aboutsummaryrefslogtreecommitdiff
path: root/contrib/guix
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/guix')
-rw-r--r--contrib/guix/README.md127
-rwxr-xr-xcontrib/guix/guix-attest240
-rwxr-xr-xcontrib/guix/guix-build (renamed from contrib/guix/guix-build.sh)232
-rwxr-xr-xcontrib/guix/guix-clean83
-rwxr-xr-xcontrib/guix/guix-codesign392
-rwxr-xr-xcontrib/guix/guix-verify142
-rwxr-xr-x[-rw-r--r--]contrib/guix/libexec/build.sh139
-rwxr-xr-xcontrib/guix/libexec/codesign.sh113
-rw-r--r--contrib/guix/libexec/prelude.bash66
-rw-r--r--contrib/guix/manifest.scm510
-rw-r--r--contrib/guix/patches/binutils-mingw-w64-disable-flags.patch171
-rw-r--r--contrib/guix/patches/gcc-8-sort-libtool-find-output.patch400
-rw-r--r--contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch62
-rw-r--r--contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch100
-rw-r--r--contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch72
-rw-r--r--contrib/guix/patches/glibc-ldd-x86_64.patch10
-rw-r--r--contrib/guix/patches/glibc-versioned-locpath.patch240
-rw-r--r--contrib/guix/patches/nsis-SConstruct-sde-support.patch3
-rw-r--r--contrib/guix/patches/oscrypto-hard-code-openssl.patch13
19 files changed, 2954 insertions, 161 deletions
diff --git a/contrib/guix/README.md b/contrib/guix/README.md
index e218ba89a0..e604b370e3 100644
--- a/contrib/guix/README.md
+++ b/contrib/guix/README.md
@@ -80,6 +80,50 @@ at the end of the `guix pull`)
export PATH="${HOME}/.config/guix/current/bin${PATH:+:}$PATH"
```
+### Controlling the number of threads used by `guix` build commands
+
+By default, the scripts under `./contrib/guix` will invoke all `guix` build
+commands with `--cores="$JOBS"`. Note that `$JOBS` defaults to `$(nproc)` if not
+specified. However, astute manual readers will also notice that there is a
+`--max-jobs=` flag (which defaults to 1 if unspecified).
+
+Here is the difference between `--cores=` and `--max-jobs=`:
+
+> Note: When I say "derivation," think "package"
+
+`--cores=`
+
+ - controls the number of CPU cores to build each derivation. This is the value
+ passed to `make`'s `--jobs=` flag.
+
+`--max-jobs=`
+
+ - controls how many derivations can be built in parallel
+ - defaults to 1
+
+Therefore, the default is for `guix` build commands to build one derivation at a
+time, utilizing `$JOBS` threads.
+
+Specifying the `$JOBS` environment variable will only modify `--cores=`, but you
+can also modify the value for `--max-jobs=` by specifying
+`$ADDITIONAL_GUIX_COMMON_FLAGS`. For example, if you have a LOT of memory, you
+may want to set:
+
+```sh
+export ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=8'
+```
+
+Which allows for a maximum of 8 derivations to be built at the same time, each
+utilizing `$JOBS` threads.
+
+Or, if you'd like to avoid spurious build failures caused by issues with
+parallelism within a single package, but would still like to build multiple
+packages when the dependency graph allows for it, you may want to try:
+
+```sh
+export JOBS=1 ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=8'
+```
+
## Usage
### As a Tool for Deterministic Builds
@@ -87,7 +131,7 @@ export PATH="${HOME}/.config/guix/current/bin${PATH:+:}$PATH"
From the top of a clean Bitcoin Core repository:
```sh
-./contrib/guix/guix-build.sh
+./contrib/guix/guix-build
```
After the build finishes successfully (check the status code please), compare
@@ -103,8 +147,8 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
Override the space-separated list of platform triples for which to perform a
bootstrappable build. _(defaults to "x86\_64-linux-gnu arm-linux-gnueabihf
- aarch64-linux-gnu riscv64-linux-gnu x86_64-w64-mingw32
- x86_64-apple-darwin18")_
+ aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu
+ x86\_64-w64-mingw32 x86\_64-apple-darwin18")_
* _**SOURCES_PATH**_
@@ -118,12 +162,23 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
depends tree. Setting this to the same directory across multiple builds of the
depends tree can eliminate unnecessary building of packages.
-* _**MAX_JOBS**_
+* _**SDK_PATH**_
+
+ Set the path where _extracted_ SDKs can be found. This is passed through to
+ the depends tree. Note that this is should be set to the _parent_ directory of
+ the actual SDK (e.g. SDK_PATH=$HOME/Downloads/macOS-SDKs instead of
+ $HOME/Downloads/macOS-SDKs/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers).
+
+* _**JOBS**_
+
+ Override the number of jobs to run simultaneously, you might want to do so on
+ a memory-limited machine. This may be passed to:
- Override the maximum number of jobs to run simultaneously, you might want to
- do so on a memory-limited machine. This may be passed to `make` as in `make
- --jobs="$MAX_JOBS"` or `xargs` as in `xargs -P"$MAX_JOBS"`. _(defaults to the
- value of `nproc` outside the container)_
+ - `guix` build commands as in `guix environment --cores="$JOBS"`
+ - `make` as in `make --jobs="$JOBS"`
+ - `xargs` as in `xargs -P"$JOBS"`
+
+ _(defaults to the value of `nproc` outside the container)_
* _**SOURCE_DATE_EPOCH**_
@@ -150,10 +205,7 @@ find output/ -type f -print0 | sort -z | xargs -r0 sha256sum
* _**ADDITIONAL_GUIX_COMMON_FLAGS**_
- Additional flags to be passed to all `guix` commands. For a fully-bootstrapped
- build, set this to `--bootstrap --no-substitutes` (refer to the [security
- model section](#choosing-your-security-model) for more details). Note that a
- fully-bootstrapped build will take quite a long time on the first run.
+ Additional flags to be passed to all `guix` commands.
* _**ADDITIONAL_GUIX_TIMEMACHINE_FLAGS**_
@@ -210,6 +262,57 @@ To use dongcarl's substitute server for Bitcoin Core builds after having
export SUBSTITUTE_URLS='https://guix.carldong.io https://ci.guix.gnu.org'
```
+## Troubleshooting
+
+### Derivation failed to build
+
+When you see a build failure like below:
+
+```
+building /gnu/store/...-foo-3.6.12.drv...
+/ 'check' phasenote: keeping build directory `/tmp/guix-build-foo-3.6.12.drv-0'
+builder for `/gnu/store/...-foo-3.6.12.drv' failed with exit code 1
+build of /gnu/store/...-foo-3.6.12.drv failed
+View build log at '/var/log/guix/drvs/../...-foo-3.6.12.drv.bz2'.
+cannot build derivation `/gnu/store/...-qux-7.69.1.drv': 1 dependencies couldn't be built
+cannot build derivation `/gnu/store/...-bar-3.16.5.drv': 1 dependencies couldn't be built
+cannot build derivation `/gnu/store/...-baz-2.0.5.drv': 1 dependencies couldn't be built
+guix time-machine: error: build of `/gnu/store/...-baz-2.0.5.drv' failed
+```
+
+It means that `guix` failed to build a package named `foo`, which was a
+dependency of `qux`, `bar`, and `baz`. Importantly, note that the last "failed"
+line is not necessarily the root cause, the first "failed" line is.
+
+Most of the time, the build failure is due to a spurious test failure or the
+package's build system/test suite breaking when running multi-threaded. To
+rebuild _just_ this derivation in a single-threaded fashion:
+
+```sh
+$ guix build --cores=1 /gnu/store/...-foo-3.6.12.drv
+```
+
+If the single-threaded rebuild did not succeed, you may need to dig deeper.
+You may view `foo`'s build logs in `less` like so (please replace paths with the
+path you see in the build failure output):
+
+```sh
+$ bzcat /var/log/guix/drvs/../...-foo-3.6.12.drv.bz2 | less
+```
+
+`foo`'s build directory is also preserved and available at
+`/tmp/guix-build-foo-3.6.12.drv-0`. However, if you fail to build `foo` multiple
+times, it may be `/tmp/...drv-1` or `/tmp/...drv-2`. Always consult the build
+failure output for the most accurate, up-to-date information.
+
+#### python(-minimal): [Errno 84] Invalid or incomplete multibyte or wide character
+
+This error occurs when your `$TMPDIR` (default: /tmp) exists on a filesystem
+which rejects characters not present in the UTF-8 character code set. An example
+is ZFS with the utf8only=on option set.
+
+More information: https://bugs.python.org/issue37584
+
## FAQ
### How can I trust the binary installation?
diff --git a/contrib/guix/guix-attest b/contrib/guix/guix-attest
new file mode 100755
index 0000000000..c8cf73d400
--- /dev/null
+++ b/contrib/guix/guix-attest
@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat env basename mkdir xargs find
+if [ -z "$NO_SIGN" ]; then
+ check_tools gpg
+fi
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+cat <<EOF
+Synopsis:
+
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> \\
+ SIGNER=GPG_KEY_NAME[=SIGNER_NAME] \\
+ [ NO_SIGN=1 ]
+ ./contrib/guix/guix-attest
+
+Example w/o overriding signing name:
+
+ env GUIX_SIGS_REPO=/home/achow101/guix.sigs \\
+ SIGNER=achow101 \\
+ ./contrib/guix/guix-attest
+
+Example overriding signing name:
+
+ env GUIX_SIGS_REPO=/home/dongcarl/guix.sigs \\
+ SIGNER=0x96AB007F1A7ED999=dongcarl \\
+ ./contrib/guix/guix-attest
+
+Example w/o signing, just creating SHA256SUMS:
+
+ env GUIX_SIGS_REPO=/home/achow101/guix.sigs \\
+ SIGNER=achow101 \\
+ NO_SIGN=1 \\
+ ./contrib/guix/guix-attest
+
+EOF
+}
+
+if [ -z "$GUIX_SIGS_REPO" ] || [ -z "$SIGNER" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_SIGS_REPO should exist as a directory
+################
+
+if [ ! -d "$GUIX_SIGS_REPO" ]; then
+cat << EOF
+ERR: The specified GUIX_SIGS_REPO is not an existent directory:
+
+ '$GUIX_SIGS_REPO'
+
+Hint: Please clone the guix.sigs repository and point to it with the
+ GUIX_SIGS_REPO environment variable.
+
+EOF
+cmd_usage
+exit 1
+fi
+
+################
+# The key specified in SIGNER should be usable
+################
+
+IFS='=' read -r gpg_key_name signer_name <<< "$SIGNER"
+if [ -z "${signer_name}" ]; then
+ signer_name="$gpg_key_name"
+fi
+
+if [ -z "$NO_SIGN" ] && ! gpg --dry-run --list-secret-keys "${gpg_key_name}" >/dev/null 2>&1; then
+ echo "ERR: GPG can't seem to find any key named '${gpg_key_name}'"
+ exit 1
+fi
+
+################
+# We should be able to find at least one output
+################
+
+echo "Looking for build output SHA256SUMS fragments in ${OUTDIR_BASE}"
+
+shopt -s nullglob
+sha256sum_fragments=( "$OUTDIR_BASE"/*/SHA256SUMS.part ) # This expands to an array of directories...
+shopt -u nullglob
+
+noncodesigned_fragments=()
+codesigned_fragments=()
+
+if (( ${#sha256sum_fragments[@]} )); then
+ echo "Found build output SHA256SUMS fragments:"
+ for outdir in "${sha256sum_fragments[@]}"; do
+ echo " '$outdir'"
+ case "$outdir" in
+ "$OUTDIR_BASE"/*-codesigned/SHA256SUMS.part)
+ codesigned_fragments+=("$outdir")
+ ;;
+ *)
+ noncodesigned_fragments+=("$outdir")
+ ;;
+ esac
+ done
+ echo
+else
+ echo "ERR: Could not find any build output SHA256SUMS fragments in ${OUTDIR_BASE}"
+ exit 1
+fi
+
+##############
+## Attest ##
+##############
+
+# Usage: out_name $outdir
+#
+# HOST: The output directory being attested
+#
+out_name() {
+ basename "$(dirname "$1")"
+}
+
+shasum_already_exists() {
+cat <<EOF
+--
+
+ERR: An ${1} file already exists for '${VERSION}' and attests
+ differently. You likely previously attested to a partial build (e.g. one
+ where you specified the HOST environment variable).
+
+ See the diff above for more context.
+
+Hint: You may wish to remove the existing attestations and their signatures by
+ invoking:
+
+ rm '${PWD}/${1}'{,.asc}
+
+ Then try running this script again.
+
+EOF
+}
+
+echo "Attesting to build outputs for version: '${VERSION}'"
+echo ""
+
+outsigdir="$GUIX_SIGS_REPO/$VERSION/$signer_name"
+mkdir -p "$outsigdir"
+(
+ cd "$outsigdir"
+
+ temp_noncodesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_noncodesigned"' EXIT
+
+ if (( ${#noncodesigned_fragments[@]} )); then
+ cat "${noncodesigned_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_noncodesigned"
+ if [ -e noncodesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u noncodesigned.SHA256SUMS "$temp_noncodesigned"; then
+ echo "A noncodesigned.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists noncodesigned.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_noncodesigned" noncodesigned.SHA256SUMS
+ fi
+ else
+ echo "ERR: No noncodesigned outputs found for '${VERSION}', exiting..."
+ exit 1
+ fi
+
+ temp_codesigned="$(mktemp)"
+ trap 'rm -rf -- "$temp_codesigned"' EXIT
+
+ if (( ${#codesigned_fragments[@]} )); then
+ # Note: all.SHA256SUMS attests to all of $sha256sum_fragments, but is
+ # not needed if there are no $codesigned_fragments
+ cat "${sha256sum_fragments[@]}" \
+ | sort -u \
+ | sort -k2 \
+ > "$temp_codesigned"
+ if [ -e codesigned.SHA256SUMS ]; then
+ # The SHA256SUMS already exists, make sure it's exactly what we
+ # expect, error out if not
+ if diff -u all.SHA256SUMS "$temp_codesigned"; then
+ echo "An all.SHA256SUMS file already exists for '${VERSION}' and is up-to-date."
+ else
+ shasum_already_exists all.SHA256SUMS
+ exit 1
+ fi
+ else
+ mv "$temp_codesigned" codesigned.SHA256SUMS
+ fi
+ else
+ # It is fine to have the codesigned outputs be missing (perhaps the
+ # detached codesigs have not been published yet), just print a log
+ # message instead of erroring out
+ echo "INFO: No codesigned outputs found for '${VERSION}', skipping..."
+ fi
+
+ if [ -z "$NO_SIGN" ]; then
+ echo "Signing SHA256SUMS to produce SHA256SUMS.asc"
+ for i in *.SHA256SUMS; do
+ if [ ! -e "$i".asc ]; then
+ gpg --detach-sign \
+ --local-user "$gpg_key_name" \
+ --armor \
+ --output "$i".asc "$i"
+ else
+ echo "Signature already there"
+ fi
+ done
+ else
+ echo "Not signing SHA256SUMS as \$NO_SIGN is not empty"
+ fi
+ echo ""
+)
diff --git a/contrib/guix/guix-build.sh b/contrib/guix/guix-build
index 7af132b240..29d6701b25 100755
--- a/contrib/guix/guix-build.sh
+++ b/contrib/guix/guix-build
@@ -2,22 +2,26 @@
export LC_ALL=C
set -e -o pipefail
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
###################
-## Sanity Checks ##
+## SANITY CHECKS ##
###################
################
-# Check 1: Make sure that we can invoke required tools
+# Required non-builtin commands should be invocable
################
-for cmd in git make guix cat mkdir; do
- if ! command -v "$cmd" > /dev/null 2>&1; then
- echo "ERR: This script requires that '$cmd' is installed and available in your \$PATH"
- exit 1
- fi
-done
+
+check_tools cat mkdir make git guix
################
-# Check 2: Make sure GUIX_BUILD_OPTIONS is empty
+# GUIX_BUILD_OPTIONS should be empty
################
#
# GUIX_BUILD_OPTIONS is an environment variable recognized by guix commands that
@@ -45,8 +49,9 @@ exit 1
fi
################
-# Check 3: Make sure that we're not in a dirty worktree
+# The git worktree should not be dirty
################
+
if ! git diff-index --quiet HEAD -- && [ -z "$FORCE_DIRTY_WORKTREE" ]; then
cat << EOF
ERR: The current git worktree is dirty, which may lead to broken builds.
@@ -60,12 +65,12 @@ Hint: To make your git worktree clean, You may want to:
using a dirty worktree
EOF
exit 1
-else
- GIT_COMMIT=$(git rev-parse --short=12 HEAD)
fi
+mkdir -p "$VERSION_BASE"
+
################
-# Check 4: Make sure that build directories do not exist
+# Build directories should not exist
################
# Default to building for all supported HOSTs (overridable by environment)
@@ -73,14 +78,12 @@ export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu ri
x86_64-w64-mingw32
x86_64-apple-darwin18}"
-DISTSRC_BASE="${DISTSRC_BASE:-${PWD}}"
-
# Usage: distsrc_for_host HOST
#
# HOST: The current platform triple we're building for
#
distsrc_for_host() {
- echo "${DISTSRC_BASE}/distsrc-${GIT_COMMIT}-${1}"
+ echo "${DISTSRC_BASE}/distsrc-${VERSION}-${1}"
}
# Accumulate a list of build directories that already exist...
@@ -100,24 +103,31 @@ ERR: Build directories for this commit already exist for the following platform
Aborting...
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
EOF
for host in $hosts_distsrc_exists; do
echo " ${host} '$(distsrc_for_host "$host")'"
done
exit 1
else
-
mkdir -p "$DISTSRC_BASE"
fi
################
-# Check 5: When building for darwin, make sure that the macOS SDK exists
+# When building for darwin, the macOS SDK should exists
################
for host in $HOSTS; do
case "$host" in
*darwin*)
- OSX_SDK="$(make -C "${PWD}/depends" --no-print-directory HOST="$host" print-OSX_SDK | sed 's@^[^=]\+=[[:space:]]\+@@g')"
+ OSX_SDK="$(make -C "${PWD}/depends" --no-print-directory HOST="$host" print-OSX_SDK | sed 's@^[^=]\+=@@g')"
if [ -e "$OSX_SDK" ]; then
echo "Found macOS SDK at '${OSX_SDK}', using..."
else
@@ -128,13 +138,62 @@ for host in $HOSTS; do
esac
done
+################
+# VERSION_BASE should have enough space
+################
+
+avail_KiB="$(df -Pk "$VERSION_BASE" | sed 1d | tr -s ' ' | cut -d' ' -f4)"
+total_required_KiB=0
+for host in $HOSTS; do
+ case "$host" in
+ *darwin*) required_KiB=440000 ;;
+ *mingw*) required_KiB=7600000 ;;
+ *) required_KiB=6400000 ;;
+ esac
+ total_required_KiB=$((total_required_KiB+required_KiB))
+done
+
+if (( total_required_KiB > avail_KiB )); then
+ total_required_GiB=$((total_required_KiB / 1048576))
+ avail_GiB=$((avail_KiB / 1048576))
+ echo "Performing a Bitcoin Core Guix build for the selected HOSTS requires ${total_required_GiB} GiB, however, only ${avail_GiB} GiB is available. Please free up some disk space before performing the build."
+ exit 1
+fi
+
+################
+# Check that we can connect to the guix-daemon
+################
+
+cat << EOF
+Checking that we can connect to the guix-daemon...
+
+Hint: If this hangs, you may want to try turning your guix-daemon off and on
+ again.
+
+EOF
+if ! guix gc --list-failures > /dev/null; then
+cat << EOF
+
+ERR: Failed to connect to the guix-daemon, please ensure that one is running and
+ reachable.
+EOF
+exit 1
+fi
+
+# Developer note: we could use `guix repl` for this check and run:
+#
+# (import (guix store)) (close-connection (open-connection))
+#
+# However, the internal API is likely to change more than the CLI invocation
+
+
#########
-# Setup #
+# SETUP #
#########
# Determine the maximum number of jobs to run simultaneously (overridable by
# environment)
-MAX_JOBS="${MAX_JOBS:-$(nproc)}"
+JOBS="${JOBS:-$(nproc)}"
# Usage: host_to_commonname HOST
#
@@ -149,12 +208,6 @@ host_to_commonname() {
esac
}
-# Download the depends sources now as we won't have internet access in the build
-# container
-for host in $HOSTS; do
- make -C "${PWD}/depends" -j"$MAX_JOBS" download-"$(host_to_commonname "$host")" ${V:+V=1} ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"}
-done
-
# Determine the reference time used for determinism (overridable by environment)
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
@@ -163,20 +216,98 @@ SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
time-machine() {
# shellcheck disable=SC2086
guix time-machine --url=https://github.com/dongcarl/guix.git \
- --commit=6c9d16db962a6f7155571b36eced681fd2889e23 \
- --max-jobs="$MAX_JOBS" \
+ --commit=490e39ff303f4f6873a04bfb8253755bdae1b29c \
+ --cores="$JOBS" \
--keep-failed \
+ --fallback \
${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_TIMEMACHINE_FLAGS} \
-- "$@"
}
+
+# Precious directories are those which should not be cleaned between successive
+# guix builds
+depends_precious_dir_names='SOURCES_PATH BASE_CACHE SDK_PATH'
+precious_dir_names="${depends_precious_dir_names} OUTDIR_BASE PROFILES_BASE"
+
+# Usage: contains IFS-SEPARATED-LIST ITEM
+contains() {
+ for i in ${1}; do
+ if [ "$i" = "${2}" ]; then
+ return 0 # Found!
+ fi
+ done
+ return 1
+}
+
+# If the user explicitly specified a precious directory, create it so we
+# can map it into the container
+for precious_dir_name in $precious_dir_names; do
+ precious_dir_path="${!precious_dir_name}"
+ if [ -n "$precious_dir_path" ]; then
+ if [ ! -e "$precious_dir_path" ]; then
+ mkdir -p "$precious_dir_path"
+ elif [ -L "$precious_dir_path" ]; then
+ echo "ERR: ${precious_dir_name} cannot be a symbolic link"
+ exit 1
+ elif [ ! -d "$precious_dir_path" ]; then
+ echo "ERR: ${precious_dir_name} must be a directory"
+ exit 1
+ fi
+ fi
+done
+
+mkdir -p "$VAR_BASE"
+
+# Record the _effective_ values of precious directories such that guix-clean can
+# avoid clobbering them if appropriate.
+#
+# shellcheck disable=SC2046,SC2086
+{
+ # Get depends precious dir definitions from depends
+ make -C "${PWD}/depends" \
+ --no-print-directory \
+ -- $(printf "print-%s\n" $depends_precious_dir_names)
+
+ # Get remaining precious dir definitions from the environment
+ for precious_dir_name in $precious_dir_names; do
+ precious_dir_path="${!precious_dir_name}"
+ if ! contains "$depends_precious_dir_names" "$precious_dir_name"; then
+ echo "${precious_dir_name}=${precious_dir_path}"
+ fi
+ done
+} > "${VAR_BASE}/precious_dirs"
+
# Make sure an output directory exists for our builds
-OUTDIR="${OUTDIR:-${PWD}/output}"
-[ -e "$OUTDIR" ] || mkdir -p "$OUTDIR"
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+mkdir -p "$OUTDIR_BASE"
+
+# Download the depends sources now as we won't have internet access in the build
+# container
+for host in $HOSTS; do
+ make -C "${PWD}/depends" -j"$JOBS" download-"$(host_to_commonname "$host")" ${V:+V=1} ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"}
+done
+
+# Usage: outdir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+outdir_for_host() {
+ echo "${OUTDIR_BASE}/${1}${2:+-${2}}"
+}
+
+# Usage: profiledir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+profiledir_for_host() {
+ echo "${PROFILES_BASE}/${1}${2:+-${2}}"
+}
+
#########
-# Build #
+# BUILD #
#########
# Function to be called when building for host ${1} and the user interrupts the
@@ -184,23 +315,19 @@ OUTDIR="${OUTDIR:-${PWD}/output}"
int_trap() {
cat << EOF
** INT received while building ${1}, you may want to clean up the relevant
- output, deploy, and distsrc-* directories before rebuilding
+ work directories (e.g. distsrc-*) before rebuilding
Hint: To blow everything away, you may want to use:
- $ git clean -xdff --exclude='/depends/SDKs/*'
+ $ ./contrib/guix/guix-clean
Specifically, this will remove all files without an entry in the index,
-excluding the SDK directory. Practically speaking, this means that all ignored
-and untracked files and directories will be wiped, allowing you to start anew.
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
EOF
}
-# Create SOURCES_PATH and BASE_CACHE if they are non-empty so that we can map
-# them into the container
-[ -z "$SOURCES_PATH" ] || mkdir -p "$SOURCES_PATH"
-[ -z "$BASE_CACHE" ] || mkdir -p "$BASE_CACHE"
-
# Deterministically build Bitcoin Core
# shellcheck disable=SC2153
for host in $HOSTS; do
@@ -215,15 +342,15 @@ for host in $HOSTS; do
# shellcheck disable=SC2030
cat << EOF
-INFO: Building commit ${GIT_COMMIT:?not set} for platform triple ${HOST:?not set}:
+INFO: Building ${VERSION:?not set} for platform triple ${HOST:?not set}:
...using reference timestamp: ${SOURCE_DATE_EPOCH:?not set}
- ...running at most ${MAX_JOBS:?not set} jobs
+ ...running at most ${JOBS:?not set} jobs
...from worktree directory: '${PWD}'
...bind-mounted in container to: '/bitcoin'
...in build directory: '$(distsrc_for_host "$HOST")'
...bind-mounted in container to: '$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")'
- ...outputting in: '${OUTDIR:?not set}'
- ...bind-mounted in container to: '/outdir'
+ ...outputting in: '$(outdir_for_host "$HOST")'
+ ...bind-mounted in container to: '$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST")'
EOF
# Run the build script 'contrib/guix/libexec/build.sh' in the build
@@ -298,22 +425,29 @@ EOF
--no-cwd \
--share="$PWD"=/bitcoin \
--share="$DISTSRC_BASE"=/distsrc-base \
- --share="$OUTDIR"=/outdir \
+ --share="$OUTDIR_BASE"=/outdir-base \
--expose="$(git rev-parse --git-common-dir)" \
${SOURCES_PATH:+--share="$SOURCES_PATH"} \
${BASE_CACHE:+--share="$BASE_CACHE"} \
- --max-jobs="$MAX_JOBS" \
+ ${SDK_PATH:+--share="$SDK_PATH"} \
+ --cores="$JOBS" \
--keep-failed \
+ --fallback \
+ --link-profile \
+ --root="$(profiledir_for_host "${HOST}")" \
${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_ENVIRONMENT_FLAGS} \
-- env HOST="$host" \
- MAX_JOBS="$MAX_JOBS" \
+ DISTNAME="$DISTNAME" \
+ JOBS="$JOBS" \
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:?unable to determine value}" \
${V:+V=1} \
${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"} \
${BASE_CACHE:+BASE_CACHE="$BASE_CACHE"} \
+ ${SDK_PATH:+SDK_PATH="$SDK_PATH"} \
DISTSRC="$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")" \
- OUTDIR=/outdir \
+ OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST")" \
+ DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
bash -c "cd /bitcoin && bash contrib/guix/libexec/build.sh"
)
diff --git a/contrib/guix/guix-clean b/contrib/guix/guix-clean
new file mode 100755
index 0000000000..9fa17191e8
--- /dev/null
+++ b/contrib/guix/guix-clean
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat mkdir make git guix
+
+
+#############
+## Clean ##
+#############
+
+# Usage: under_dir MAYBE_PARENT MAYBE_CHILD
+#
+# If MAYBE_CHILD is a subdirectory of MAYBE_PARENT, print the relative path
+# from MAYBE_PARENT to MAYBE_CHILD. Otherwise, return 1 as the error code.
+#
+# NOTE: This does not perform any symlink-resolving or path canonicalization.
+#
+under_dir() {
+ local path_residue
+ path_residue="${2##${1}}"
+ if [ -z "$path_residue" ] || [ "$path_residue" = "$2" ]; then
+ return 1
+ else
+ echo "$path_residue"
+ fi
+}
+
+# Usage: dir_under_git_root MAYBE_CHILD
+#
+# If MAYBE_CHILD is under the current git repository and exists, print the
+# relative path from the git repository's top-level directory to MAYBE_CHILD,
+# otherwise, exit with an error code.
+#
+dir_under_git_root() {
+ local rv
+ rv="$(under_dir "$(git_root)" "$1")"
+ [ -n "$rv" ] && echo "$rv"
+}
+
+shopt -s nullglob
+found_precious_dirs_files=( "${version_base_prefix}"*/"${var_base_basename}/precious_dirs" ) # This expands to an array of directories...
+shopt -u nullglob
+
+exclude_flags=()
+
+for precious_dirs_file in "${found_precious_dirs_files[@]}"; do
+ # Make sure the precious directories (e.g. SOURCES_PATH, BASE_CACHE, SDK_PATH)
+ # are excluded from git-clean
+ echo "Found precious_dirs file: '${precious_dirs_file}'"
+
+ # Exclude the precious_dirs file itself
+ if dirs_file_exclude_fragment=$(dir_under_git_root "$(dirname "$precious_dirs_file")"); then
+ exclude_flags+=( --exclude="${dirs_file_exclude_fragment}/precious_dirs" )
+ fi
+
+ # Read each 'name=dir' pair from the precious_dirs file
+ while IFS='=' read -r name dir; do
+ # Add an exclusion flag if the precious directory is under the git root.
+ if under=$(dir_under_git_root "$dir"); then
+ echo "Avoiding ${name}: ${under}"
+ exclude_flags+=( --exclude="$under" )
+ fi
+ done < "$precious_dirs_file"
+done
+
+git clean -xdff "${exclude_flags[@]}"
diff --git a/contrib/guix/guix-codesign b/contrib/guix/guix-codesign
new file mode 100755
index 0000000000..62853dbf4d
--- /dev/null
+++ b/contrib/guix/guix-codesign
@@ -0,0 +1,392 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## SANITY CHECKS ##
+###################
+
+################
+# Required non-builtin commands should be invocable
+################
+
+check_tools cat mkdir git guix
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+ cat <<EOF
+Synopsis:
+
+ env DETACHED_SIGS_REPO=<path/to/bitcoin-detached-sigs> \\
+ ./contrib/guix/guix-codesign
+
+EOF
+}
+
+if [ -z "$DETACHED_SIGS_REPO" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_BUILD_OPTIONS should be empty
+################
+#
+# GUIX_BUILD_OPTIONS is an environment variable recognized by guix commands that
+# can perform builds. This seems like what we want instead of
+# ADDITIONAL_GUIX_COMMON_FLAGS, but the value of GUIX_BUILD_OPTIONS is actually
+# _appended_ to normal command-line options. Meaning that they will take
+# precedence over the command-specific ADDITIONAL_GUIX_<CMD>_FLAGS.
+#
+# This seems like a poor user experience. Thus we check for GUIX_BUILD_OPTIONS's
+# existence here and direct users of this script to use our (more flexible)
+# custom environment variables.
+if [ -n "$GUIX_BUILD_OPTIONS" ]; then
+cat << EOF
+Error: Environment variable GUIX_BUILD_OPTIONS is not empty:
+ '$GUIX_BUILD_OPTIONS'
+
+Unfortunately this script is incompatible with GUIX_BUILD_OPTIONS, please unset
+GUIX_BUILD_OPTIONS and use ADDITIONAL_GUIX_COMMON_FLAGS to set build options
+across guix commands or ADDITIONAL_GUIX_<CMD>_FLAGS to set build options for a
+specific guix command.
+
+See contrib/guix/README.md for more details.
+EOF
+exit 1
+fi
+
+################
+# The codesignature git worktree should not be dirty
+################
+
+if ! git -C "$DETACHED_SIGS_REPO" diff-index --quiet HEAD -- && [ -z "$FORCE_DIRTY_WORKTREE" ]; then
+ cat << EOF
+ERR: The DETACHED CODESIGNATURE git worktree is dirty, which may lead to broken builds.
+
+ Aborting...
+
+Hint: To make your git worktree clean, You may want to:
+ 1. Commit your changes,
+ 2. Stash your changes, or
+ 3. Set the 'FORCE_DIRTY_WORKTREE' environment variable if you insist on
+ using a dirty worktree
+EOF
+ exit 1
+fi
+
+################
+# Build directories should not exist
+################
+
+# Default to building for all supported HOSTs (overridable by environment)
+export HOSTS="${HOSTS:-x86_64-w64-mingw32 x86_64-apple-darwin18}"
+
+# Usage: distsrc_for_host HOST
+#
+# HOST: The current platform triple we're building for
+#
+distsrc_for_host() {
+ echo "${DISTSRC_BASE}/distsrc-${VERSION}-${1}-codesigned"
+}
+
+# Accumulate a list of build directories that already exist...
+hosts_distsrc_exists=""
+for host in $HOSTS; do
+ if [ -e "$(distsrc_for_host "$host")" ]; then
+ hosts_distsrc_exists+=" ${host}"
+ fi
+done
+
+if [ -n "$hosts_distsrc_exists" ]; then
+# ...so that we can print them out nicely in an error message
+cat << EOF
+ERR: Build directories for this commit already exist for the following platform
+ triples you're attempting to build, probably because of previous builds.
+ Please remove, or otherwise deal with them prior to starting another build.
+
+ Aborting...
+
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
+EOF
+for host in $hosts_distsrc_exists; do
+ echo " ${host} '$(distsrc_for_host "$host")'"
+done
+exit 1
+else
+ mkdir -p "$DISTSRC_BASE"
+fi
+
+
+################
+# Unsigned tarballs SHOULD exist
+################
+
+# Usage: outdir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+outdir_for_host() {
+ echo "${OUTDIR_BASE}/${1}${2:+-${2}}"
+}
+
+
+unsigned_tarball_for_host() {
+ case "$1" in
+ *mingw*)
+ echo "$(outdir_for_host "$1")/${DISTNAME}-win-unsigned.tar.gz"
+ ;;
+ *darwin*)
+ echo "$(outdir_for_host "$1")/${DISTNAME}-osx-unsigned.tar.gz"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+# Accumulate a list of build directories that already exist...
+hosts_unsigned_tarball_missing=""
+for host in $HOSTS; do
+ if [ ! -e "$(unsigned_tarball_for_host "$host")" ]; then
+ hosts_unsigned_tarball_missing+=" ${host}"
+ fi
+done
+
+if [ -n "$hosts_unsigned_tarball_missing" ]; then
+ # ...so that we can print them out nicely in an error message
+ cat << EOF
+ERR: Unsigned tarballs do not exist
+...
+
+EOF
+for host in $hosts_unsigned_tarball_missing; do
+ echo " ${host} '$(unsigned_tarball_for_host "$host")'"
+done
+exit 1
+fi
+
+################
+# Check that we can connect to the guix-daemon
+################
+
+cat << EOF
+Checking that we can connect to the guix-daemon...
+
+Hint: If this hangs, you may want to try turning your guix-daemon off and on
+ again.
+
+EOF
+if ! guix gc --list-failures > /dev/null; then
+ cat << EOF
+
+ERR: Failed to connect to the guix-daemon, please ensure that one is running and
+ reachable.
+EOF
+ exit 1
+fi
+
+# Developer note: we could use `guix repl` for this check and run:
+#
+# (import (guix store)) (close-connection (open-connection))
+#
+# However, the internal API is likely to change more than the CLI invocation
+
+
+#########
+# SETUP #
+#########
+
+# Determine the maximum number of jobs to run simultaneously (overridable by
+# environment)
+JOBS="${JOBS:-$(nproc)}"
+
+# Determine the reference time used for determinism (overridable by environment)
+SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git log --format=%at -1)}"
+
+# Execute "$@" in a pinned, possibly older version of Guix, for reproducibility
+# across time.
+time-machine() {
+ # shellcheck disable=SC2086
+ guix time-machine --url=https://github.com/dongcarl/guix.git \
+ --commit=490e39ff303f4f6873a04bfb8253755bdae1b29c \
+ --cores="$JOBS" \
+ --keep-failed \
+ --fallback \
+ ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
+ ${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_TIMEMACHINE_FLAGS} \
+ -- "$@"
+}
+
+# Make sure an output directory exists for our builds
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+mkdir -p "$OUTDIR_BASE"
+
+# Usage: profiledir_for_host HOST SUFFIX
+#
+# HOST: The current platform triple we're building for
+#
+profiledir_for_host() {
+ echo "${PROFILES_BASE}/${1}${2:+-${2}}"
+}
+
+#########
+# BUILD #
+#########
+
+# Function to be called when codesigning for host ${1} and the user interrupts
+# the codesign
+int_trap() {
+cat << EOF
+** INT received while codesigning ${1}, you may want to clean up the relevant
+ work directories (e.g. distsrc-*) before recodesigning
+
+Hint: To blow everything away, you may want to use:
+
+ $ ./contrib/guix/guix-clean
+
+Specifically, this will remove all files without an entry in the index,
+excluding the SDK directory, the depends download cache, the depends built
+packages cache, the garbage collector roots for Guix environments, and the
+output directory.
+EOF
+}
+
+# Deterministically build Bitcoin Core
+# shellcheck disable=SC2153
+for host in $HOSTS; do
+
+ # Display proper warning when the user interrupts the build
+ trap 'int_trap ${host}' INT
+
+ (
+ # Required for 'contrib/guix/manifest.scm' to output the right manifest
+ # for the particular $HOST we're building for
+ export HOST="$host"
+
+ # shellcheck disable=SC2030
+cat << EOF
+INFO: Codesigning ${VERSION:?not set} for platform triple ${HOST:?not set}:
+ ...using reference timestamp: ${SOURCE_DATE_EPOCH:?not set}
+ ...from worktree directory: '${PWD}'
+ ...bind-mounted in container to: '/bitcoin'
+ ...in build directory: '$(distsrc_for_host "$HOST")'
+ ...bind-mounted in container to: '$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")'
+ ...outputting in: '$(outdir_for_host "$HOST" codesigned)'
+ ...bind-mounted in container to: '$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)'
+ ...using detached signatures in: '${DETACHED_SIGS_REPO:?not set}'
+ ...bind-mounted in container to: '/detached-sigs'
+EOF
+
+
+ # Run the build script 'contrib/guix/libexec/build.sh' in the build
+ # container specified by 'contrib/guix/manifest.scm'.
+ #
+ # Explanation of `guix environment` flags:
+ #
+ # --container run command within an isolated container
+ #
+ # Running in an isolated container minimizes build-time differences
+ # between machines and improves reproducibility
+ #
+ # --pure unset existing environment variables
+ #
+ # Same rationale as --container
+ #
+ # --no-cwd do not share current working directory with an
+ # isolated container
+ #
+ # When --container is specified, the default behavior is to share
+ # the current working directory with the isolated container at the
+ # same exact path (e.g. mapping '/home/satoshi/bitcoin/' to
+ # '/home/satoshi/bitcoin/'). This means that the $PWD inside the
+ # container becomes a source of irreproducibility. --no-cwd disables
+ # this behaviour.
+ #
+ # --share=SPEC for containers, share writable host file system
+ # according to SPEC
+ #
+ # --share="$PWD"=/bitcoin
+ #
+ # maps our current working directory to /bitcoin
+ # inside the isolated container, which we later cd
+ # into.
+ #
+ # While we don't want to map our current working directory to the
+ # same exact path (as this introduces irreproducibility), we do want
+ # it to be at a _fixed_ path _somewhere_ inside the isolated
+ # container so that we have something to build. '/bitcoin' was
+ # chosen arbitrarily.
+ #
+ # ${SOURCES_PATH:+--share="$SOURCES_PATH"}
+ #
+ # make the downloaded depends sources path available
+ # inside the isolated container
+ #
+ # The isolated container has no network access as it's in a
+ # different network namespace from the main machine, so we have to
+ # make the downloaded depends sources available to it. The sources
+ # should have been downloaded prior to this invocation.
+ #
+ # ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"}
+ #
+ # fetch substitute from SUBSTITUTE_URLS if they are
+ # authorized
+ #
+ # Depending on the user's security model, it may be desirable to use
+ # substitutes (pre-built packages) from servers that the user trusts.
+ # Please read the README.md in the same directory as this file for
+ # more information.
+ #
+ # shellcheck disable=SC2086,SC2031
+ time-machine environment --manifest="${PWD}/contrib/guix/manifest.scm" \
+ --container \
+ --pure \
+ --no-cwd \
+ --share="$PWD"=/bitcoin \
+ --share="$DISTSRC_BASE"=/distsrc-base \
+ --share="$OUTDIR_BASE"=/outdir-base \
+ --share="$DETACHED_SIGS_REPO"=/detached-sigs \
+ --expose="$(git rev-parse --git-common-dir)" \
+ --expose="$(git -C "$DETACHED_SIGS_REPO" rev-parse --git-common-dir)" \
+ ${SOURCES_PATH:+--share="$SOURCES_PATH"} \
+ --cores="$JOBS" \
+ --keep-failed \
+ --fallback \
+ --link-profile \
+ --root="$(profiledir_for_host "${HOST}" codesigned)" \
+ ${SUBSTITUTE_URLS:+--substitute-urls="$SUBSTITUTE_URLS"} \
+ ${ADDITIONAL_GUIX_COMMON_FLAGS} ${ADDITIONAL_GUIX_ENVIRONMENT_FLAGS} \
+ -- env HOST="$host" \
+ DISTNAME="$DISTNAME" \
+ JOBS="$JOBS" \
+ SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:?unable to determine value}" \
+ ${V:+V=1} \
+ ${SOURCES_PATH:+SOURCES_PATH="$SOURCES_PATH"} \
+ DISTSRC="$(DISTSRC_BASE=/distsrc-base && distsrc_for_host "$HOST")" \
+ OUTDIR="$(OUTDIR_BASE=/outdir-base && outdir_for_host "$HOST" codesigned)" \
+ DIST_ARCHIVE_BASE=/outdir-base/dist-archive \
+ DETACHED_SIGS_REPO=/detached-sigs \
+ UNSIGNED_TARBALL="$(OUTDIR_BASE=/outdir-base && unsigned_tarball_for_host "$HOST")" \
+ bash -c "cd /bitcoin && bash contrib/guix/libexec/codesign.sh"
+ )
+
+done
diff --git a/contrib/guix/guix-verify b/contrib/guix/guix-verify
new file mode 100755
index 0000000000..a6e2c4065e
--- /dev/null
+++ b/contrib/guix/guix-verify
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# Source the common prelude, which:
+# 1. Checks if we're at the top directory of the Bitcoin Core repository
+# 2. Defines a few common functions and variables
+#
+# shellcheck source=libexec/prelude.bash
+source "$(dirname "${BASH_SOURCE[0]}")/libexec/prelude.bash"
+
+
+###################
+## Sanity Checks ##
+###################
+
+################
+# Required non-builtin commands should be invokable
+################
+
+check_tools cat diff gpg
+
+################
+# Required env vars should be non-empty
+################
+
+cmd_usage() {
+cat <<EOF
+Synopsis:
+
+ env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify
+
+EOF
+}
+
+if [ -z "$GUIX_SIGS_REPO" ]; then
+ cmd_usage
+ exit 1
+fi
+
+################
+# GUIX_SIGS_REPO should exist as a directory
+################
+
+if [ ! -d "$GUIX_SIGS_REPO" ]; then
+cat << EOF
+ERR: The specified GUIX_SIGS_REPO is not an existent directory:
+
+ '$GUIX_SIGS_REPO'
+
+Hint: Please clone the guix.sigs repository and point to it with the
+ GUIX_SIGS_REPO environment variable.
+
+EOF
+cmd_usage
+exit 1
+fi
+
+##############
+## Verify ##
+##############
+
+OUTSIGDIR_BASE="${GUIX_SIGS_REPO}/${VERSION}"
+echo "Looking for signature directories in '${OUTSIGDIR_BASE}'"
+echo ""
+
+# Usage: verify compare_manifest current_manifest
+verify() {
+ local compare_manifest="$1"
+ local current_manifest="$2"
+ if ! gpg --quiet --batch --verify "$current_manifest".asc "$current_manifest" 1>&2; then
+ echo "ERR: Failed to verify GPG signature in '${current_manifest}'"
+ echo ""
+ echo "Hint: Either the signature is invalid or the public key is missing"
+ echo ""
+ elif ! diff --report-identical "$compare_manifest" "$current_manifest" 1>&2; then
+ echo "ERR: The SHA256SUMS attestation in these two directories differ:"
+ echo " '${compare_manifest}'"
+ echo " '${current_manifest}'"
+ echo ""
+ else
+ echo "Verified: '${current_manifest}'"
+ echo ""
+ fi
+}
+
+shopt -s nullglob
+all_noncodesigned=( "$OUTSIGDIR_BASE"/*/noncodesigned.SHA256SUMS )
+shopt -u nullglob
+
+echo "--------------------"
+echo ""
+if (( ${#all_noncodesigned[@]} )); then
+ compare_noncodesigned="${all_noncodesigned[0]}"
+
+ for current_manifest in "${all_noncodesigned[@]}"; do
+ verify "$compare_noncodesigned" "$current_manifest"
+ done
+
+ echo "DONE: Checking output signatures for noncodesigned.SHA256SUMS"
+ echo ""
+else
+ echo "WARN: No signature directories with noncodesigned.SHA256SUMS found"
+ echo ""
+fi
+
+shopt -s nullglob
+all_all=( "$OUTSIGDIR_BASE"/*/all.SHA256SUMS )
+shopt -u nullglob
+
+echo "--------------------"
+echo ""
+if (( ${#all_all[@]} )); then
+ compare_all="${all_all[0]}"
+
+ for current_manifest in "${all_all[@]}"; do
+ verify "$compare_all" "$current_manifest"
+ done
+
+ # Sanity check: there should be no entries that exist in
+ # noncodesigned.SHA256SUMS that doesn't exist in all.SHA256SUMS
+ if [[ "$(comm -23 <(sort "$compare_noncodesigned") <(sort "$compare_all") | wc -c)" -ne 0 ]]; then
+ echo "ERR: There are unique lines in noncodesigned.SHA256SUMS which"
+ echo " do not exist in all.SHA256SUMS, something went very wrong."
+ exit 1
+ fi
+
+ echo "DONE: Checking output signatures for all.SHA256SUMS"
+ echo ""
+else
+ echo "WARN: No signature directories with all.SHA256SUMS found"
+ echo ""
+fi
+
+echo "===================="
+echo ""
+if (( ${#all_noncodesigned[@]} + ${#all_all[@]} == 0 )); then
+ echo "ERR: Unable to perform any verifications as no signature directories"
+ echo " were found"
+ echo ""
+ exit 1
+fi
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 119fe04c75..0b96949a6b 100644..100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -3,7 +3,7 @@ export LC_ALL=C
set -e -o pipefail
export TZ=UTC
-# Althought Guix _does_ set umask when building its own packages (in our case,
+# Although Guix _does_ set umask when building its own packages (in our case,
# this is all packages in manifest.scm), it does not set it for `guix
# environment`. It does make sense for at least `guix environment --container`
# to set umask, so if that change gets merged upstream and we bump the
@@ -24,13 +24,18 @@ fi
# Check that required environment variables are set
cat << EOF
Required environment variables as seen inside the container:
+ DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
+ DISTNAME: ${DISTNAME:?not set}
HOST: ${HOST:?not set}
SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}
- MAX_JOBS: ${MAX_JOBS:?not set}
+ JOBS: ${JOBS:?not set}
DISTSRC: ${DISTSRC:?not set}
OUTDIR: ${OUTDIR:?not set}
EOF
+ACTUAL_OUTDIR="${OUTDIR}"
+OUTDIR="${DISTSRC}/output"
+
#####################
# Environment Setup #
#####################
@@ -52,23 +57,36 @@ store_path() {
# Set environment variables to point the NATIVE toolchain to the right
# includes/libs
NATIVE_GCC="$(store_path gcc-toolchain)"
-export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC}/lib64"
-export CPATH="${NATIVE_GCC}/include"
+NATIVE_GCC_STATIC="$(store_path gcc-toolchain static)"
+
+unset LIBRARY_PATH
+unset CPATH
unset C_INCLUDE_PATH
unset CPLUS_INCLUDE_PATH
+unset OBJC_INCLUDE_PATH
+unset OBJCPLUS_INCLUDE_PATH
+
+export LIBRARY_PATH="${NATIVE_GCC}/lib:${NATIVE_GCC}/lib64:${NATIVE_GCC_STATIC}/lib:${NATIVE_GCC_STATIC}/lib64"
+export C_INCLUDE_PATH="${NATIVE_GCC}/include"
+export CPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
+export OBJC_INCLUDE_PATH="${NATIVE_GCC}/include"
+export OBJCPLUS_INCLUDE_PATH="${NATIVE_GCC}/include/c++:${NATIVE_GCC}/include"
+
+prepend_to_search_env_var() {
+ export "${1}=${2}${!1:+:}${!1}"
+}
+
case "$HOST" in
*darwin*)
- # When targeting darwin, some native tools built by depends require
- # native packages not incorporated in depends
- #
- # libcap required by native_cdrkit/wodim
- # zlib, bzip2 required by native_cdrkit/genisoimage
- for native_pkg in libcap zlib bzip2; do
- native_pkg_store_path=$(store_path "$native_pkg")
- export LIBRARY_PATH="${native_pkg_store_path}/lib:${LIBRARY_PATH}"
- export CPATH="${native_pkg_store_path}/include:${CPATH}"
- done
- ;;
+ # When targeting darwin, zlib is required by native_libdmg-hfsplus.
+ zlib_store_path=$(store_path "zlib")
+ zlib_static_store_path=$(store_path "zlib" static)
+
+ prepend_to_search_env_var LIBRARY_PATH "${zlib_static_store_path}/lib:${zlib_store_path}/lib"
+ prepend_to_search_env_var C_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var CPLUS_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var OBJC_INCLUDE_PATH "${zlib_store_path}/include"
+ prepend_to_search_env_var OBJCPLUS_INCLUDE_PATH "${zlib_store_path}/include"
esac
# Set environment variables to point the CROSS toolchain to the right
@@ -160,8 +178,6 @@ case "$HOST" in
esac
# Environment variables for determinism
-export QT_RCC_TEST=1
-export QT_RCC_SOURCE_DATE_OVERRIDE=1
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
export TZ="UTC"
case "$HOST" in
@@ -180,10 +196,11 @@ esac
####################
# Build the depends tree, overriding variables that assume multilib gcc
-make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
+make -C depends --jobs="$JOBS" HOST="$HOST" \
${V:+V=1} \
${SOURCES_PATH+SOURCES_PATH="$SOURCES_PATH"} \
${BASE_CACHE+BASE_CACHE="$BASE_CACHE"} \
+ ${SDK_PATH+SDK_PATH="$SDK_PATH"} \
i686_linux_CC=i686-linux-gnu-gcc \
i686_linux_CXX=i686-linux-gnu-g++ \
i686_linux_AR=i686-linux-gnu-ar \
@@ -197,6 +214,7 @@ make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
x86_64_linux_NM=x86_64-linux-gnu-nm \
x86_64_linux_STRIP=x86_64-linux-gnu-strip \
qt_config_opts_i686_linux='-platform linux-g++ -xplatform bitcoin-linux-g++' \
+ qt_config_opts_x86_64_linux='-platform linux-g++ -xplatform bitcoin-linux-g++' \
FORCE_USE_SYSTEM_CLANG=1
@@ -204,18 +222,17 @@ make -C depends --jobs="$MAX_JOBS" HOST="$HOST" \
# Source Tarball Building #
###########################
-# Define DISTNAME variable.
-# shellcheck source=contrib/gitian-descriptors/assign_DISTNAME
-source contrib/gitian-descriptors/assign_DISTNAME
-
-GIT_ARCHIVE="${OUTDIR}/src/${DISTNAME}.tar.gz"
+GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}.tar.gz"
# Create the source tarball if not already there
if [ ! -e "$GIT_ARCHIVE" ]; then
mkdir -p "$(dirname "$GIT_ARCHIVE")"
+ touch "${DIST_ARCHIVE_BASE}"/SKIPATTEST.TAG
git archive --prefix="${DISTNAME}/" --output="$GIT_ARCHIVE" HEAD
fi
+mkdir -p "$OUTDIR"
+
###########################
# Binary Tarball Building #
###########################
@@ -223,7 +240,7 @@ fi
# CONFIGFLAGS
CONFIGFLAGS="--enable-reduce-exports --disable-bench --disable-gui-tests --disable-fuzz-binary"
case "$HOST" in
- *linux*) CONFIGFLAGS+=" --enable-glibc-back-compat" ;;
+ *linux*) CONFIGFLAGS+=" --disable-threadlocal" ;;
esac
# CFLAGS
@@ -243,8 +260,15 @@ case "$HOST" in
*mingw*) HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
esac
+# Using --no-tls-get-addr-optimize retains compatibility with glibc 2.17, by
+# avoiding a PowerPC64 optimisation available in glibc 2.22 and later.
+# https://sourceware.org/binutils/docs-2.35/ld/PowerPC64-ELF64.html
+case "$HOST" in
+ *powerpc64*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,--no-tls-get-addr-optimize" ;;
+esac
+
case "$HOST" in
- powerpc64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
+ powerpc64-linux-*|riscv64-linux-*) HOST_LDFLAGS="${HOST_LDFLAGS} -Wl,-z,noexecstack" ;;
esac
# Make $HOST-specific native binaries from depends available in $PATH
@@ -273,14 +297,17 @@ mkdir -p "$DISTSRC"
sed -i.old 's/-lstdc++ //g' config.status libtool src/univalue/config.status src/univalue/libtool
# Build Bitcoin Core
- make --jobs="$MAX_JOBS" ${V:+V=1}
+ make --jobs="$JOBS" ${V:+V=1}
- # Perform basic ELF security checks on a series of executables.
+ # Check that symbol/security checks tools are sane.
+ make test-security-check ${V:+V=1}
+ # Perform basic security checks on a series of executables.
make -C src --jobs=1 check-security ${V:+V=1}
- # Check that executables only contain allowed gcc, glibc and libstdc++
- # version symbols for Linux distro back-compatibility.
+ # Check that executables only contain allowed version symbols.
make -C src --jobs=1 check-symbols ${V:+V=1}
+ mkdir -p "$OUTDIR"
+
# Make the os-specific installers
case "$HOST" in
*mingw*)
@@ -312,9 +339,6 @@ mkdir -p "$DISTSRC"
osx_volname \
contrib/macdeploy/detached-sig-{apply,create}.sh \
"${BASEPREFIX}/${HOST}"/native/bin/dmg
- for util in codesign_allocate pagestuff; do
- cp --no-target-directory {"${BASEPREFIX}/${HOST}/native/bin/${HOST}-","unsigned-app-${HOST}/"}"$util"
- done
mv --target-directory="unsigned-app-${HOST}" dist
(
cd "unsigned-app-${HOST}"
@@ -350,7 +374,7 @@ mkdir -p "$DISTSRC"
{
find "${DISTNAME}/bin" -type f -executable -print0
find "${DISTNAME}/lib" -type f -print0
- } | xargs -0 -n1 -P"$MAX_JOBS" -I{} "${DISTSRC}/contrib/devtools/split-debug.sh" {} {} {}.dbg
+ } | xargs -0 -n1 -P"$JOBS" -I{} "${DISTSRC}/contrib/devtools/split-debug.sh" {} {} {}.dbg
;;
esac
@@ -400,21 +424,36 @@ mkdir -p "$DISTSRC"
|| ( rm -f "${OUTDIR}/${DISTNAME}-${HOST//x86_64-apple-darwin18/osx64}.tar.gz" && exit 1 )
;;
esac
- )
-)
+ ) # $DISTSRC/installed
-case "$HOST" in
- *mingw*)
- cp -rf --target-directory=. contrib/windeploy
- (
- cd ./windeploy
- mkdir unsigned
- cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
- find . -print0 \
- | sort --zero-terminated \
- | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
- | gzip -9n > "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" \
- || ( rm -f "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" && exit 1 )
- )
- ;;
-esac
+ case "$HOST" in
+ *mingw*)
+ cp -rf --target-directory=. contrib/windeploy
+ (
+ cd ./windeploy
+ mkdir -p unsigned
+ cp --target-directory=unsigned/ "${OUTDIR}/${DISTNAME}-win64-setup-unsigned.exe"
+ find . -print0 \
+ | sort --zero-terminated \
+ | tar --create --no-recursion --mode='u+rw,go+r-w,a+X' --null --files-from=- \
+ | gzip -9n > "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" \
+ || ( rm -f "${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz" && exit 1 )
+ )
+ ;;
+ esac
+) # $DISTSRC
+
+rm -rf "$ACTUAL_OUTDIR"
+mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
+ || ( rm -rf "$ACTUAL_OUTDIR" && exit 1 )
+
+(
+ cd /outdir-base
+ {
+ echo "$GIT_ARCHIVE"
+ find "$ACTUAL_OUTDIR" -type f
+ } | xargs realpath --relative-base="$PWD" \
+ | xargs sha256sum \
+ | sort -k2 \
+ | sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
+)
diff --git a/contrib/guix/libexec/codesign.sh b/contrib/guix/libexec/codesign.sh
new file mode 100755
index 0000000000..f484ac5774
--- /dev/null
+++ b/contrib/guix/libexec/codesign.sh
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+export TZ=UTC
+
+# Although Guix _does_ set umask when building its own packages (in our case,
+# this is all packages in manifest.scm), it does not set it for `guix
+# environment`. It does make sense for at least `guix environment --container`
+# to set umask, so if that change gets merged upstream and we bump the
+# time-machine to a commit which includes the aforementioned change, we can
+# remove this line.
+#
+# This line should be placed before any commands which creates files.
+umask 0022
+
+if [ -n "$V" ]; then
+ # Print both unexpanded (-v) and expanded (-x) forms of commands as they are
+ # read from this file.
+ set -vx
+ # Set VERBOSE for CMake-based builds
+ export VERBOSE="$V"
+fi
+
+# Check that required environment variables are set
+cat << EOF
+Required environment variables as seen inside the container:
+ UNSIGNED_TARBALL: ${UNSIGNED_TARBALL:?not set}
+ DETACHED_SIGS_REPO: ${DETACHED_SIGS_REPO:?not set}
+ DIST_ARCHIVE_BASE: ${DIST_ARCHIVE_BASE:?not set}
+ DISTNAME: ${DISTNAME:?not set}
+ HOST: ${HOST:?not set}
+ SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:?not set}
+ DISTSRC: ${DISTSRC:?not set}
+ OUTDIR: ${OUTDIR:?not set}
+EOF
+
+ACTUAL_OUTDIR="${OUTDIR}"
+OUTDIR="${DISTSRC}/output"
+
+git_head_version() {
+ local recent_tag
+ if recent_tag="$(git -C "$1" describe --exact-match HEAD 2> /dev/null)"; then
+ echo "${recent_tag#v}"
+ else
+ git -C "$1" rev-parse --short=12 HEAD
+ fi
+}
+
+CODESIGNATURE_GIT_ARCHIVE="${DIST_ARCHIVE_BASE}/${DISTNAME}-codesignatures-$(git_head_version "$DETACHED_SIGS_REPO").tar.gz"
+
+# Create the codesignature tarball if not already there
+if [ ! -e "$CODESIGNATURE_GIT_ARCHIVE" ]; then
+ mkdir -p "$(dirname "$CODESIGNATURE_GIT_ARCHIVE")"
+ git -C "$DETACHED_SIGS_REPO" archive --output="$CODESIGNATURE_GIT_ARCHIVE" HEAD
+fi
+
+mkdir -p "$OUTDIR"
+
+mkdir -p "$DISTSRC"
+(
+ cd "$DISTSRC"
+
+ tar -xf "$UNSIGNED_TARBALL"
+
+ mkdir -p codesignatures
+ tar -C codesignatures -xf "$CODESIGNATURE_GIT_ARCHIVE"
+
+ case "$HOST" in
+ *mingw*)
+ find "$PWD" -name "*-unsigned.exe" | while read -r infile; do
+ infile_base="$(basename "$infile")"
+
+ # Codesigned *-unsigned.exe and output to OUTDIR
+ osslsigncode attach-signature \
+ -in "$infile" \
+ -out "${OUTDIR}/${infile_base/-unsigned}" \
+ -sigin codesignatures/win/"$infile_base".pem
+ done
+ ;;
+ *darwin*)
+ # Apply detached codesignatures to dist/ (in-place)
+ signapple apply dist/Bitcoin-Qt.app codesignatures/osx/dist
+
+ # Make an uncompressed DMG from dist/
+ xorrisofs -D -l -V "$(< osx_volname)" -no-pad -r -dir-mode 0755 \
+ -o uncompressed.dmg \
+ dist \
+ -- -volume_date all_file_dates ="$SOURCE_DATE_EPOCH"
+
+ # Compress uncompressed.dmg and output to OUTDIR
+ ./dmg dmg uncompressed.dmg "${OUTDIR}/${DISTNAME}-osx-signed.dmg"
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+) # $DISTSRC
+
+rm -rf "$ACTUAL_OUTDIR"
+mv --no-target-directory "$OUTDIR" "$ACTUAL_OUTDIR" \
+ || ( rm -rf "$ACTUAL_OUTDIR" && exit 1 )
+
+(
+ cd /outdir-base
+ {
+ echo "$UNSIGNED_TARBALL"
+ echo "$CODESIGNATURE_GIT_ARCHIVE"
+ find "$ACTUAL_OUTDIR" -type f
+ } | xargs realpath --relative-base="$PWD" \
+ | xargs sha256sum \
+ | sort -k2 \
+ | sponge "$ACTUAL_OUTDIR"/SHA256SUMS.part
+)
diff --git a/contrib/guix/libexec/prelude.bash b/contrib/guix/libexec/prelude.bash
new file mode 100644
index 0000000000..9705607119
--- /dev/null
+++ b/contrib/guix/libexec/prelude.bash
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+export LC_ALL=C
+set -e -o pipefail
+
+# shellcheck source=../../shell/realpath.bash
+source contrib/shell/realpath.bash
+
+# shellcheck source=../../shell/git-utils.bash
+source contrib/shell/git-utils.bash
+
+################
+# Required non-builtin commands should be invocable
+################
+
+check_tools() {
+ for cmd in "$@"; do
+ if ! command -v "$cmd" > /dev/null 2>&1; then
+ echo "ERR: This script requires that '$cmd' is installed and available in your \$PATH"
+ exit 1
+ fi
+ done
+}
+
+check_tools cat env readlink dirname basename git
+
+################
+# We should be at the top directory of the repository
+################
+
+same_dir() {
+ local resolved1 resolved2
+ resolved1="$(bash_realpath "${1}")"
+ resolved2="$(bash_realpath "${2}")"
+ [ "$resolved1" = "$resolved2" ]
+}
+
+if ! same_dir "${PWD}" "$(git_root)"; then
+cat << EOF
+ERR: This script must be invoked from the top level of the git repository
+
+Hint: This may look something like:
+ env FOO=BAR ./contrib/guix/guix-<blah>
+
+EOF
+exit 1
+fi
+
+################
+# Set common variables
+################
+
+VERSION="${VERSION:-$(git_head_version)}"
+DISTNAME="${DISTNAME:-bitcoin-${VERSION}}"
+
+version_base_prefix="${PWD}/guix-build-"
+VERSION_BASE="${version_base_prefix}${VERSION}" # TOP
+
+DISTSRC_BASE="${DISTSRC_BASE:-${VERSION_BASE}}"
+
+OUTDIR_BASE="${OUTDIR_BASE:-${VERSION_BASE}/output}"
+
+var_base_basename="var"
+VAR_BASE="${VAR_BASE:-${VERSION_BASE}/${var_base_basename}}"
+
+profiles_base_basename="profiles"
+PROFILES_BASE="${PROFILES_BASE:-${VAR_BASE}/${profiles_base_basename}}"
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index fb585b7f25..e71cf52533 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -3,12 +3,15 @@
(gnu packages autotools)
(gnu packages base)
(gnu packages bash)
+ (gnu packages bison)
+ (gnu packages certs)
(gnu packages cdrom)
(gnu packages check)
(gnu packages cmake)
(gnu packages commencement)
(gnu packages compression)
(gnu packages cross-base)
+ (gnu packages curl)
(gnu packages file)
(gnu packages gawk)
(gnu packages gcc)
@@ -19,16 +22,21 @@
(gnu packages linux)
(gnu packages llvm)
(gnu packages mingw)
+ (gnu packages moreutils)
(gnu packages perl)
(gnu packages pkg-config)
(gnu packages python)
+ (gnu packages python-web)
(gnu packages shells)
+ (gnu packages tls)
(gnu packages version-control)
(guix build-system font)
(guix build-system gnu)
+ (guix build-system python)
(guix build-system trivial)
(guix download)
(guix gexp)
+ (guix git-download)
((guix licenses) #:prefix license:)
(guix packages)
(guix profiles)
@@ -49,28 +57,32 @@ we link against libssp.so, and thus will ensure that this works properly.
Taken from:
http://www.linuxfromscratch.org/hlfs/view/development/chapter05/gcc-pass1.html"
(package
- (inherit xgcc)
- (arguments
- (substitute-keyword-arguments (package-arguments xgcc)
- ((#:make-flags flags)
- `(cons "gcc_cv_libc_provides_ssp=yes" ,flags))))))
+ (inherit xgcc)
+ (arguments
+ (substitute-keyword-arguments (package-arguments xgcc)
+ ((#:make-flags flags)
+ `(cons "gcc_cv_libc_provides_ssp=yes" ,flags))))))
(define (make-gcc-rpath-link xgcc)
"Given a XGCC package, return a modified package that replace each instance of
-rpath in the default system spec that's inserted by Guix with -rpath-link"
(package
- (inherit xgcc)
- (arguments
- (substitute-keyword-arguments (package-arguments xgcc)
- ((#:phases phases)
- `(modify-phases ,phases
- (add-after 'pre-configure 'replace-rpath-with-rpath-link
- (lambda _
- (substitute* (cons "gcc/config/rs6000/sysv4.h"
- (find-files "gcc/config"
- "^gnu-user.*\\.h$"))
- (("-rpath=") "-rpath-link="))
- #t))))))))
+ (inherit xgcc)
+ (arguments
+ (substitute-keyword-arguments (package-arguments xgcc)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-after 'pre-configure 'replace-rpath-with-rpath-link
+ (lambda _
+ (substitute* (cons "gcc/config/rs6000/sysv4.h"
+ (find-files "gcc/config"
+ "^gnu-user.*\\.h$"))
+ (("-rpath=") "-rpath-link="))
+ #t))))))))
+
+(define (make-binutils-with-mingw-w64-disable-flags xbinutils)
+ (package-with-extra-patches xbinutils
+ (search-our-patches "binutils-mingw-w64-disable-flags.patch")))
(define (make-cross-toolchain target
base-gcc-for-libc
@@ -123,30 +135,48 @@ chain for " target " development."))
(home-page (package-home-page xgcc))
(license (package-license xgcc)))))
+(define base-gcc
+ (package-with-extra-patches gcc-8
+ (search-our-patches "gcc-8-sort-libtool-find-output.patch")))
+
+;; Building glibc with stack smashing protector first landed in glibc 2.25, use
+;; this function to disable for older glibcs
+;;
+;; From glibc 2.25 changelog:
+;;
+;; * Most of glibc can now be built with the stack smashing protector enabled.
+;; It is recommended to build glibc with --enable-stack-protector=strong.
+;; Implemented by Nick Alcock (Oracle).
+(define (make-glibc-without-ssp xglibc)
+ (package-with-extra-configure-variable
+ (package-with-extra-configure-variable
+ xglibc "libc_cv_ssp" "no")
+ "libc_cv_ssp_strong" "no"))
+
(define* (make-bitcoin-cross-toolchain target
- #:key
- (base-gcc-for-libc gcc-5)
- (base-kernel-headers linux-libre-headers-4.19)
- (base-libc glibc-2.27)
- (base-gcc (make-gcc-rpath-link gcc-9)))
+ #:key
+ (base-gcc-for-libc gcc-7)
+ (base-kernel-headers linux-libre-headers-5.4)
+ (base-libc (make-glibc-without-ssp glibc-2.24))
+ (base-gcc (make-gcc-rpath-link base-gcc)))
"Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
desirable for building Bitcoin Core release binaries."
(make-cross-toolchain target
- base-gcc-for-libc
- base-kernel-headers
- base-libc
- base-gcc))
+ base-gcc-for-libc
+ base-kernel-headers
+ base-libc
+ base-gcc))
(define (make-gcc-with-pthreads gcc)
(package-with-extra-configure-variable gcc "--enable-threads" "posix"))
(define (make-mingw-pthreads-cross-toolchain target)
"Create a cross-compilation toolchain package for TARGET"
- (let* ((xbinutils (cross-binutils target))
+ (let* ((xbinutils (make-binutils-with-mingw-w64-disable-flags (cross-binutils target)))
(pthreads-xlibc mingw-w64-x86_64-winpthreads)
(pthreads-xgcc (make-gcc-with-pthreads
(cross-gcc target
- #:xgcc (make-ssp-fixed-gcc gcc-9)
+ #:xgcc (make-ssp-fixed-gcc base-gcc)
#:xbinutils xbinutils
#:libc pthreads-xlibc))))
;; Define a meta-package that propagates the resulting XBINUTILS, XLIBC, and
@@ -174,22 +204,398 @@ chain for " target " development."))
(define-public font-tuffy
(package
- (name "font-tuffy")
- (version "20120614")
+ (name "font-tuffy")
+ (version "20120614")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://tulrich.com/fonts/tuffy-" version ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "02vf72bgrp30vrbfhxjw82s115z27dwfgnmmzfb0n9wfhxxfpyf6"))))
+ (build-system font-build-system)
+ (home-page "http://tulrich.com/fonts/")
+ (synopsis "The Tuffy Truetype Font Family")
+ (description
+ "Thatcher Ulrich's first outline font design. He started with the goal of producing a neutral, readable sans-serif text font. There are lots of \"expressive\" fonts out there, but he wanted to start with something very plain and clean, something he might want to actually use. ")
+ (license license:public-domain)))
+
+(define-public lief
+ (package
+ (name "python-lief")
+ (version "0.11.5")
(source
(origin
- (method url-fetch)
- (uri (string-append "http://tulrich.com/fonts/tuffy-" version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/lief-project/LIEF.git")
+ (commit version)))
+ (file-name (git-file-name name version))
(sha256
(base32
- "02vf72bgrp30vrbfhxjw82s115z27dwfgnmmzfb0n9wfhxxfpyf6"))))
- (build-system font-build-system)
- (home-page "http://tulrich.com/fonts/")
- (synopsis "The Tuffy Truetype Font Family")
- (description
- "Thatcher Ulrich's first outline font design. He started with the goal of producing a neutral, readable sans-serif text font. There are lots of \"expressive\" fonts out there, but he wanted to start with something very plain and clean, something he might want to actually use. ")
- (license license:public-domain)))
+ "0qahjfg1n0x76ps2mbyljvws1l3qhkqvmxqbahps4qgywl2hbdkj"))))
+ (build-system python-build-system)
+ (native-inputs
+ `(("cmake" ,cmake)))
+ (home-page "https://github.com/lief-project/LIEF")
+ (synopsis "Library to Instrument Executable Formats")
+ (description "Python library to to provide a cross platform library which can
+parse, modify and abstract ELF, PE and MachO formats.")
+ (license license:asl2.0)))
+
+(define osslsigncode
+ (package
+ (name "osslsigncode")
+ (version "2.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/mtrojnar/"
+ name "/archive/" version ".tar.gz"))
+ (sha256
+ (base32
+ "0byri6xny770wwb2nciq44j5071122l14bvv65axdd70nfjf0q2s"))))
+ (build-system gnu-build-system)
+ (native-inputs
+ `(("pkg-config" ,pkg-config)
+ ("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("libtool" ,libtool)))
+ (inputs
+ `(("openssl" ,openssl)))
+ (arguments
+ `(#:configure-flags
+ `("--without-gsf"
+ "--without-curl"
+ "--disable-dependency-tracking")))
+ (home-page "https://github.com/mtrojnar/osslsigncode")
+ (synopsis "Authenticode signing and timestamping tool")
+ (description "osslsigncode is a small tool that implements part of the
+functionality of the Microsoft tool signtool.exe - more exactly the Authenticode
+signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and
+thus should be able to compile on most platforms where these exist.")
+ (license license:gpl3+))) ; license is with openssl exception
+
+(define-public python-asn1crypto
+ (package
+ (name "python-asn1crypto")
+ (version "1.4.0")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wbond/asn1crypto")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "19abibn6jw20mzi1ln4n9jjvpdka8ygm4m439hplyrdfqbvgm01r"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases
+ (modify-phases %standard-phases
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests"))))))
+ (home-page "https://github.com/wbond/asn1crypto")
+ (synopsis "ASN.1 parser and serializer in Python")
+ (description "asn1crypto is an ASN.1 parser and serializer with definitions
+for private keys, public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7,
+PKCS#8, PKCS#12, PKCS#5, X.509 and TSP.")
+ (license license:expat)))
+
+(define-public python-elfesteem
+ (let ((commit "87bbd79ab7e361004c98cc8601d4e5f029fd8bd5"))
+ (package
+ (name "python-elfesteem")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/LRGH/elfesteem")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "1nyvjisvyxyxnd0023xjf5846xd03lwawp5pfzr8vrky7wwm5maz"))))
+ (build-system python-build-system)
+ ;; There are no tests, but attempting to run python setup.py test leads to
+ ;; PYTHONPATH problems, just disable the test
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/LRGH/elfesteem")
+ (synopsis "ELF/PE/Mach-O parsing library")
+ (description "elfesteem parses ELF, PE and Mach-O files.")
+ (license license:lgpl2.1))))
+
+(define-public python-oscrypto
+ (package
+ (name "python-oscrypto")
+ (version "1.2.1")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wbond/oscrypto")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1d4d8s4z340qhvb3g5m5v3436y3a71yc26wk4749q64m09kxqc3l"))
+ (patches (search-our-patches "oscrypto-hard-code-openssl.patch"))))
+ (build-system python-build-system)
+ (native-search-paths
+ (list (search-path-specification
+ (variable "SSL_CERT_FILE")
+ (file-type 'regular)
+ (separator #f) ;single entry
+ (files '("etc/ssl/certs/ca-certificates.crt")))))
+
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("openssl" ,openssl)))
+ (arguments
+ `(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'hard-code-path-to-libscrypt
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((openssl (assoc-ref inputs "openssl")))
+ (substitute* "oscrypto/__init__.py"
+ (("@GUIX_OSCRYPTO_USE_OPENSSL@")
+ (string-append openssl "/lib/libcrypto.so" "," openssl "/lib/libssl.so")))
+ #t)))
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ ;; This test is broken as there is no keyboard interrupt.
+ (substitute* "tests/test_trust_list.py"
+ (("^(.*)class TrustListTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_tls.py"
+ (("^(.*)class TLSTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ #t))
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests")
+ #t)))))
+ (home-page "https://github.com/wbond/oscrypto")
+ (synopsis "Compiler-free Python crypto library backed by the OS")
+ (description "oscrypto is a compilation-free, always up-to-date encryption library for Python.")
+ (license license:expat)))
+
+(define-public python-oscryptotests
+ (package (inherit python-oscrypto)
+ (name "python-oscryptotests")
+ (arguments
+ `(#:tests? #f
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'hard-code-path-to-libscrypt
+ (lambda* (#:key inputs #:allow-other-keys)
+ (chdir "tests")
+ #t)))))))
+
+(define-public python-certvalidator
+ (let ((commit "e5bdb4bfcaa09fa0af355eb8867d00dfeecba08c"))
+ (package
+ (name "python-certvalidator")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/achow101/certvalidator")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "18pvxkvpkfkzgvfylv0kx65pmxfcv1hpsg03cip93krfvrrl4c75"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("python-oscrypto" ,python-oscrypto)
+ ("python-oscryptotests", python-oscryptotests))) ;; certvalidator tests import oscryptotests
+ (arguments
+ `(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ (substitute* "tests/test_certificate_validator.py"
+ (("^(.*)class CertificateValidatorTests" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_crl_client.py"
+ (("^(.*)def test_fetch_crl" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_ocsp_client.py"
+ (("^(.*)def test_fetch_ocsp" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_registry.py"
+ (("^(.*)def test_build_paths" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "tests/test_validate.py"
+ (("^(.*)def test_revocation_mode_hard" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ #t))
+ (replace 'check
+ (lambda _
+ (invoke "python" "run.py" "tests")
+ #t)))))
+ (home-page "https://github.com/wbond/certvalidator")
+ (synopsis "Python library for validating X.509 certificates and paths")
+ (description "certvalidator is a Python library for validating X.509
+certificates or paths. Supports various options, including: validation at a
+specific moment in time, whitelisting and revocation checks.")
+ (license license:expat))))
+
+(define-public python-requests-2.25.1
+ (package (inherit python-requests)
+ (version "2.25.1")
+ (source (origin
+ (method url-fetch)
+ (uri (pypi-uri "requests" version))
+ (sha256
+ (base32
+ "015qflyqsgsz09gnar69s6ga74ivq5kch69s4qxz3904m7a3v5r7"))))))
+
+(define-public python-altgraph
+ (package
+ (name "python-altgraph")
+ (version "0.17")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ronaldoussoren/altgraph")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "09sm4srvvkw458pn48ga9q7ykr4xlz7q8gh1h9w7nxpf001qgpwb"))))
+ (build-system python-build-system)
+ (home-page "https://github.com/ronaldoussoren/altgraph")
+ (synopsis "Python graph (network) package")
+ (description "altgraph is a fork of graphlib: a graph (network) package for
+constructing graphs, BFS and DFS traversals, topological sort, shortest paths,
+etc. with graphviz output.")
+ (license license:expat)))
+
+
+(define-public python-macholib
+ (package
+ (name "python-macholib")
+ (version "1.14")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/ronaldoussoren/macholib")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0aislnnfsza9wl4f0vp45ivzlc0pzhp9d4r08700slrypn5flg42"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-altgraph" ,python-altgraph)))
+ (arguments
+ '(#:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'disable-broken-tests
+ (lambda _
+ ;; This test is broken as there is no keyboard interrupt.
+ (substitute* "macholib_tests/test_command_line.py"
+ (("^(.*)class TestCmdLine" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line)))
+ (substitute* "macholib_tests/test_dyld.py"
+ (("^(.*)def test_\\S+_find" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line))
+ (("^(.*)def testBasic" line indent)
+ (string-append indent
+ "@unittest.skip(\"Disabled by Guix\")\n"
+ line))
+ )
+ #t)))))
+ (home-page "https://github.com/ronaldoussoren/macholib")
+ (synopsis "Python library for analyzing and editing Mach-O headers")
+ (description "macholib is a Macho-O header analyzer and editor. It's
+typically used as a dependency analysis tool, and also to rewrite dylib
+references in Mach-O headers to be @executable_path relative. Though this tool
+targets a platform specific file format, it is pure python code that is platform
+and endian independent.")
+ (license license:expat)))
+
+(define-public python-signapple
+ (let ((commit "b084cbbf44d5330448ffce0c7d118f75781b64bd"))
+ (package
+ (name "python-signapple")
+ (version (git-version "0.1" "1" commit))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/achow101/signapple")
+ (commit commit)))
+ (file-name (git-file-name name commit))
+ (sha256
+ (base32
+ "0k7inccl2mzac3wq4asbr0kl8s4cghm8982z54kfascqg45shv01"))))
+ (build-system python-build-system)
+ (propagated-inputs
+ `(("python-asn1crypto" ,python-asn1crypto)
+ ("python-oscrypto" ,python-oscrypto)
+ ("python-certvalidator" ,python-certvalidator)
+ ("python-elfesteem" ,python-elfesteem)
+ ("python-requests" ,python-requests-2.25.1)
+ ("python-macholib" ,python-macholib)
+ ("libcrypto" ,openssl)))
+ ;; There are no tests, but attempting to run python setup.py test leads to
+ ;; problems, just disable the test
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/achow101/signapple")
+ (synopsis "Mach-O binary signature tool")
+ (description "signapple is a Python tool for creating, verifying, and
+inspecting signatures in Mach-O binaries.")
+ (license license:expat))))
+
+(define-public glibc-2.24
+ (package
+ (inherit glibc)
+ (version "2.24")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://sourceware.org/git/glibc.git")
+ (commit "0d7f1ed30969886c8dde62fbf7d2c79967d4bace")))
+ (file-name (git-file-name "glibc" "0d7f1ed30969886c8dde62fbf7d2c79967d4bace"))
+ (sha256
+ (base32
+ "0g5hryia5v1k0qx97qffgwzrz4lr4jw3s5kj04yllhswsxyjbic3"))
+ (patches (search-our-patches "glibc-ldd-x86_64.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch"
+ "glibc-2.24-no-build-time-cxx-header-run.patch"))))))
+
+(define glibc-2.27/bitcoin-patched
+ (package-with-extra-patches glibc-2.27
+ (search-our-patches "glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch")))
(packages->manifest
(append
@@ -207,39 +613,43 @@ chain for " target " development."))
patch
gawk
sed
+ moreutils
;; Compression and archiving
tar
bzip2
gzip
xz
zlib
+ (list zlib "static")
;; Build tools
gnu-make
libtool
autoconf
automake
pkg-config
+ bison
;; Scripting
perl
python-3
;; Git
git
+ ;; Tests
+ lief
;; Native gcc 7 toolchain
- gcc-toolchain-7)
+ gcc-toolchain-7
+ (list gcc-toolchain-7 "static"))
(let ((target (getenv "HOST")))
(cond ((string-suffix? "-mingw32" target)
;; Windows
(list zip
(make-mingw-pthreads-cross-toolchain "x86_64-w64-mingw32")
- (make-nsis-with-sde-support nsis-x86_64)))
- ((string-contains target "riscv64-linux-")
- (list (make-bitcoin-cross-toolchain target
- #:base-gcc-for-libc gcc-7)))
- ((string-contains target "powerpc64le-linux-")
- (list (make-bitcoin-cross-toolchain target
- #:base-gcc-for-libc gcc-7)))
+ (make-nsis-with-sde-support nsis-x86_64)
+ osslsigncode))
((string-contains target "-linux-")
- (list (make-bitcoin-cross-toolchain target)))
+ (list (cond ((string-contains target "riscv64-")
+ (make-bitcoin-cross-toolchain target #:base-libc glibc-2.27/bitcoin-patched))
+ (else
+ (make-bitcoin-cross-toolchain target)))))
((string-contains target "darwin")
- (list clang-8 libcap binutils imagemagick libtiff librsvg font-tuffy cmake xorriso))
+ (list clang-toolchain-10 binutils imagemagick libtiff librsvg font-tuffy cmake xorriso python-signapple))
(else '())))))
diff --git a/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
new file mode 100644
index 0000000000..8f88eb9dfd
--- /dev/null
+++ b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
@@ -0,0 +1,171 @@
+Description: Add disable opposites to the security-related flags
+Author: Stephen Kitt <skitt@debian.org>
+
+This patch adds "no-" variants to disable the various security flags:
+"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
+
+--- a/ld/emultempl/pe.em
++++ b/ld/emultempl/pe.em
+@@ -259,9 +261,11 @@
+ (OPTION_ENABLE_LONG_SECTION_NAMES + 1)
+ /* DLLCharacteristics flags. */
+ #define OPTION_DYNAMIC_BASE (OPTION_DISABLE_LONG_SECTION_NAMES + 1)
+-#define OPTION_FORCE_INTEGRITY (OPTION_DYNAMIC_BASE + 1)
++#define OPTION_NO_DYNAMIC_BASE (OPTION_DYNAMIC_BASE + 1)
++#define OPTION_FORCE_INTEGRITY (OPTION_NO_DYNAMIC_BASE + 1)
+ #define OPTION_NX_COMPAT (OPTION_FORCE_INTEGRITY + 1)
+-#define OPTION_NO_ISOLATION (OPTION_NX_COMPAT + 1)
++#define OPTION_NO_NX_COMPAT (OPTION_NX_COMPAT + 1)
++#define OPTION_NO_ISOLATION (OPTION_NO_NX_COMPAT + 1)
+ #define OPTION_NO_SEH (OPTION_NO_ISOLATION + 1)
+ #define OPTION_NO_BIND (OPTION_NO_SEH + 1)
+ #define OPTION_WDM_DRIVER (OPTION_NO_BIND + 1)
+@@ -271,6 +275,7 @@
+ #define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1)
+ #define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1)
+ #define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1)
++#define OPTION_DISABLE_RELOC_SECTION (OPTION_ENABLE_RELOC_SECTION + 1)
+
+ static void
+ gld${EMULATION_NAME}_add_options
+@@ -342,8 +347,10 @@
+ {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+ {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+ {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+ {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+ {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+ {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+ {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+ {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -351,6 +358,7 @@
+ {"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
+ {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+ {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+ {NULL, no_argument, NULL, 0}
+ };
+
+@@ -485,9 +494,12 @@
+ in object files\n"));
+ fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
+ address space layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
+ fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
++ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
+ fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
+ fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
++ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
+ fprintf (file, _(" --no-seh Image does not use SEH. No SE handler may\n\
+ be called in this image\n"));
+@@ -862,12 +874,21 @@
+ case OPTION_ENABLE_RELOC_SECTION:
+ pe_dll_enable_reloc_section = 1;
+ break;
++ case OPTION_DISABLE_RELOC_SECTION:
++ pe_dll_enable_reloc_section = 0;
++ /* fall through */
++ case OPTION_NO_DYNAMIC_BASE:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++ break;
+ case OPTION_FORCE_INTEGRITY:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+ break;
+ case OPTION_NX_COMPAT:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
++ case OPTION_NO_NX_COMPAT:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++ break;
+ case OPTION_NO_ISOLATION:
+ pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+ break;
+--- a/ld/emultempl/pep.em
++++ b/ld/emultempl/pep.em
+@@ -237,9 +240,12 @@
+ OPTION_ENABLE_LONG_SECTION_NAMES,
+ OPTION_DISABLE_LONG_SECTION_NAMES,
+ OPTION_HIGH_ENTROPY_VA,
++ OPTION_NO_HIGH_ENTROPY_VA,
+ OPTION_DYNAMIC_BASE,
++ OPTION_NO_DYNAMIC_BASE,
+ OPTION_FORCE_INTEGRITY,
+ OPTION_NX_COMPAT,
++ OPTION_NO_NX_COMPAT,
+ OPTION_NO_ISOLATION,
+ OPTION_NO_SEH,
+ OPTION_NO_BIND,
+@@ -248,7 +254,8 @@
+ OPTION_NO_INSERT_TIMESTAMP,
+ OPTION_TERMINAL_SERVER_AWARE,
+ OPTION_BUILD_ID,
+- OPTION_ENABLE_RELOC_SECTION
++ OPTION_ENABLE_RELOC_SECTION,
++ OPTION_DISABLE_RELOC_SECTION
+ };
+
+ static void
+@@ -315,9 +322,12 @@
+ {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+ {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+ {"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
++ {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
+ {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+ {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+ {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+ {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+ {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+ {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -327,6 +337,7 @@
+ {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
+ {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+ {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+ {NULL, no_argument, NULL, 0}
+ };
+
+@@ -448,11 +461,15 @@
+ in object files\n"));
+ fprintf (file, _(" --high-entropy-va Image is compatible with 64-bit address space\n\
+ layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-high-entropy-va Image is not compatible with 64-bit ASLR\n"));
+ fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
+ address space layout randomization (ASLR)\n"));
++ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
+ fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
++ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
+ fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
+ fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
++ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
+ fprintf (file, _(" --no-seh Image does not use SEH; no SE handler may\n\
+ be called in this image\n"));
+@@ -809,12 +826,24 @@
+ case OPTION_ENABLE_RELOC_SECTION:
+ pep_dll_enable_reloc_section = 1;
+ break;
++ case OPTION_DISABLE_RELOC_SECTION:
++ pep_dll_enable_reloc_section = 0;
++ /* fall through */
++ case OPTION_NO_DYNAMIC_BASE:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++ /* fall through */
++ case OPTION_NO_HIGH_ENTROPY_VA:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
++ break;
+ case OPTION_FORCE_INTEGRITY:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+ break;
+ case OPTION_NX_COMPAT:
+ pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
++ case OPTION_NO_NX_COMPAT:
++ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++ break;
+ case OPTION_NO_ISOLATION:
+ pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+ break;
diff --git a/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch b/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch
new file mode 100644
index 0000000000..f327c464f3
--- /dev/null
+++ b/contrib/guix/patches/gcc-8-sort-libtool-find-output.patch
@@ -0,0 +1,400 @@
+guix: repro: Sort find output in libtool for gcc-8
+
+Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not
+be reproducible and end up making the Bitcoin binaries non-reproducible
+as well.
+
+See: https://reproducible-builds.org/docs/archives/#gnu-libtool
+
+diff --git a/gcc/configure b/gcc/configure
+index 97ba7d7d69c..e37a96f0c0c 100755
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -19720,20 +19720,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libcc1/configure b/libcc1/configure
+index f53a121611c..5740ca90cab 100755
+--- a/libcc1/configure
++++ b/libcc1/configure
+@@ -12221,20 +12221,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libffi/configure b/libffi/configure
+index 790a291011f..54b1ac18306 100755
+--- a/libffi/configure
++++ b/libffi/configure
+@@ -12661,20 +12661,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libgo/config/libtool.m4 b/libgo/config/libtool.m4
+index f7005947454..8a84417b828 100644
+--- a/libgo/config/libtool.m4
++++ b/libgo/config/libtool.m4
+@@ -6010,20 +6010,20 @@ if test "$_lt_caught_CXX_error" != yes; then
+ _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libgo/config/ltmain.sh b/libgo/config/ltmain.sh
+index ce66b44906a..0f81c401407 100644
+--- a/libgo/config/ltmain.sh
++++ b/libgo/config/ltmain.sh
+@@ -2917,7 +2917,7 @@ func_extract_archives ()
+ darwin_file=
+ darwin_files=
+ for darwin_file in $darwin_filelist; do
+- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
++ darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
+ $LIPO -create -output "$darwin_file" $darwin_files
+ done # $darwin_filelist
+ $RM -rf unfat-$$
+@@ -2932,7 +2932,7 @@ func_extract_archives ()
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ ;;
+ esac
+- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
++ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+ done
+
+ func_extract_archives_result="$my_oldobjs"
+diff --git a/libhsail-rt/configure b/libhsail-rt/configure
+index a4fcc10c1f9..8e671229fcd 100755
+--- a/libhsail-rt/configure
++++ b/libhsail-rt/configure
+@@ -12244,20 +12244,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libitm/configure b/libitm/configure
+index dbf386db434..29d4f10611f 100644
+--- a/libitm/configure
++++ b/libitm/configure
+@@ -13067,20 +13067,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/liboffloadmic/configure b/liboffloadmic/configure
+index f873716991b..7aa9186b10e 100644
+--- a/liboffloadmic/configure
++++ b/liboffloadmic/configure
+@@ -12379,20 +12379,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/liboffloadmic/plugin/configure b/liboffloadmic/plugin/configure
+index c031eb3e7fa..67fc7368f21 100644
+--- a/liboffloadmic/plugin/configure
++++ b/liboffloadmic/plugin/configure
+@@ -12086,20 +12086,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libsanitizer/configure b/libsanitizer/configure
+index 4695bc7d4f7..cb7d25c07e6 100755
+--- a/libsanitizer/configure
++++ b/libsanitizer/configure
+@@ -13308,20 +13308,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libstdc++-v3/configure b/libstdc++-v3/configure
+index 61457e940ec..21ef1f61e41 100755
+--- a/libstdc++-v3/configure
++++ b/libstdc++-v3/configure
+@@ -13087,20 +13087,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libtool.m4 b/libtool.m4
+index 24d13f34409..940faaa161d 100644
+--- a/libtool.m4
++++ b/libtool.m4
+@@ -6005,20 +6005,20 @@ if test "$_lt_caught_CXX_error" != yes; then
+ _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/libvtv/configure b/libvtv/configure
+index a197f750453..31ab3a0637b 100755
+--- a/libvtv/configure
++++ b/libvtv/configure
+@@ -13339,20 +13339,20 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+ prelink_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~
+- compile_command="$compile_command `find $tpldir -name \*.o | $NL2SP`"'
++ compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"'
+ old_archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~
+- $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | $NL2SP`~
++ $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~
+ $RANLIB $oldlib'
+ archive_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='tpldir=Template.dir~
+ rm -rf $tpldir~
+ $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~
+- $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
++ $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+ ;;
+ *) # Version 6 and above use weak symbols
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+diff --git a/ltmain.sh b/ltmain.sh
+index 9503ec85d70..79f9ba89af5 100644
+--- a/ltmain.sh
++++ b/ltmain.sh
+@@ -2917,7 +2917,7 @@ func_extract_archives ()
+ darwin_file=
+ darwin_files=
+ for darwin_file in $darwin_filelist; do
+- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
++ darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP`
+ $LIPO -create -output "$darwin_file" $darwin_files
+ done # $darwin_filelist
+ $RM -rf unfat-$$
+@@ -2932,7 +2932,7 @@ func_extract_archives ()
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ ;;
+ esac
+- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
++ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
+ done
+
+ func_extract_archives_result="$my_oldobjs"
diff --git a/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch b/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch
new file mode 100644
index 0000000000..5c4d0c6ebe
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.24-elfm-loadaddr-dynamic-rewrite.patch
@@ -0,0 +1,62 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=a68ba2f3cd3cbe32c1f31e13c20ed13487727b32
+
+commit 6b02af31e9a721bb15a11380cd22d53b621711f8
+Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed Oct 18 17:26:23 2017 +0100
+
+ [AARCH64] Rewrite elf_machine_load_address using _DYNAMIC symbol
+
+ This patch rewrites aarch64 elf_machine_load_address to use special _DYNAMIC
+ symbol instead of _dl_start.
+
+ The static address of _DYNAMIC symbol is stored in the first GOT entry.
+ Here is the change which makes this solution work (part of binutils 2.24):
+ https://sourceware.org/ml/binutils/2013-06/msg00248.html
+
+ i386, x86_64 targets use the same method to do this as well.
+
+ The original implementation relies on a trick that R_AARCH64_ABS32 relocation
+ being resolved at link time and the static address fits in the 32bits.
+ However, in LP64, normally, the address is defined to be 64 bit.
+
+ Here is the C version one which should be portable in all cases.
+
+ * sysdeps/aarch64/dl-machine.h (elf_machine_load_address): Use
+ _DYNAMIC symbol to calculate load address.
+
+diff --git a/sysdeps/aarch64/dl-machine.h b/sysdeps/aarch64/dl-machine.h
+index e86d8b5b63..5a5b8a5de5 100644
+--- a/sysdeps/aarch64/dl-machine.h
++++ b/sysdeps/aarch64/dl-machine.h
+@@ -49,26 +49,11 @@ elf_machine_load_address (void)
+ /* To figure out the load address we use the definition that for any symbol:
+ dynamic_addr(symbol) = static_addr(symbol) + load_addr
+
+- The choice of symbol is arbitrary. The static address we obtain
+- by constructing a non GOT reference to the symbol, the dynamic
+- address of the symbol we compute using adrp/add to compute the
+- symbol's address relative to the PC.
+- This depends on 32bit relocations being resolved at link time
+- and that the static address fits in the 32bits. */
+-
+- ElfW(Addr) static_addr;
+- ElfW(Addr) dynamic_addr;
+-
+- asm (" \n"
+-" adrp %1, _dl_start; \n"
+-" add %1, %1, #:lo12:_dl_start \n"
+-" ldr %w0, 1f \n"
+-" b 2f \n"
+-"1: \n"
+-" .word _dl_start \n"
+-"2: \n"
+- : "=r" (static_addr), "=r" (dynamic_addr));
+- return dynamic_addr - static_addr;
++ _DYNAMIC sysmbol is used here as its link-time address stored in
++ the special unrelocated first GOT entry. */
++
++ extern ElfW(Dyn) _DYNAMIC[] attribute_hidden;
++ return (ElfW(Addr)) &_DYNAMIC - elf_machine_dynamic ();
+ }
+
+ /* Set up the loaded object described by L so its unrelocated PLT
diff --git a/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch b/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch
new file mode 100644
index 0000000000..11fe7fdc99
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.24-no-build-time-cxx-header-run.patch
@@ -0,0 +1,100 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=fc3e1337be1c6935ab58bd13520f97a535cf70cc
+
+commit dc23a45db566095e83ff0b7a57afc87fb5ca89a1
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Wed Sep 21 10:45:32 2016 +0200
+
+ Avoid running $(CXX) during build to obtain header file paths
+
+ This reduces the build time somewhat and is particularly noticeable
+ during rebuilds with few code changes.
+
+diff --git a/Makerules b/Makerules
+index 7e4077ee50..c338850de5 100644
+--- a/Makerules
++++ b/Makerules
+@@ -121,14 +121,10 @@ ifneq (,$(CXX))
+ # will be used instead of /usr/include/stdlib.h and /usr/include/math.h.
+ before-compile := $(common-objpfx)cstdlib $(common-objpfx)cmath \
+ $(before-compile)
+-cstdlib=$(shell echo "\#include <cstdlib>" | $(CXX) -M -MP -x c++ - \
+- | sed -n "/cstdlib:/{s/:$$//;p}")
+-$(common-objpfx)cstdlib: $(cstdlib)
++$(common-objpfx)cstdlib: $(c++-cstdlib-header)
+ $(INSTALL_DATA) $< $@T
+ $(move-if-change) $@T $@
+-cmath=$(shell echo "\#include <cmath>" | $(CXX) -M -MP -x c++ - \
+- | sed -n "/cmath:/{s/:$$//;p}")
+-$(common-objpfx)cmath: $(cmath)
++$(common-objpfx)cmath: $(c++-cmath-header)
+ $(INSTALL_DATA) $< $@T
+ $(move-if-change) $@T $@
+ endif
+diff --git a/config.make.in b/config.make.in
+index 95c6f36876..04a8b3ed7f 100644
+--- a/config.make.in
++++ b/config.make.in
+@@ -45,6 +45,8 @@ defines = @DEFINES@
+ sysheaders = @sysheaders@
+ sysincludes = @SYSINCLUDES@
+ c++-sysincludes = @CXX_SYSINCLUDES@
++c++-cstdlib-header = @CXX_CSTDLIB_HEADER@
++c++-cmath-header = @CXX_CMATH_HEADER@
+ all-warnings = @all_warnings@
+ enable-werror = @enable_werror@
+
+diff --git a/configure b/configure
+index 17625e1041..6ff252744b 100755
+--- a/configure
++++ b/configure
+@@ -635,6 +635,8 @@ BISON
+ INSTALL_INFO
+ PERL
+ BASH_SHELL
++CXX_CMATH_HEADER
++CXX_CSTDLIB_HEADER
+ CXX_SYSINCLUDES
+ SYSINCLUDES
+ AUTOCONF
+@@ -5054,6 +5056,18 @@ fi
+
+
+
++# Obtain some C++ header file paths. This is used to make a local
++# copy of those headers in Makerules.
++if test -n "$CXX"; then
++ find_cxx_header () {
++ echo "#include <$1>" | $CXX -M -MP -x c++ - | sed -n "/$1:/{s/:\$//;p}"
++ }
++ CXX_CSTDLIB_HEADER="$(find_cxx_header cstdlib)"
++ CXX_CMATH_HEADER="$(find_cxx_header cmath)"
++fi
++
++
++
+ # Test if LD_LIBRARY_PATH contains the notation for the current directory
+ # since this would lead to problems installing/building glibc.
+ # LD_LIBRARY_PATH contains the current directory if one of the following
+diff --git a/configure.ac b/configure.ac
+index 33bcd62180..9938ab0dc2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1039,6 +1039,18 @@ fi
+ AC_SUBST(SYSINCLUDES)
+ AC_SUBST(CXX_SYSINCLUDES)
+
++# Obtain some C++ header file paths. This is used to make a local
++# copy of those headers in Makerules.
++if test -n "$CXX"; then
++ find_cxx_header () {
++ echo "#include <$1>" | $CXX -M -MP -x c++ - | sed -n "/$1:/{s/:\$//;p}"
++ }
++ CXX_CSTDLIB_HEADER="$(find_cxx_header cstdlib)"
++ CXX_CMATH_HEADER="$(find_cxx_header cmath)"
++fi
++AC_SUBST(CXX_CSTDLIB_HEADER)
++AC_SUBST(CXX_CMATH_HEADER)
++
+ # Test if LD_LIBRARY_PATH contains the notation for the current directory
+ # since this would lead to problems installing/building glibc.
+ # LD_LIBRARY_PATH contains the current directory if one of the following
diff --git a/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch b/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch
new file mode 100644
index 0000000000..d6217157ee
--- /dev/null
+++ b/contrib/guix/patches/glibc-2.27-riscv64-Use-__has_include__-to-include-asm-syscalls.h.patch
@@ -0,0 +1,72 @@
+https://sourceware.org/git/?p=glibc.git;a=commit;h=0b9c84906f653978fb8768c7ebd0ee14a47e662e
+
+From 562c52cc81a4e456a62e6455feb32732049e9070 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 31 Dec 2018 09:26:42 -0800
+Subject: [PATCH] riscv: Use __has_include__ to include <asm/syscalls.h> [BZ
+ #24022]
+
+<asm/syscalls.h> has been removed by
+
+commit 27f8899d6002e11a6e2d995e29b8deab5aa9cc25
+Author: David Abdurachmanov <david.abdurachmanov@gmail.com>
+Date: Thu Nov 8 20:02:39 2018 +0100
+
+ riscv: add asm/unistd.h UAPI header
+
+ Marcin Juszkiewicz reported issues while generating syscall table for riscv
+ using 4.20-rc1. The patch refactors our unistd.h files to match some other
+ architectures.
+
+ - Add asm/unistd.h UAPI header, which has __ARCH_WANT_NEW_STAT only for 64-bit
+ - Remove asm/syscalls.h UAPI header and merge to asm/unistd.h
+ - Adjust kernel asm/unistd.h
+
+ So now asm/unistd.h UAPI header should show all syscalls for riscv.
+
+<asm/syscalls.h> may be restored by
+
+Subject: [PATCH] riscv: restore asm/syscalls.h UAPI header
+Date: Tue, 11 Dec 2018 09:09:35 +0100
+
+UAPI header asm/syscalls.h was merged into UAPI asm/unistd.h header,
+which did resolve issue with missing syscalls macros resulting in
+glibc (2.28) build failure. It also broke glibc in a different way:
+asm/syscalls.h is being used by glibc. I noticed this while doing
+Fedora 30/Rawhide mass rebuild.
+
+The patch returns asm/syscalls.h header and incl. it into asm/unistd.h.
+I plan to send a patch to glibc to use asm/unistd.h instead of
+asm/syscalls.h
+
+In the meantime, we use __has_include__, which was added to GCC 5, to
+check if <asm/syscalls.h> exists before including it. Tested with
+build-many-glibcs.py for riscv against kernel 4.19.12 and 4.20-rc7.
+
+ [BZ #24022]
+ * sysdeps/unix/sysv/linux/riscv/flush-icache.c: Check if
+ <asm/syscalls.h> exists with __has_include__ before including it.
+---
+ sysdeps/unix/sysv/linux/riscv/flush-icache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sysdeps/unix/sysv/linux/riscv/flush-icache.c b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
+index d612ef4c6c..0b2042620b 100644
+--- a/sysdeps/unix/sysv/linux/riscv/flush-icache.c
++++ b/sysdeps/unix/sysv/linux/riscv/flush-icache.c
+@@ -21,7 +21,11 @@
+ #include <stdlib.h>
+ #include <atomic.h>
+ #include <sys/cachectl.h>
+-#include <asm/syscalls.h>
++#if __has_include__ (<asm/syscalls.h>)
++# include <asm/syscalls.h>
++#else
++# include <asm/unistd.h>
++#endif
+
+ typedef int (*func_type) (void *, void *, unsigned long int);
+
+--
+2.31.1
+
diff --git a/contrib/guix/patches/glibc-ldd-x86_64.patch b/contrib/guix/patches/glibc-ldd-x86_64.patch
new file mode 100644
index 0000000000..b1b6d5a548
--- /dev/null
+++ b/contrib/guix/patches/glibc-ldd-x86_64.patch
@@ -0,0 +1,10 @@
+By default, 'RTDLLIST' in 'ldd' refers to 'lib64/ld-linux-x86-64.so', whereas
+it's in 'lib/' for us. This patch fixes that.
+
+--- glibc-2.17/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-12-25 04:02:13.000000000 +0100
++++ glibc-2.17/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2013-09-15 23:08:03.000000000 +0200
+@@ -1,3 +1,3 @@
+ /LD_TRACE_LOADED_OBJECTS=1/a\
+ add_env="$add_env LD_LIBRARY_VERSION=\\$verify_out"
+-s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \264\4-x86-64\6 \2x32\4-x32\6"_
++s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \2\4-x86-64\6 \2x32\4-x32\6"_
diff --git a/contrib/guix/patches/glibc-versioned-locpath.patch b/contrib/guix/patches/glibc-versioned-locpath.patch
new file mode 100644
index 0000000000..bc7652127f
--- /dev/null
+++ b/contrib/guix/patches/glibc-versioned-locpath.patch
@@ -0,0 +1,240 @@
+The format of locale data can be incompatible between libc versions, and
+loading incompatible data can lead to 'setlocale' returning EINVAL at best
+or triggering an assertion failure at worst. See
+https://lists.gnu.org/archive/html/guix-devel/2015-09/msg00717.html
+for background information.
+
+To address that, this patch changes libc to honor a new 'GUIX_LOCPATH'
+variable, and to look for locale data in version-specific sub-directories of
+that variable. So, if GUIX_LOCPATH=/foo:/bar, locale data is searched for in
+/foo/X.Y and /bar/X.Y, where X.Y is the libc version number.
+
+That way, a single 'GUIX_LOCPATH' setting can work even if different libc
+versions coexist on the system.
+
+--- a/locale/newlocale.c
++++ b/locale/newlocale.c
+@@ -30,6 +30,7 @@
+ /* Lock for protecting global data. */
+ __libc_rwlock_define (extern , __libc_setlocale_lock attribute_hidden)
+
++extern error_t compute_locale_search_path (char **, size_t *);
+
+ /* Use this when we come along an error. */
+ #define ERROR_RETURN \
+@@ -48,7 +49,6 @@ __newlocale (int category_mask, const char *locale, __locale_t base)
+ __locale_t result_ptr;
+ char *locale_path;
+ size_t locale_path_len;
+- const char *locpath_var;
+ int cnt;
+ size_t names_len;
+
+@@ -102,17 +102,8 @@ __newlocale (int category_mask, const char *locale, __locale_t base)
+ locale_path = NULL;
+ locale_path_len = 0;
+
+- locpath_var = getenv ("LOCPATH");
+- if (locpath_var != NULL && locpath_var[0] != '\0')
+- {
+- if (__argz_create_sep (locpath_var, ':',
+- &locale_path, &locale_path_len) != 0)
+- return NULL;
+-
+- if (__argz_add_sep (&locale_path, &locale_path_len,
+- _nl_default_locale_path, ':') != 0)
+- return NULL;
+- }
++ if (compute_locale_search_path (&locale_path, &locale_path_len) != 0)
++ return NULL;
+
+ /* Get the names for the locales we are interested in. We either
+ allow a composite name or a single name. */
+diff --git a/locale/setlocale.c b/locale/setlocale.c
+index ead030d..0c0e314 100644
+--- a/locale/setlocale.c
++++ b/locale/setlocale.c
+@@ -215,12 +215,65 @@ setdata (int category, struct __locale_data *data)
+ }
+ }
+
++/* Return in *LOCALE_PATH and *LOCALE_PATH_LEN the locale data search path as
++ a colon-separated list. Return ENOMEN on error, zero otherwise. */
++error_t
++compute_locale_search_path (char **locale_path, size_t *locale_path_len)
++{
++ char* guix_locpath_var = getenv ("GUIX_LOCPATH");
++ char *locpath_var = getenv ("LOCPATH");
++
++ if (guix_locpath_var != NULL && guix_locpath_var[0] != '\0')
++ {
++ /* Entries in 'GUIX_LOCPATH' take precedence over 'LOCPATH'. These
++ entries are systematically prefixed with "/X.Y" where "X.Y" is the
++ libc version. */
++ if (__argz_create_sep (guix_locpath_var, ':',
++ locale_path, locale_path_len) != 0
++ || __argz_suffix_entries (locale_path, locale_path_len,
++ "/" VERSION) != 0)
++ goto bail_out;
++ }
++
++ if (locpath_var != NULL && locpath_var[0] != '\0')
++ {
++ char *reg_locale_path = NULL;
++ size_t reg_locale_path_len = 0;
++
++ if (__argz_create_sep (locpath_var, ':',
++ &reg_locale_path, &reg_locale_path_len) != 0)
++ goto bail_out;
++
++ if (__argz_append (locale_path, locale_path_len,
++ reg_locale_path, reg_locale_path_len) != 0)
++ goto bail_out;
++
++ free (reg_locale_path);
++ }
++
++ if (*locale_path != NULL)
++ {
++ /* Append the system default locale directory. */
++ if (__argz_add_sep (locale_path, locale_path_len,
++ _nl_default_locale_path, ':') != 0)
++ goto bail_out;
++ }
++
++ return 0;
++
++ bail_out:
++ free (*locale_path);
++ *locale_path = NULL;
++ *locale_path_len = 0;
++
++ return ENOMEM;
++}
++
+ char *
+ setlocale (int category, const char *locale)
+ {
+ char *locale_path;
+ size_t locale_path_len;
+- const char *locpath_var;
+ char *composite;
+
+ /* Sanity check for CATEGORY argument. */
+@@ -251,17 +304,10 @@ setlocale (int category, const char *locale)
+ locale_path = NULL;
+ locale_path_len = 0;
+
+- locpath_var = getenv ("LOCPATH");
+- if (locpath_var != NULL && locpath_var[0] != '\0')
++ if (compute_locale_search_path (&locale_path, &locale_path_len) != 0)
+ {
+- if (__argz_create_sep (locpath_var, ':',
+- &locale_path, &locale_path_len) != 0
+- || __argz_add_sep (&locale_path, &locale_path_len,
+- _nl_default_locale_path, ':') != 0)
+- {
+- __libc_rwlock_unlock (__libc_setlocale_lock);
+- return NULL;
+- }
++ __libc_rwlock_unlock (__libc_setlocale_lock);
++ return NULL;
+ }
+
+ if (category == LC_ALL)
+diff --git a/string/Makefile b/string/Makefile
+index 8424a61..f925503 100644
+--- a/string/Makefile
++++ b/string/Makefile
+@@ -38,7 +38,7 @@ routines := strcat strchr strcmp strcoll strcpy strcspn \
+ swab strfry memfrob memmem rawmemchr strchrnul \
+ $(addprefix argz-,append count create ctsep next \
+ delete extract insert stringify \
+- addsep replace) \
++ addsep replace suffix) \
+ envz basename \
+ strcoll_l strxfrm_l string-inlines memrchr \
+ xpg-strerror strerror_l
+diff --git a/string/argz-suffix.c b/string/argz-suffix.c
+new file mode 100644
+index 0000000..505b0f2
+--- /dev/null
++++ b/string/argz-suffix.c
+@@ -0,0 +1,56 @@
++/* Copyright (C) 2015 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++ Contributed by Ludovic Courtès <ludo@gnu.org>.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <argz.h>
++#include <errno.h>
++#include <stdlib.h>
++#include <string.h>
++
++
++error_t
++__argz_suffix_entries (char **argz, size_t *argz_len, const char *suffix)
++
++{
++ size_t suffix_len = strlen (suffix);
++ size_t count = __argz_count (*argz, *argz_len);
++ size_t new_argz_len = *argz_len + count * suffix_len;
++ char *new_argz = malloc (new_argz_len);
++
++ if (new_argz)
++ {
++ char *p = new_argz, *entry;
++
++ for (entry = *argz;
++ entry != NULL;
++ entry = argz_next (*argz, *argz_len, entry))
++ {
++ p = stpcpy (p, entry);
++ p = stpcpy (p, suffix);
++ p++;
++ }
++
++ free (*argz);
++ *argz = new_argz;
++ *argz_len = new_argz_len;
++
++ return 0;
++ }
++ else
++ return ENOMEM;
++}
++weak_alias (__argz_suffix_entries, argz_suffix_entries)
+diff --git a/string/argz.h b/string/argz.h
+index bb62a31..d276a35 100644
+--- a/string/argz.h
++++ b/string/argz.h
+@@ -134,6 +134,16 @@ extern error_t argz_replace (char **__restrict __argz,
+ const char *__restrict __str,
+ const char *__restrict __with,
+ unsigned int *__restrict __replace_count);
++
++/* Suffix each entry of ARGZ & ARGZ_LEN with SUFFIX. Return 0 on success,
++ and ENOMEN if memory cannot be allocated. */
++extern error_t __argz_suffix_entries (char **__restrict __argz,
++ size_t *__restrict __argz_len,
++ const char *__restrict __suffix);
++extern error_t argz_suffix_entries (char **__restrict __argz,
++ size_t *__restrict __argz_len,
++ const char *__restrict __suffix);
++
+
+ /* Returns the next entry in ARGZ & ARGZ_LEN after ENTRY, or NULL if there
+ are no more. If entry is NULL, then the first entry is returned. This
diff --git a/contrib/guix/patches/nsis-SConstruct-sde-support.patch b/contrib/guix/patches/nsis-SConstruct-sde-support.patch
index 5edf1b7c8e..f58406a7a0 100644
--- a/contrib/guix/patches/nsis-SConstruct-sde-support.patch
+++ b/contrib/guix/patches/nsis-SConstruct-sde-support.patch
@@ -1,3 +1,6 @@
+https://github.com/kichik/nsis/pull/13
+https://sourceforge.net/p/nsis/code/7248/
+
diff --git a/SConstruct b/SConstruct
index e8252c9..41786f2 100755
--- a/SConstruct
diff --git a/contrib/guix/patches/oscrypto-hard-code-openssl.patch b/contrib/guix/patches/oscrypto-hard-code-openssl.patch
new file mode 100644
index 0000000000..32027f2d09
--- /dev/null
+++ b/contrib/guix/patches/oscrypto-hard-code-openssl.patch
@@ -0,0 +1,13 @@
+diff --git a/oscrypto/__init__.py b/oscrypto/__init__.py
+index eb27313..371ab24 100644
+--- a/oscrypto/__init__.py
++++ b/oscrypto/__init__.py
+@@ -302,3 +302,8 @@ def load_order():
+ 'oscrypto._win.tls',
+ 'oscrypto.tls',
+ ]
++
++
++paths = '@GUIX_OSCRYPTO_USE_OPENSSL@'.split(',')
++assert len(paths) == 2, 'Value for OSCRYPTO_USE_OPENSSL env var must be two paths separated by a comma'
++use_openssl(*paths)
generated by cgit v1.2.3 (git 2.26.2) at 2024-07-19 18:34:44 +0000