Diffstat (limited to 'dns/dnsmasq-devel')
-rw-r--r-- | dns/dnsmasq-devel/Makefile | 40 | ||||
-rw-r--r-- | dns/dnsmasq-devel/distinfo | 6 | ||||
-rw-r--r-- | dns/dnsmasq-devel/files/simon-kelley-keyring.asc | bin | 0 -> 7158 bytes | |||
-rwxr-xr-x | dns/dnsmasq-devel/files/update.py | 52 |
4 files changed, 90 insertions, 8 deletions
diff --git a/dns/dnsmasq-devel/Makefile b/dns/dnsmasq-devel/Makefile index a67abc5da302..fe6698992e0f 100644 --- a/dns/dnsmasq-devel/Makefile +++ b/dns/dnsmasq-devel/Makefile @@ -1,7 +1,7 @@ PORTNAME= dnsmasq -DISTVERSION= 2.92test7 # remember to bump PORTEPOCH when going from test to rc! +DISTVERSION= 2.92test21 # remember to bump PORTEPOCH when going from test to rc! # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 6 CATEGORIES= dns #MASTER_SITES= LOCAL/mandree/ \ @@ -18,7 +18,7 @@ LICENSE= GPLv2 DEPRECATED= Short-lived test branch, to be removed after v2.92 release -USES= cpe shebangfix tar:xz +USES= compiler cpe shebangfix tar:xz CPE_VENDOR= thekelleys SHEBANG_FILES= contrib/dnslist/dnslist.pl \ 
@@ -30,8 +30,27 @@ MAKE_ARGS= CC="${CC}" \ LIBS="${LDFLAGS}" \ PREFIX="${PREFIX}" \ RPM_OPT_FLAGS="${CPPFLAGS}" -CFLAGS+= -Wall -Wno-unused-function -Wno-unused-parameter \ - -Wno-unused-value -Wno-unused-variable +CFLAGS+= -Wall +# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html +# Note there are ${ARCH}-dependent options below after .include <bsd.port.pre.mk> +CFLAGS+= -O2 -Wall -Wformat -Wformat=2 \ + -Werror=format-security \ + -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \ + -fstrict-flex-arrays=3 \ + -fstack-clash-protection -fstack-protector-strong \ + -fno-delete-null-pointer-checks -fno-strict-overflow \ + -fno-strict-aliasing -ftrivial-auto-var-init=zero +LDFLAGS+= -Wl,-z,nodlopen -Wl,-z,noexecstack \ + -Wl,-z,relro -Wl,-z,now \ + -Wl,--as-needed -Wl,--no-copy-dt-needed-entries +CFLAGS+= -fPIE +LDFLAGS+= -pie +# error on obsolete C constructs +CFLAGS+= -Werror=implicit -Werror=incompatible-pointer-types \ + -Werror=int-conversion +# tune down harmless warnings due to coding style +CFLAGS+= -Wno-unused-function -Wno-unused-parameter \ + -Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral CPPFLAGS+= -I${LOCALBASE}/include CONFLICTS_INSTALL= dnsmasq-2* @@ -102,6 +121,17 @@ USE_RC_SUBR= dnsmasq .include <bsd.port.pre.mk> +# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html +.if ${ARCH} == "amd64" +CFLAGS+= -fcf-protection=full +.endif +.if ${ARCH} == "aarch64" +CFLAGS+= -mbranch-protection=standard +.endif +.if ${CHOSEN_COMPILER_TYPE} == "gcc" +CFLAGS+= -Wtrampolines +.endif + LDFLAGS+= -L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB} post-patch: diff --git a/dns/dnsmasq-devel/distinfo b/dns/dnsmasq-devel/distinfo index c0c87c161929..184f1941bd97 100644 --- a/dns/dnsmasq-devel/distinfo +++ b/dns/dnsmasq-devel/distinfo 
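Review bot: `-Wno-format-nonliteral` in the last `CFLAGS+=` of this hunk is filed under "harmless warnings due to coding style", but it switches off part of what the newly added `-Wformat=2` enables. Calls that pass arguments along with a non-literal format string are no longer reported, and `-Werror=format-security` only covers the case where no arguments are passed. If the upstream sources need the suppression, record why next to it, e.g. `# -Wformat-nonliteral off: <reason>; -Werror=format-security stays on`. `-Wall` is also given twice now (the bare `CFLAGS+= -Wall` line and again after `-O2`); one of them can go.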
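Review bot: Only `-Wtrampolines` is guarded by compiler type here; `-fcf-protection=full` and `-mbranch-protection=standard` are keyed on `${ARCH}` alone. The options added before `.include <bsd.port.pre.mk>` in the previous hunk, such as `-fstrict-flex-arrays=3` and `-ftrivial-auto-var-init=zero`, have no guard at all. These need fairly recent GCC or Clang releases, and a compiler that does not recognise an `-f` option fails the build rather than ignoring it; whether every compiler this port is built with accepts them cannot be seen from the diff. A comment stating the minimum compiler assumed, or a `COMPILER_VERSION` check beside the `CHOSEN_COMPILER_TYPE` one, would make that explicit.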
@@ -1,3 +1,3 @@ -TIMESTAMP = 1747062230 -SHA256 (dnsmasq-2.92test7.tar.xz) = 9784d8bd8208c8e2143d87f370948401af9526e18868a789887a35bf26757ac8 -SIZE (dnsmasq-2.92test7.tar.xz) = 577780 +TIMESTAMP = 1756306668 +SHA256 (dnsmasq-2.92test21.tar.xz) = bb755e2cc891e05446b2a16b6f2f66ecd1c3e43e6bc0861ef3b60e088848c419 +SIZE (dnsmasq-2.92test21.tar.xz) = 585408 diff --git a/dns/dnsmasq-devel/files/simon-kelley-keyring.asc b/dns/dnsmasq-devel/files/simon-kelley-keyring.asc Binary files differnew file mode 100644 index 000000000000..5ffea306f73b --- /dev/null +++ b/dns/dnsmasq-devel/files/simon-kelley-keyring.asc diff --git a/dns/dnsmasq-devel/files/update.py b/dns/dnsmasq-devel/files/update.py new file mode 100755 index 000000000000..117c0e9c95a4 --- /dev/null +++ b/dns/dnsmasq-devel/files/update.py 
@@ -0,0 +1,52 @@ +#!/usr/bin/env python3 +"""update.py for dnsmasq-devel - (C) 2025 Matthias Andree, placed under MIT license +To use, edit Makefile with the new version, +then run files/update.py, which will download, check sigs, if GnuPG checks out, update makesum, +upload tarball and sig to my public_distfiles/ because upstream has low bandwidth, and test build. + +If things work out, commit manually and push.""" + +import os +import shutil +import subprocess +import sys + +def trace(func): + def wrapper(*args, **kwargs): + print(f"\n> {func.__name__}({args}, {kwargs})", file=sys.stderr) + retval = func(*args, **kwargs) + print(f"< {func.__name__} -> {retval!r}", file=sys.stderr) + return retval + return wrapper + +traced_run = trace(subprocess.run) + +cleanenv={'LC_ALL': 'C.UTF-8', + 'PATH': os.environ["PATH"]} +defargs={"check": "True", "env": cleanenv, "encoding": 'UTF-8'} + +try: + distdir, master_site, files_dir, dist_dir = map(str.strip, traced_run(['make', '-V', 'DISTDIR', + '-V', 'MASTER_SITES:N*FreeBSD*', + '-V', 'FILESDIR', + '-V', 'DISTDIR'], + capture_output=True, **defargs).stdout.splitlines()) + filename_tarball = traced_run('make -V DISTFILES'.split(), capture_output=True, **defargs).stdout.splitlines()[0].strip() + filename_signature = filename_tarball + '.asc' + uri_tarball = master_site + filename_tarball + uri_signature = master_site + filename_signature + traced_run(['fetch', uri_tarball, uri_signature], **defargs) + traced_run(['gpg', '--no-options', '--with-colons', '--status-fd', '1', + '--no-default-keyring', '--keyring', files_dir + '/simon-kelley-keyring.asc', + '--verify', filename_signature, filename_tarball], **defargs) + traced_run(['rsync', '-avHPW', '--chmod=0644', filename_tarball, filename_signature, 'freefall.freebsd.org:public_distfiles/'], **defargs) + shutil.move(filename_tarball, dist_dir + '/' + filename_tarball) + traced_run(['make', 'makesum', 'clean'], **defargs) + os.remove(filename_signature) + traced_run(['make', 
'check-plist', 'package'], **defargs) + print("\nSUCCESS\n") +except Exception as cpe: + print("\nERROR\n") + print(repr(cpe)) + print("\nERROR\n") + sys.exit(1) |
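Review bot: The `gpg --verify` call asks for machine-readable status with `--status-fd 1` but never reads it, so the tarball is accepted on gpg's exit status alone, for a signature by any key in the bundled keyring. Only after that is it uploaded by `rsync` and hashed by `make makesum`. Capturing stdout and requiring a `VALIDSIG` line whose fingerprint equals one pinned in the script ties acceptance to the intended signer; the fingerprint in the sketch below is a placeholder. In the same path, `"check": "True"` enables the exit-status check only because a non-empty string is truthy; `"check": True` says what is meant.

```python
# Full fingerprint of the upstream signing key (placeholder, fill in by hand).
UPSTREAM_FPR = '<UPSTREAM-KEY-FINGERPRINT>'

    # … unchanged: make -V queries and fetch of tarball and signature …
    verified = traced_run(['gpg', '--no-options', '--with-colons', '--status-fd', '1',
                           '--no-default-keyring', '--keyring', files_dir + '/simon-kelley-keyring.asc',
                           '--verify', filename_signature, filename_tarball],
                          capture_output=True, **defargs)
    # VALIDSIG's last field is the primary key fingerprint.
    signers = [line.split()[-1] for line in verified.stdout.splitlines()
               if line.startswith('[GNUPG:] VALIDSIG ')]
    if signers != [UPSTREAM_FPR]:
        raise RuntimeError(f'signature not made by the pinned key: {signers!r}')
    # … unchanged: rsync upload, makesum, test build …
```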