diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index 5d80c25d196..4631873b175 100644 --- a/.github/workflows/ci-build.yaml +++ b/.github/workflows/ci-build.yaml @@ -72,7 +72,7 @@ jobs: - name: 'Build Wolfi' run: | for package in ${{needs.changes.outputs.packages}}; do - make MELANGE="melange" MELANGE_EXTRA_OPTS="--create-build-log" REPO="$GITHUB_WORKSPACE/packages" BUILDWORLD=no packages/$package -j1 + make MELANGE="melange" MELANGE_EXTRA_OPTS="--create-build-log" REPO="$GITHUB_WORKSPACE/packages" packages/$package -j1 done - name: Check for file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3a88a7fc6c1..b80bd537f50 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -32,11 +32,9 @@ Add a new entry for your package near the bottom of [`packages.txt`](packages.tx your-package-name ``` -Once you're done writing the new package configuration file, you can test it by triggering a build with `make packages/ BUILDWORLD=no USE_CACHE=no`. +Once you're done writing the new package configuration file, you can test it by triggering a build with `make packages/`. -note: `USE_CACHE=no` disables using a GCP cloud bucket for caching pipeline sources. This is mainly used for production setups and not needed for local development. - -If you do use a cache for your sources and see GCS auth related errors, your gcloud auth credentials might be the issue. Try running `gcloud auth login && gcloud auth application-default login`. +If you do use a cache for your sources and see GCS auth related errors, your gcloud auth credentials might be the issue. Try running `gcloud auth login && gcloud auth application-default login`, then add `USE_CACHE=yes` to your `make` invocation. Your build packages should be found in the generated `./packages` directory. @@ -76,4 +74,4 @@ gsutil -m rsync -r gs://wolfi-production-registry-destination/os/ ./packages - When you're ready to submit a PR for a new package or to update a package, make sure your YAML file(s) are **formatted correctly**, so that they'll pass CI. We use [yam](https://github.com/chainguard-dev/yam) for YAML formatting. You should be able to run the `yam` command from the root of this repo to get all files formatted correctly. -- When running a lot of melange builds using `docker` as a runner (default on Mac) you may want to increase the Docker VM CPU, Memory and especially storage resources, else Docker can easily run out of disk space. \ No newline at end of file +- When running a lot of melange builds using `docker` as a runner (default on Mac) you may want to increase the Docker VM CPU, Memory and especially storage resources, else Docker can easily run out of disk space. diff --git a/HOW_TO_PATCH_CVES.md b/HOW_TO_PATCH_CVES.md index d68bd176b61..caed4b0573f 100644 --- a/HOW_TO_PATCH_CVES.md +++ b/HOW_TO_PATCH_CVES.md @@ -52,16 +52,10 @@ For the ease of explanation, we'll assume we're addressing a single reported vul For example, if we're patching CVE-2018-25032 in the "zlib" package, where the version is 1.2.3 and the epoch is 4, we'd enter `zlib` as the package, `CVE-2018-25032` as the vulnerability and `1.2.3-r4` as the fixed version. -1. Verify that our update package will build successfully by running Melange. To do this, run (in a container if you're not already on Linux): +1. Verify that our update package will build successfully by running Melange. To do this, run: ```shell - make - ``` - - Note that currently, this will build the **entire world**. If you want to build just a single package, you can run the following to build the package: - - ```shell - BUILDWORLD=no make packages/${ARCH}/${PACKAGE_NAME}-${PACKAGE_VERSION}.apk + make packages/${PACKAGE_NAME} ``` 1. Open a PR. diff --git a/Makefile b/Makefile index ef5ef3cc227..592b5e82f91 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ ifeq (${USE_CACHE}, yes) MELANGE_OPTS += --cache-source ${CACHE_DIR} endif -ifeq (${BUILDWORLD}, no) +ifneq (${BUILDWORLD}, yes) MELANGE_OPTS += -k ${WOLFI_SIGNING_PUBKEY} MELANGE_OPTS += -r ${WOLFI_PROD} endif diff --git a/REPRODUCIBILITY.md b/REPRODUCIBILITY.md index facc390d393..ccbdc1509f5 100644 --- a/REPRODUCIBILITY.md +++ b/REPRODUCIBILITY.md @@ -30,8 +30,11 @@ There are presently some caveats, however: # Reproducing the entire OS The easiest way to verify reproducibility in the build system is to -simply build the OS twice with the same key. Or you can download the -entire Wolfi package collection using `gsutil -m rsync`: +simply build the OS twice with the same key. To build all packages, run `make +BUILDWORLD=yes`. + +Or you can download the entire Wolfi package collection using `gsutil -m +rsync`: gsutil -m rsync gs://wolfi-production-registry-destination/os/ wolfi-packages/os/ @@ -48,12 +51,12 @@ comparing the package directories. If you just want to test an individual Wolfi package for reproducibility, the same caveats above still apply. But you can ask the build system to build just a single package, without building dependencies, by using the -`BUILDWORLD=no` knob. For example, with `execline`: +`=no` knob. For example, with `execline`: - # doas make packages/execline BUILDWORLD=no + # doas make packages/execline ... # doas mv packages packages-1 - # doas make packages/execline BUILDWORLD=no + # doas make packages/execline ... # doas mv packages packages-2 # sha256sum packages-1/$(uname -m)/*.apk | sed -e s:packages-1:packages-2:g | sha256sum -c