libexec/rebuilderd/rebuilder-archlinux.sh"

[backend."debian"]
path = "/usr/libexec/rebuilderd/rebuilder-debian.sh"

[backend."tails"]
path = "/usr/libexec/rebuilderd/rebuilder-tails.sh"

• The url field is now called artifact_url in some api responses, using 0.14.2 rebuildctl and 0.15.0 rebuilderd may not be compatible with each other

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Make stdio-read fixes for #71 more reliable. Shoutout to @stoeckmann and @c3h2_ctf for helping debug this.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Fix race when reading from stdio and waiting for process to exit. This has (very rarely) caused incomplete logs, diffoscopes, and flaky tests
• libsodium is not required anymore since in-toto and the dependency has been removed

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

• Add in-toto attestation to rebuilderd by @joyliu-q during Google Summer of Code
• Add experimental tails support
• Add subcommand to download attestation with rebuildctl
• Dynamically link zstd
• Arch Linux: Detect compression with tree_magic
• Change default cpu and io priority of rebuilderd-worker to idle
• Fix auth cookie discovery for docker-compose
• Bugfixes for the work-in-progress debian setup by @SantiagoTorres
• Update debrebuild flag to --buildresults=
• Convert blocking reqwest client to async

Breaking changes

• The worker keys are automatically regenerated when migrating from 0.13.0 to 0.14.0
• Authenticating by the public key alone is not allowed anymore

Thanks

This work was sponsored by Google, The Linux Foundation, and people like you and me! We'd like to thank @SantiagoTorres and @repi in particular for their support on github sponsors.

• Track if a diffoscope report is available and publish this info on /api/v0/pkgs/list for the frontend to use

Thanks

This work was sponsored by Google, The Linux Foundation, and people like you and me! We'd like to thank @SantiagoTorres and @repi in particular for their support on github sponsors.

• Automatically garbage collect old builds in a background thread
• Add a subcommand to fetch build logs
• Add a subcommand to fetch diffoscope
• Add pager to log and diffoscope when writing to tty

Thanks

We'd like to thank @repi for their support on github sponsors.

• The output directory for repro is now managed by rebuilderd
• In preparation for pkgbase aware rebuilds, we now ignore the exit code of the rebuilder backend and instead verify the file written to the outdir is equal to the rebuild input
• The ./build/ folders in /var/lib/rebuilderd-worker are now unused and can be deleted
• The rebuild artifacts are not stored anymore, only the status and optionally the diffoscope are stored

Thanks

We'd like to thank @repi for their support on github sponsors.

• Add Last-Modified and If-Modified-Since support for /api/v0/pkgs/list (contributed by @jelly)
• Updated dependencies

Thanks

We'd like to thank @repi for their support on github sponsors.