Break the circular dependencies with curl, openssl, git

Building the chroot environment from sources using
"--bootstrap" currently runs into a circular dependency:
curl->openssl->git->curl

The openssl->git dependency comes indirectly from the fact
that the current version of openssl uses the "cros-workon"
ebuild package to assist in applying packages. The ebuild
system automatically and silently resolves this circular
dependency by reverting the openssl library to an earlier
version that does not use cros-workon based patching.

Unfortunately this older version of openssl has a bug that
causes it not to work when doing builds in a firewalled
environment: When curl (using this older version of openssl
library) attempts to fetch an "https" url, it authenticates
the target server against a bundle of certificate-authority
certificates it maintains. Finding the certificate fails
(although the validation succeeds if curl is told explicitly
what certificate to use). With the certificate not-found,
server authentication fails, the curl download fails, and
the build ultimately fails.

This patch breaks the circular dependency, allowing a
more-current version of openssl to be used in curl, making
the above build scenario work in a firewalled environment.

The circularity is broken by first building git without curl
support (and webdav that depends on curl). Then early
toolchain components up through and including curl are
built. This build of curl then uses a more up-to-date
version of openssl with the desired bug-fix. Once curl is
built, then git is re-built and re-installed with the
now-installed version of curl (re-)enabled.

BUG=None
TEST=create chroot with --bootstrap ; build_packages (behind firewall)
Change-Id: Iaa560fdb6623fcb73cde066a3b2bc2a342169c62
Reviewed-on: https://gerrit.chromium.org/gerrit/34292
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: paul drews <paul.drews@intel.com>
Tested-by: paul drews <paul.drews@intel.com>
diff --git a/sdk_lib/make_chroot.sh b/sdk_lib/make_chroot.sh
index ae33fbf..4493309 100755
--- a/sdk_lib/make_chroot.sh
+++ b/sdk_lib/make_chroot.sh
@@ -423,6 +423,16 @@
info "Updating portage"
early_enter_chroot emerge -uNv --quiet portage
+# Packages that inherit cros-workon commonly get a circular dependency
+# curl->openssl->git->curl that is broken by emerging an early version of git
+# without curl (and webdav that depends on it).
+need_git_rebuild=${FLAGS_FALSE}
+if [[ ! -e "${FLAGS_chroot}/usr/bin/git" ]]; then
+ need_git_rebuild=${FLAGS_TRUE}
+ info "Updating early git"
+ USE="-curl -webdav" early_enter_chroot emerge -uNv $USEPKG dev-vcs/git
+fi
+
info "Updating host toolchain"
early_enter_chroot emerge -uNv --quiet crossdev
TOOLCHAIN_ARGS=( --deleteold )
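Review bot: The `[[ ! -e "${FLAGS_chroot}/usr/bin/git" ]]` test decides the rebuild from the presence of the git binary alone, so a run that is interrupted after "Updating early git" but before the later re-emerge will, as far as these lines show, find /usr/bin/git on the next run, leave need_git_rebuild at FLAGS_FALSE, and keep the git that was built with USE="-curl -webdav". Consider keying the rebuild on something that survives an interrupted run, such as a marker file written here and removed once the full git is installed. Minor: this emerge omits the --quiet that the neighbouring portage and crossdev calls pass.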
@@ -440,7 +450,13 @@
info "Running emerge curl sudo ..."
early_enter_chroot $EMERGE_CMD -uNv $USEPKG --select $EMERGE_JOBS \
- pbzip2 net-misc/curl sudo
+ pbzip2 dev-libs/openssl net-misc/curl sudo
+
+if [[ ${need_git_rebuild} -eq ${FLAGS_TRUE} ]]; then
+ # (Re-)emerge the full version of git, without preventing curl.
+ info "Updating full verison of git"
+ early_enter_chroot emerge -uNv $USEPKG dev-vcs/git
+fi
if [ -n "${INITIALIZE_CHROOT}" ]; then
# If we're creating a new chroot, we also want to set it to the latest
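Review bot: The `dev-libs/openssl` added to the `pbzip2 dev-libs/openssl net-misc/curl sudo` list has no comment, and because this command passes --select, openssl also becomes an explicitly selected package; a one-line comment saying it is listed so that curl builds against the current openssl rather than the fallback version would keep a later cleanup from dropping it. In the rebuild block, the info string has a typo ("verison"), and the call uses plain `emerge -uNv $USEPKG` where the command just above uses $EMERGE_CMD and $EMERGE_JOBS; using the same invocation would keep the two consistent.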