When we're building ParticleOS images, we don't want the package
manager (or mkosi) to run systemd-sysusers, systemd-tmpfiles or
systemctl preset so let's add a few more bypass environment
variables that we can set to have execution of these skipped like
we already have $SYSTEMD_HWDB_UPDATE_BYPASS and $KERNEL_INSTALL_BYPASS.
This has been depracted since v254 (2023). Let's kill it for
good now, it has been long enough with 2y. Noone has shown up who wants
to keep it. And given it doesn't work in SB world anyway, and is not
measured is quite problematic security wise.
mkosi now supports -R to rerun build scripts without rebuilding the
image so let's document that instead of the current hack to prevent
the rebuild by changing the output format.
mkosi now supports -R to rerun build scripts without rebuilding the
image so let's document that instead of the current hack to prevent
the rebuild by changing the output format.
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
Update osCPE field example to use cpe 2.3 format, as is in active use by
AmazonLinux 2023 for example.
Add appCPE field example to document the upstream application CPE for the
applicable CVEs. Often distribution source package names are different from the
upstream CPE. For example adding/removing "lib" prefix, or adding version
stream "-3" suffix. This typically leads to guessing or fuzzy matching. Adding
appCPE in such cases can help to disambiguate (or collate) correct application
CPEs; especially beyond the lifetime of osCPE support timeframes.
This is preparation for adding server side filtering to the userdb
logic: it adds some fields for this to the userdb varlink API. This only
adds the IDL for it, no client will use it for now, no server implement
it. That's added in later commits.
HACKING.md should first and foremost tell someone how to hack on
systemd, installing packages from OBS isn't the most likely section
a new contributor will be interested in, so let's move it further
down.
With the latest mkosi, mkosi takes care of making sure it is
available within mkosi sandbox so we get rid of all the --preserve-env=
options when we invoke mkosi sandbox with sudo as these are not
required anymore. It also doesn't matter anymore if mkosi is installed
in /usr on the host so we get rid of the documentation around that as
well.
This takes up a lot of storage space and we're almost hitting the
limit so since nobody's actually using these and we just started
doing nightly builds in OBS, let's drop this and point people towards
OBS for nightly packages in the future.
This makes the UID range configurable via build time options, but of
course it really shouldn't be changed. The default range I picked is
outside even of IPAs current (ridiculously large) allocation ranges,
hence hopefully minimizes conflicts.
"ninja -C build mkosi" doesn't actually work and fails because ninja
thinks the mkosi target does not exist. "meson compile -C build mkosi"
dpes work so let's use that instead.
Fixes#35741
Let's use "mkosi sandbox" in the docs so that users can build systemd
without having to install anything except mkosi. Using mkosi sandbox
will use tools and dependencies from the tools tree which is also used
in CI and thus has a higher chance of working from the first try compared
to whatever tools might be installed on the host system of a new contributor.
The package notes are nice standard mechanism to figure out the exact name and
version of a program or a library stored in a file, without running the code.
In the beginning this was designed for the purpose of analyzing core dumps, but
we've since started to use it more generically to identify files. The same need
to identify PE/COFF files occurs, for example for systemd-boot and other files
intended for UEFI. It has also been requested by people working on bootupd
(https://github.com/coreos/bootupd).
The text is changed to say "Executable" or "ELF or PE/COFF" wherever "ELF" was
used previously.
The description for PE/COFF files is very brief. AFAIK, we don't have the same
"note" mechanism there [1], so just a normal section is used. The alignment
rules for PE/UEFI are different and change over time, so no specific alignment
is specified.
Other requirements for the PE/COFF section are based on what ukify currently
does for the .osrel section:
5 .osrel 00000056 000000010132f000 000000010132f000 0002b600 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
The name ".pkgnote" is used as suggested by Daan De Meyer. This corresponds to
the ".note.package" name used for ELF. ".package" was also suggested, but I
think that is too generic and carries more risk of a conflict with a different
use.
[1] https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
Also zero/0 is replaced by NUL to clarify that a single 0 byte is meant.
We described the "how", but not the "why". And the text was a bit dated,
still mostly talking about core files. Let's make it more general
and describe why a section is used.
Add a recommendation/explanation for the debugInfoUrl field.
This document is renamed without any changes in a separate commit.
Otherwise, git does not show a diff, which makes it very hard
to review what is actually changed in the text.
