diff --git a/.gitlab/issue_templates/Release.md b/.gitlab/issue_templates/Release.md
index d0d43a481a..21313a9c4f 100644
--- a/.gitlab/issue_templates/Release.md
+++ b/.gitlab/issue_templates/Release.md
@@ -57,6 +57,7 @@
 - [ ] ***(QA)*** Prepare and merge MRs resetting the release notes and updating the version string for each maintained branch.
 - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
 - [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums.
+ - [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
 - [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
 - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
 - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
diff --git a/util/release-tarball-comparison.sh b/util/release-tarball-comparison.sh
new file mode 100755
index 0000000000..4d18016689
--- /dev/null
+++ b/util/release-tarball-comparison.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+set -o nounset
+
+print_usage_and_exit() {
+ echo
+ echo "Usage: GITLAB_USER= GITLAB_TOKEN= ${0} /path/to/bind-9.x.y.tar.xz" >&2
+ exit 1
+}
+
+BIND_TARBALL="${1:-}"
+if [ ! -f "${BIND_TARBALL}" ]; then
+ echo "ERROR: path to BIND 9 tarball either not provided or the file does not exist." >&2
+ print_usage_and_exit
+fi
+
+GITLAB_USER=${GITLAB_USER:-}
+GITLAB_TOKEN=${GITLAB_TOKEN:-}
+if [ -z "${GITLAB_USER}" ] || [ -z "${GITLAB_TOKEN}" ]; then
+ echo "ERROR: GITLAB_USER and GITLAB_TOKEN environmental variables are not set." >&2
+ print_usage_and_exit
+fi
+
+# Create the container to work in.
+CONTAINER_ID=$(docker create --interactive debian:bullseye)
+trap "docker container rm -f \${CONTAINER_ID} >/dev/null" EXIT
+docker start "${CONTAINER_ID}"
+
+run_in_container() {
+ docker exec --workdir /usr/src "${CONTAINER_ID}" /bin/sh -c "$@"
+}
+
+# Pull build requirements.
+run_in_container "apt-get update && \
+ apt-get -y install --no-install-recommends \
+ automake \
+ ca-certificates \
+ git \
+ libcap2-dev \
+ libjemalloc-dev \
+ liblmdb-dev \
+ libmaxminddb-dev \
+ libnghttp2-dev \
+ libssl-dev \
+ libtool \
+ libuv1-dev \
+ make \
+ pkg-config \
+ pkgdiff \
+ xz-utils \
+"
+
+# Retrieve the release-ready BIND 9 tarball.
+docker cp "${BIND_TARBALL}" "${CONTAINER_ID}:/usr/src"
+
+BIND_VERSION=$(basename "${BIND_TARBALL}" | sed -E "s|bind-(.*)\.tar\.xz|\1|")
+BIND_DIRECTORY="bind-${BIND_VERSION}"
+
+# Prepare a temporary "release" tarball from upstream BIND 9 project.
+run_in_container "git -c advice.detachedHead=false clone --branch $(echo "v${BIND_VERSION}" | tr ".-" "_") --depth 1 https://${GITLAB_USER}:${GITLAB_TOKEN}@gitlab.isc.org/isc-private/bind9.git && \
+ cd bind9 && \
+ if [ $(echo "${BIND_VERSION}" | cut -b 1-5) = 9.16. ]; then \
+ git archive --prefix=${BIND_DIRECTORY}/ --output=${BIND_DIRECTORY}.tar HEAD && \
+ mkdir ${BIND_DIRECTORY} && \
+ echo SRCID=\$(git rev-list --max-count=1 HEAD | cut -b1-7) > ${BIND_DIRECTORY}/srcid && \
+ tar --append --file=${BIND_DIRECTORY}.tar ${BIND_DIRECTORY}/srcid && \
+ xz ${BIND_DIRECTORY}.tar; \
+ else \
+ autoreconf -fi && \
+ ./configure --enable-umbrella && \
+ make -j && \
+ make dist; \
+ fi"
+
+# Compare release-ready and custom tarballs; they are expected to be the same.
+run_in_container "pkgdiff bind9/bind-${BIND_VERSION}.tar.xz bind-${BIND_VERSION}.tar.xz" || true
+
+# Copy the pkgdiff report out of the container for inspection.
+docker cp "${CONTAINER_ID}:/usr/src/pkgdiff_reports/bind/" "pkgdiff_bind_${BIND_VERSION}_report"
+echo "pkgdiff report ready for inspection in 'pkgdiff_bind_${BIND_VERSION}_report'."
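Review bot: The `git clone` line builds the URL as `https://${GITLAB_USER}:${GITLAB_TOKEN}@gitlab.isc.org/...` inside a double-quoted string, so the host shell expands the token into the arguments of `docker exec`, `/bin/sh -c` and `git`, where it is readable from the process list while the clone runs, and git also records it as the remote URL in `bind9/.git/config`. Handing the credentials over through the environment avoids both: run the clone with `docker exec --env GITLAB_USER --env GITLAB_TOKEN ...`, use the plain `https://gitlab.isc.org/isc-private/bind9.git` URL, and add `-c credential.helper='!f() { echo username=\$GITLAB_USER; echo password=\$GITLAB_TOKEN; }; f'` to the git command. Only the clone needs them, so a separate `docker exec` for that step keeps the token away from the later `autoreconf`/`make` run. Separately, `|| true` after `pkgdiff` discards its exit status and the script ends successfully either way, so a mismatch is visible only to a signer who opens the report; printing the status or exiting non-zero after the report is copied would make the result harder to miss.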