[PR PATCH] glibc: neutralise supply chain attack

[PR PATCH] glibc: neutralise supply chain attack

[sgn]

[-- Attachment #1: Type: text/plain, Size: 1359 bytes --]

There is a new pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages glibc-patch
https://github.com/void-linux/void-packages/pull/41469

glibc: neutralise supply chain attack
Relies on vasilek.cz is questionable by some of our users.

@paper42 @oreo639 @CameronNemo 
<!-- Uncomment relevant sections and delete options which are not applicable -->

#### Testing the changes
- I tested the changes in this PR: **YES**|**briefly**|**NO**

<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->

<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - aarch64-musl
  - armv7l
  - armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/41469.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-glibc-patch-41469.patch --]
[-- Type: text/x-diff, Size: 1819 bytes --]

From afb3d063cea3c1a4a5756aa5ddfdf07acfda8d6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Thu, 5 Jan 2023 18:22:47 +0700
Subject: [PATCH] glibc: neutralise supply chain attack

Relies on vasilek.cz is questionable by some of our users.
---
 srcpkgs/glibc/template | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c12762..500d9852f7ca 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -8,8 +8,12 @@ short_desc="GNU C library"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later, LGPL-2.1-or-later, BSD-3-Clause"
 homepage="http://www.gnu.org/software/libc"
-distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
-checksum=656200722d5ba968b4888a2d2950719d72c86290fd0479f61897d25b7db2cb57
+distfiles="${GNU_SITE}/glibc/glibc-${version}.tar.xz
+ https://github.com/bminor/glibc/compare/glibc-${version}...${_patchver#*g}.patch"
+#distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
+checksum="1c959fea240906226062cb4b1e7ebce71a9f0e3c0836c09e7e3423d434fcfe75
+ 8a1ee7bb3f3b015c4cb9da03695ec0a614730127cf8ff1c19a4b625f95ecbecf"
+skip_extraction="glibc-${version}...${_patchver#*g}.patch"
 # Do not strip these files, objcopy errors out.
 nostrip_files="
 	XBS5_ILP32_OFFBIG
@@ -59,6 +63,13 @@ if [ "$XBPS_TARGET_LIBC" = musl ]; then
 	broken="no point in building this for musl"
 fi
 
+post_extract() {
+	if [ ! -f $XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.patch ]; then
+		return
+	fi
+	patch -Np1 -s -F0 <$XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.patch
+}
+
 do_configure() {
 	mkdir build
 	cd build

Re: [PR PATCH] [Updated] glibc: neutralise supply chain attack

[sgn]

[-- Attachment #1: Type: text/plain, Size: 1364 bytes --]

There is an updated pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages glibc-patch
https://github.com/void-linux/void-packages/pull/41469

glibc: neutralise supply chain attack
Relies on vasilek.cz is questionable by some of our users.

@paper42 @oreo639 @CameronNemo 
<!-- Uncomment relevant sections and delete options which are not applicable -->

#### Testing the changes
- I tested the changes in this PR: **YES**|**briefly**|**NO**

<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->

<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - aarch64-musl
  - armv7l
  - armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/41469.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-glibc-patch-41469.patch --]
[-- Type: text/x-diff, Size: 1807 bytes --]

From 9fbb22c41525cf64285c57c56e11b47f0502a8dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Thu, 5 Jan 2023 18:22:47 +0700
Subject: [PATCH] glibc: neutralise supply chain attack

Relies on vasilek.cz is questionable by some of our users.
---
 srcpkgs/glibc/template | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c12762..afcb1c4741e1 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -8,8 +8,12 @@ short_desc="GNU C library"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later, LGPL-2.1-or-later, BSD-3-Clause"
 homepage="http://www.gnu.org/software/libc"
-distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
-checksum=656200722d5ba968b4888a2d2950719d72c86290fd0479f61897d25b7db2cb57
+distfiles="${GNU_SITE}/glibc/glibc-${version}.tar.xz
+ https://github.com/bminor/glibc/compare/glibc-${version}...${_patchver#*g}.patch"
+#distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
+checksum="1c959fea240906226062cb4b1e7ebce71a9f0e3c0836c09e7e3423d434fcfe75
+ 8a1ee7bb3f3b015c4cb9da03695ec0a614730127cf8ff1c19a4b625f95ecbecf"
+skip_extraction="glibc-${version}...${_patchver#*g}.patch"
 # Do not strip these files, objcopy errors out.
 nostrip_files="
 	XBS5_ILP32_OFFBIG
@@ -59,6 +63,12 @@ if [ "$XBPS_TARGET_LIBC" = musl ]; then
 	broken="no point in building this for musl"
 fi
 
+post_extract() {
+	if [ -f $XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.patch ]; then
+		patch -Np1 -s -F0 <$XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.patch
+	fi
+}
+
 do_configure() {
 	mkdir build
 	cd build

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 928 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people around to it. That is still my preference.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) really does much for us aside from breaking build when github or git changes the way patches generate (or if the mirror goes down).

The https://git.vuxu.org/mirror/glibc/ was created to be used in the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in my getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 958 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people around to it. That is still my preference.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created to be used in the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in my getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 956 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people around to it. That is still my preference.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in my getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. That is still my preference.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in my getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. That is still my preference.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 962 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 1075 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`
If all of those issues can be addressed then I'm fine with using that, but probably not atm.

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 1087 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`
If all of those issues can be addressed then I'm fine with using that, but probably not a good idea atm.

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 981 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate (or if the mirror goes down/the account gets deleted).

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 1019 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate  (not sure how frequent/likely that is) or if the mirror goes down/the account gets deleted.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 1033 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate  (I don't imagine that is particularly likely though) or if the mirror goes down/the account gets deleted.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 1033 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches generated from a mirror not affiliated GNU (or us for that matter) is a good idea. I imagine the glibc build can break if/when github or git changes the way patches generate  (I don't imagine that is particularly likely though) or if the mirror goes down/the account gets deleted.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'm not sure relying on runtime generated patches from a mirror not affiliated with GNU (or us for that matter) is the best option.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 806 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

I'd prefer to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 699 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 813 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

imo, it is better to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 822 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

imo, it is probably better to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`

Re: [PR PATCH] [Updated] glibc: neutralise supply chain attack

[sgn]

[-- Attachment #1: Type: text/plain, Size: 1364 bytes --]

There is an updated pull request by sgn against master on the void-packages repository

https://github.com/sgn/void-packages glibc-patch
https://github.com/void-linux/void-packages/pull/41469

glibc: neutralise supply chain attack
Relies on vasilek.cz is questionable by some of our users.

@paper42 @oreo639 @CameronNemo 
<!-- Uncomment relevant sections and delete options which are not applicable -->

#### Testing the changes
- I tested the changes in this PR: **YES**|**briefly**|**NO**

<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->

<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - aarch64-musl
  - armv7l
  - armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/41469.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-glibc-patch-41469.patch --]
[-- Type: text/x-diff, Size: 1804 bytes --]

From 8bd21f59441f9262389a14c3c0d58e6f2e61027a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
 <congdanhqx@gmail.com>
Date: Thu, 5 Jan 2023 18:22:47 +0700
Subject: [PATCH] glibc: neutralise supply chain attack

Relies on vasilek.cz is questionable by some of our users.
---
 srcpkgs/glibc/template | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c12762..9a4d0c220609 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -8,8 +8,12 @@ short_desc="GNU C library"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later, LGPL-2.1-or-later, BSD-3-Clause"
 homepage="http://www.gnu.org/software/libc"
-distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
-checksum=656200722d5ba968b4888a2d2950719d72c86290fd0479f61897d25b7db2cb57
+distfiles="${GNU_SITE}/glibc/glibc-${version}.tar.xz
+ https://github.com/bminor/glibc/compare/glibc-${version}...${_patchver#*g}.diff"
+#distfiles="https://vasilek.cz/paste/glibc-${version}-${_patchver}.tar.xz"
+checksum="1c959fea240906226062cb4b1e7ebce71a9f0e3c0836c09e7e3423d434fcfe75
+ a3d3015f1842186c5b278cbef0e92cf47941497d3f0af5c9a28645112c3d1359"
+skip_extraction="glibc-${version}...${_patchver#*g}.diff"
 # Do not strip these files, objcopy errors out.
 nostrip_files="
 	XBS5_ILP32_OFFBIG
@@ -59,6 +63,12 @@ if [ "$XBPS_TARGET_LIBC" = musl ]; then
 	broken="no point in building this for musl"
 fi
 
+post_extract() {
+	if [ -f $XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.patch ]; then
+		patch -Np1 -s -F0 <$XBPS_SRCDISTDIR/${pkgname}-${version}/glibc-${version}...${_patchver#*g}.diff
+	fi
+}
+
 do_configure() {
 	mkdir build
 	cd build

Re: glibc: neutralise supply chain attack

[sgn]

[-- Attachment #1: Type: text/plain, Size: 206 bytes --]

New comment by sgn on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372263475

Comment:
Ok, `.patch` maybe unstable, but `.diff` is pretty much very stable.

Re: glibc: neutralise supply chain attack

[CameronNemo]

[-- Attachment #1: Type: text/plain, Size: 621 bytes --]

New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372529632

Comment:
I knew it was paper's domain, but I had no idea what it was that was downloaded. This is a little more clear on what is being achieved, but relying on a github mirror is not strictly better for supply chain reasons IMO.

Hosting something on https://repo-default.voidlinux.org/distfiles/ (maybe just the patch) or using Leah's git server are both alright options to me, however a comment should be added explaining why we are not (just) downloading GNU's release artifacts.

Re: glibc: neutralise supply chain attack

[leahneukirchen]

[-- Attachment #1: Type: text/plain, Size: 248 bytes --]

New comment by leahneukirchen on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372743190

Comment:
Something like this? https://git.vuxu.org/mirror/glibc/patch/?id=release/2.36/master&id2=glibc-2.36

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 882 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

imo, it is probably better to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`
Edit: I tried it again rn (git.vuxu.org) and it works now.

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 911 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution.

imo, it is probably better to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`
Edit: I tried downloading a glibc git snapshot from git.vuxu.org now and it worked fine

Re: glibc: neutralise supply chain attack

[oreo639]

[-- Attachment #1: Type: text/plain, Size: 970 bytes --]

New comment by oreo639 on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1372170752

Comment:
I was under the impression that the plan was to swap it out to https://repo-default.voidlinux.org/distfiles/ once the infra people get around to it. imo that is the best solution. (and as CameronNemo pointed out a comment should be added)

imo, it is probably better to avoid relying on runtime generated patches from a mirror not affiliated with GNU or void.

The https://git.vuxu.org/mirror/glibc/ was created by Leah for the PR but I didn't use it because at the time the snapshots generated broken tarballs and took forever to download. Not sure about now, but trying to download a snapshot resulted in me getting an error after a long delay: `Sorry, the page you are looking for is currently unavailable.
Please try again later.`
Edit: I tried downloading a glibc git snapshot from git.vuxu.org now and it worked fine

Re: glibc: neutralise supply chain attack

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/41469#issuecomment-1498382610

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.

Re: [PR PATCH] [Closed]: glibc: neutralise supply chain attack

[github-actions]

[-- Attachment #1: Type: text/plain, Size: 1212 bytes --]

There's a closed pull request on the void-packages repository

glibc: neutralise supply chain attack
https://github.com/void-linux/void-packages/pull/41469

Description:
Relies on vasilek.cz is questionable by some of our users.

@paper42 @oreo639 @CameronNemo 
<!-- Uncomment relevant sections and delete options which are not applicable -->

#### Testing the changes
- I tested the changes in this PR: **YES**|**briefly**|**NO**

<!--
#### New package
- This new package conforms to the [package requirements](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#package-requirements): **YES**|**NO**
-->

<!-- Note: If the build is likely to take more than 2 hours, please add ci skip tag as described in
https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration
and test at least one native build and, if supported, at least one cross build.
Ignore this section if this PR is not skipping CI.
-->
<!--
#### Local build testing
- I built this PR locally for my native architecture, (ARCH-LIBC)
- I built this PR locally for these architectures (if supported. mark crossbuilds):
  - aarch64-musl
  - armv7l
  - armv6l-musl
-->