From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH 5/7] release: add install step
In-Reply-To: <20251029-updates-v1-5-401c1be2a11b@gmail.com>
References: <20251029-updates-v1-0-401c1be2a11b@gmail.com> <20251029-updates-v1-5-401c1be2a11b@gmail.com>
Date: Wed, 29 Oct 2025 13:20:47 +0100
Message-ID: <87pla5kig0.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> This step provides versioned release artifacts. Writing a detached
> OpenPGP signature of SHA256SUMS to SHA256SUMS.gpg is sufficient to
> create a directory usable by systemd-sysupdate.
>
> Signed-off-by: Demi Marie Obenour
> ---
>  host/rootfs/Makefile                   |  4 ++--
>  host/rootfs/default.nix                |  6 +++---
>  release/checks/integration/default.nix |  2 +-
>  release/combined/eosimages.nix         |  2 +-
>  release/live/Makefile                  | 14 ++++++++++++++
>  release/live/default.nix               |  5 +----
>  6 files changed, 22 insertions(+), 11 deletions(-)

And then on the server we'd only serve one of these at a time, so we'd use the SHA256SUMS file generated by the build?
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index 84f1b385198ecfa5905b69e4901e56150ea1b424..35adb3d972c1a30705a5b123c= 65abf837617eb72 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -91,7 +91,7 @@ clean: > # supports one output per rule, so we combine the two outputs then > # define two more rules to separate them again. > build/rootfs.verity: $(dest) > - $(VERITYSETUP) format $(dest) build/rootfs.verity.superblock.tmp \ > + set -euo pipefail; $(VERITYSETUP) format $(dest) build/rootfs.verity.su= perblock.tmp \ > | awk -F ':[[:blank:]]*' '$$1 =3D=3D "Root hash" {print $$2; exit}'= \ > > build/rootfs.verity.roothash.tmp > cat build/rootfs.verity.roothash.tmp build/rootfs.verity.superblock.tmp= \ Correct but unrelated change. > @@ -100,7 +100,7 @@ build/rootfs.verity: $(dest) > build/rootfs.verity.roothash: build/rootfs.verity > head -n 1 build/rootfs.verity > $@ > build/rootfs.verity.superblock: build/rootfs.verity > - tail -n +2 build/rootfs.verity > $@ > + { read -r && cat; } < build/rootfs.verity > $@ Why? > diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix > index bc364b930b30e00c55b17b5e4248a303392cf3a0..995b9bfd4c53edf9fa060011c= 128464518d15d6e 100644 > --- a/host/rootfs/default.nix > +++ b/host/rootfs/default.nix > @@ -8,8 +8,8 @@ import ../../lib/call-package.nix ( > }: > pkgsStatic.callPackage ( >=20=20 > -{ busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils, execline > -, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos > +{ btrfs-progs, busybox, cloud-hypervisor, cryptsetup, dbus, erofs-utils > +, execline, inkscape, inotify-tools, iproute2, jq, lib, mdevd, nixos > , runCommand, s6, s6-linux-init, s6-rc, socat, spectrum-host-tools > , stdenvNoCC, util-linux, virtiofsd, writeClosure > , xdg-desktop-portal-spectrum-host, xorg 
> @@ -82,7 +82,7 @@ let > # Packages that should be fully linked into /usr, > # (not just their bin/* files). > usrPackages =3D [ > - appvm kernel.modules firmware kmod kmod.lib > + appvm btrfs-progs firmware kernel.modules kmod kmod.lib > netvm mesa dejavu_fonts systemd util-linux westonLite > ]; >=20=20 Unrelated. > diff --git a/release/checks/integration/default.nix b/release/checks/inte= gration/default.nix > index 340fb6e11fed5971caf879d0a8a40baf395a7589..947d9cb8f2a5e1d7e93b68145= 81d33e342b522fc 100644 > --- a/release/checks/integration/default.nix > +++ b/release/checks/integration/default.nix > @@ -86,7 +86,7 @@ stdenv.mkDerivation (finalAttrs: { > env =3D { > QEMU_SYSTEM =3D "qemu-system-${stdenv.hostPlatform.qemuArch} -nograp= hic"; > EFI_PATH =3D "${qemu_kvm}/share/qemu/edk2-${stdenv.hostPlatform.qemu= Arch}-code.fd"; > - IMG_PATH =3D live; > + IMG_PATH =3D "${live}/live.img"; > USER_DATA_PATH =3D userData; > }; >=20=20 > diff --git a/release/combined/eosimages.nix b/release/combined/eosimages.= nix > index ba44d9cd82d55d491293ed36cc0402db8ebd3ffe..b168dcf61a74f96fed1d52858= c0c3ebfc311873c 100644 > --- a/release/combined/eosimages.nix > +++ b/release/combined/eosimages.nix > @@ -7,7 +7,7 @@ import ../../lib/call-package.nix ( > runCommand "eosimages.img" { > nativeBuildInputs =3D [ e2fsprogs tar2ext4 ]; > imageName =3D "Spectrum-0.0-x86_64-generic.0.Live.img"; > - image =3D callSpectrumPackage ../live {}; > + image =3D "${callSpectrumPackage ../live {}}/live.img"; > __structuredAttrs =3D true; > unsafeDiscardReferences =3D { out =3D true; }; > dontFixup =3D true; > diff --git a/release/live/Makefile b/release/live/Makefile > index 3072d869f13efbf5ea196d191881aeab85726d2e..9aa2488a57ba583ff49f0d95a= f4f91878a0cd5dd 100644 > --- a/release/live/Makefile > +++ b/release/live/Makefile 
> @@ -30,6 +30,20 @@ build/spectrum.efi: build/rootfs.verity.roothash $(DTB= S) $(KERNEL) $(INITRAMFS) > --os-release $$'NAME=3D"Spectrum"\n' \ > --cmdline "ro intel_iommu=3Don x-spectrum-roothash=3D$$roothash x-s= pectrum-version=3D$$VERSION" >=20=20 > +install: build/rootfs.verity.superblock $(ROOT_FS) build/spectrum.efi $(= dest) > + set -euo pipefail; \ I don't think this needs to hack around the normal Make thing of having one shell per line. > + $(READ_ROOTHASH); \ > + mkdir -p -- $(DESTDIR) build; \ > + cp -- build/rootfs.verity.superblock $(DESTDIR)/"Spectrum_OS_$$VERSION.= verity"; \ > + cp -- $(ROOT_FS) $(DESTDIR)/"Spectrum_OS_$$VERSION.root"; \ > + cp -- build/spectrum.efi $(DESTDIR)/"Spectrum_OS_$$VERSION.efi"; \ > + cp $(dest) $(DESTDIR)/live.img; \ > + cd $(DESTDIR); \ > + sha256sum live.img \ > + "Spectrum_OS_$$VERSION.root" \ > + "Spectrum_OS_$$VERSION.verity" \ > + "Spectrum_OS_$$VERSION.efi" > SHA256SUMS > + No "OS" in the project name. Given that we won't ever want the live image and the individual partition updates at the same time, it probably makes sense to put these into separate builds. Maybe we add host/verity and host/efi to build those, assemble them into an image in release/live, and also add release/update that combines the partition images and the SHA256SUMS file. > diff --git a/release/live/default.nix b/release/live/default.nix > index b5c0c8df31d4c6cb7fdd2337e8169f36655dd1a8..c6dcabd49363e113eb0783ced= 2a167633a6e19c3 100644 > --- a/release/live/default.nix > +++ b/release/live/default.nix 
> @@ -56,14 +56,11 @@ stdenv.mkDerivation { > SYSTEMD_BOOT_EFI =3D "${systemd}/lib/systemd/boot/efi/systemd-boot${= efiArch}.efi"; > EFINAME =3D "BOOT${toUpper efiArch}.EFI"; > VERSION =3D import ../../lib/version.nix; > + DESTDIR =3D "$(out)"; > } // lib.optionalAttrs stdenv.hostPlatform.linux-kernel.DTB or false { > DTBS =3D "${rootfs.kernel}/dtbs"; > }; >=20=20 > - buildFlags =3D [ "dest=3D$(out)" ]; > - DESTDIR should stay in buildFlags so it's not in the environment for nix-shell. > - dontInstall =3D true; > - > enableParallelBuilding =3D true; >=20=20 > __structuredAttrs =3D true; > > --=20 > 2.51.2
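Review bot: `set -euo pipefail;` at the start of the build/rootfs.verity recipe in host/rootfs/Makefile only works if recipes run under bash; with Make's default `/bin/sh` (dash on many distributions) `set -o pipefail` is rejected and the recipe fails before veritysetup even runs. Confirm the Makefile sets `SHELL := bash` (or equivalent), and since this fix is independent of the install step, move it to its own commit whose message says what it fixes: without pipefail a veritysetup failure was hidden behind awk's exit status, so an empty build/rootfs.verity.roothash.tmp could be written and go unnoticed.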
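Review bot: the switch from `tail -n +2 build/rootfs.verity > $@` to `{ read -r && cat; } < build/rootfs.verity > $@` in the build/rootfs.verity.superblock rule has no rationale in the commit message or the diff. For this input the two behave the same (both discard a first line that the sibling `head -n 1` rule already relies on being newline-terminated), so either state the motivation in the commit message or drop this hunk from the install-step patch.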
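Review bot: adding btrfs-progs to the host/rootfs/default.nix inputs and to usrPackages is unrelated to the install step and grows the host root filesystem (and therefore the verity image) without explanation; split it into its own commit that says what on the host needs btrfs-progs.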
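Review bot: the new install target in release/live/Makefile writes SHA256SUMS, but nothing in the hunk produces the SHA256SUMS.gpg that the commit message says makes the directory usable by systemd-sysupdate; the build sandbox should not hold the release signing key, so signing out of band is the right design, but the commit message and a comment above the target should say that the signature is created separately. Smaller points in the same recipe: `cp $(dest) $(DESTDIR)/live.img; \` is the only cp without `--`; `$(DESTDIR)` is unquoted throughout, so `cd $(DESTDIR);` and the cp destinations break on a path containing whitespace; `mkdir -p -- $(DESTDIR) build` recreates `build`, which the prerequisites already guarantee exists; and, as in the host Makefile, `set -euo pipefail` assumes a bash SHELL.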
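Review bot: in release/live/default.nix, dropping `buildFlags = [ "dest=$(out)" ]` and `dontInstall = true` while adding `DESTDIR = "$(out)"` to the attribute set makes DESTDIR a derivation environment variable, visible in nix-shell, and leaves `$(dest)`, which the new install target lists as a prerequisite, unset on the make command line, so the Makefile's default for `dest` must now resolve to a path the build rule actually produces. Passing `installFlags = [ "DESTDIR=$(out)" ]` keeps it out of the environment, matching how the removed buildFlags passed `dest=$(out)`.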