chore: update dependencies, hermetic build

- Build Python dependencies hermetically
- Download Go dependencies in prepare stage to ensure hermeticity
- Fix ca-certificates permissions (fixes kres network issue)
- Don't build sd-boot here, as we build systemd in pkgs
- Publish packages to not be rebuilt in pkgs
- Update toolchain for newer Go
- Update dependencies
- rekres

Fixes: #424
Ref: siderolabs/pkgs#1153
Signed-off-by: Dmitry Sharshakov <[email protected]>

.kres.yaml

@@ -3,6 +3,14 @@ kind: pkgfile.Build
 spec:
   targets:
     - tools
+    - tools-ca-certificates
+    - tools-kmod
+    - tools-libcap
+    - tools-libselinux
+    - tools-libsepol
+    - tools-openssl
+    - tools-pcre2
+    - tools-util-linux
   reproducibleTargetName: tools
 ---
 kind: common.Renovate

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-01-15T13:57:46Z by kres 3b3f992.
+# Generated on 2025-02-13T13:00:26Z by kres 5e9dc91.
 
 # common variables
 
@@ -25,7 +25,7 @@ SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct)
 
 # sync bldr image with pkgfile
 
-BLDR_RELEASE := v0.4.0-1-g76a2c8f
+BLDR_RELEASE := v0.4.1
 BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE)
 BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src
 
@@ -45,6 +45,14 @@ COMMON_ARGS += --build-arg=SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)
 # targets defines all the available targets
 
 TARGETS = tools
+TARGETS += tools-ca-certificates
+TARGETS += tools-kmod
+TARGETS += tools-libcap
+TARGETS += tools-libselinux
+TARGETS += tools-libsepol
+TARGETS += tools-openssl
+TARGETS += tools-pcre2
+TARGETS += tools-util-linux
 
 # help menu
 

curl/pkg.yaml

@@ -2,7 +2,7 @@ name: curl
 variant: scratch
 dependencies:
   - stage: base
-  - stage: openssl
+  - stage: tools-openssl
     runtime: true
   - stage: zlib
     runtime: true

fakeroot/pkg.yaml

@@ -6,7 +6,7 @@ dependencies:
   - stage: autoconf
   - stage: automake
   - stage: libtool
-  - stage: libcap
+  - stage: tools-libcap
 steps:
   - sources:
       - url: https://salsa.debian.org/clint/fakeroot/-/archive/upstream/{{ .fakeroot_version }}/fakeroot-upstream-{{ .fakeroot_version }}.tar.gz

git/pkg.yaml

@@ -5,7 +5,7 @@ dependencies:
   - stage: zlib
     runtime: true
   - stage: gettext
-  - stage: openssl
+  - stage: tools-openssl
   - stage: curl
     runtime: true
   - stage: autoconf

meson/pkg.yaml

@@ -4,19 +4,17 @@ dependencies:
   - stage: base
   - stage: libffi
   - stage: python3
-  - stage: openssl
+  - stage: python-setuptools
+  - stage: tools-openssl
   - stage: zlib
 steps:
   - sources:
       - url: https://github.com/mesonbuild/meson/releases/download/{{ .meson_version }}/meson-{{ .meson_version }}.tar.gz
         destination: meson.tar.gz
         sha256: "{{ .meson_sha256 }}"
         sha512: "{{ .meson_sha512 }}"
-  - network: default
     prepare:
       - |
-        pip3 install setuptools
-
         tar -xzf meson.tar.gz --strip-components=1
     build:
       - |

ninja/pkg.yaml

@@ -0,0 +1,29 @@
+name: ninja
+variant: scratch
+dependencies:
+  - stage: base
+  - stage: cmake
+  - stage: curl
+  - stage: libuv
+  - stage: xz
+  - stage: expat
+  - stage: rhash
+steps:
+  - sources:
+      - url: https://github.com/ninja-build/ninja/archive/refs/tags/{{ .ninja_version }}.tar.gz
+        destination: ninja.tar.gz
+        sha256: "{{ .ninja_sha256 }}"
+        sha512: "{{ .ninja_sha512 }}"
+    prepare:
+      - |
+        tar -xzf ninja.tar.gz --strip-components=1
+        cmake -Bbuild -DBUILD_TESTING=OFF
+    build:
+      - |
+        cmake --build build
+    install:
+      - |
+        install -m755 -D build/ninja /rootfs/usr/bin/ninja
+finalize:
+  - from: /rootfs
+    to: /

pahole/pkg.yaml

@@ -20,10 +20,10 @@ dependencies:
   - stage: xz
 steps:
   - sources:
-      - url: https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot/pahole-{{.pahole_version }}.tar.gz
+      - url: https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot/pahole-{{ .pahole_version }}.tar.gz
         destination: pahole.tar.gz
-        sha256: "{{.pahole_sha256 }}"
-        sha512: "{{.pahole_sha512 }}"
+        sha256: "{{ .pahole_sha256 }}"
+        sha512: "{{ .pahole_sha512 }}"
     prepare:
       - |
         tar -xzf pahole.tar.gz --strip-components=1

policycoreutils/pkg.yaml

@@ -4,9 +4,9 @@ dependencies:
   - stage: base
   - stage: patch
   - stage: musl-fts
-  - stage: pcre
-  - stage: libsepol
-  - stage: libselinux
+  - stage: tools-pcre2
+  - stage: tools-libsepol
+  - stage: tools-libselinux
 steps:
   - sources:
       - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/policycoreutils-{{ .selinux_version }}.tar.gz

protoc-gen-go-grpc/pkg.yaml

@@ -2,17 +2,21 @@ name: protoc-gen-go-grpc
 variant: scratch
 dependencies:
   - stage: base
-  - stage: ca-certificates
+  - stage: tools-ca-certificates
 steps:
   - sources:
       - url: https://github.com/grpc/grpc-go/archive/refs/tags/{{ .protoc_gen_go_grpc_version }}.tar.gz
         destination: grpc-go.tar.gz
         sha256: "{{ .protoc_gen_go_grpc_sha256 }}"
         sha512: "{{ .protoc_gen_go_grpc_sha512 }}"
+  - network: default
     prepare:
       - |
         tar -xzf grpc-go.tar.gz --strip-components=1
-  - network: default
+      - |
+        cd cmd/protoc-gen-go-grpc
+        go mod download
+  - network: none
     build:
       - |
         export GO111MODULE=on

protoc-gen-go/pkg.yaml

@@ -2,7 +2,7 @@ name: protoc-gen-go
 variant: scratch
 dependencies:
   - stage: base
-  - stage: ca-certificates
+  - stage: tools-ca-certificates
 steps:
   - sources:
       - url: https://github.com/protocolbuffers/protobuf-go/archive/refs/tags/{{ .protoc_gen_go_version }}.tar.gz
@@ -12,7 +12,6 @@ steps:
     prepare:
       - |
         tar -xzf protobuf-go.tar.gz --strip-components=1
-  - network: default
     build:
       - |
         export GO111MODULE=on

pyelftools/pkg.yaml

@@ -0,0 +1,28 @@
+name: pyelftools
+variant: scratch
+dependencies:
+  - stage: base
+  - stage: libffi
+  - stage: python3
+  - stage: python-setuptools
+  - stage: zlib
+steps:
+  - sources:
+      - url: https://github.com/eliben/pyelftools/archive/refs/tags/{{ .pyelftools_version }}.tar.gz
+        destination: pyelftools.tar.gz
+        sha256: "{{ .pyelftools_sha256 }}"
+        sha512: "{{ .pyelftools_sha512 }}"
+    prepare:
+      - |
+        tar -xzf pyelftools.tar.gz --strip-components=1
+    build:
+      - |
+        python3 setup.py build
+    install:
+      - |
+        python3 setup.py install --root=/rootfs
+        # Determinism: remove all bytecode
+        find /rootfs -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}"
+finalize:
+  - from: /rootfs
+    to: /

python-build/pkg.yaml

@@ -0,0 +1,20 @@
+name: python-build
+variant: scratch
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/pypa/build/archive/refs/tags/{{ .python_build_version }}.tar.gz
+        destination: python-build.tar.gz
+        sha256: "{{ .python_build_sha256 }}"
+        sha512: "{{ .python_build_sha512 }}"
+    prepare:
+      - |
+        tar -xzf python-build.tar.gz --strip-components=1
+    install:
+      - |
+        mkdir -p /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages
+        cp -rd src/build /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages/
+finalize:
+  - from: /rootfs
+    to: /

python-flit_core/pkg.yaml

@@ -0,0 +1,20 @@
+name: python-flit_core
+variant: scratch
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/pypa/flit/archive/refs/tags/{{ .python_flit_core_version }}.tar.gz
+        destination: python_flit_core.tar.gz
+        sha256: "{{ .python_flit_core_sha256 }}"
+        sha512: "{{ .python_flit_core_sha512 }}"
+    prepare:
+      - |
+        tar -xzf python_flit_core.tar.gz --strip-components=1
+    install:
+      - |
+        mkdir -p /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages
+        cp -rd flit_core/flit_core /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages/
+finalize:
+  - from: /rootfs
+    to: /

python-gpep517/pkg.yaml

@@ -0,0 +1,20 @@
+name: python-gpep517
+variant: scratch
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/projg2/gpep517/archive/refs/tags/{{ .python_gpep517_version }}.tar.gz
+        destination: python_gpep517.tar.gz
+        sha256: "{{ .python_gpep517_sha256 }}"
+        sha512: "{{ .python_gpep517_sha512 }}"
+    prepare:
+      - |
+        tar -xzf python_gpep517.tar.gz --strip-components=1
+    install:
+      - |
+        mkdir -p /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages
+        cp -rd gpep517 /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages/
+finalize:
+  - from: /rootfs
+    to: /

python-installer/pkg.yaml

@@ -0,0 +1,21 @@
+name: python-installer
+variant: scratch
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/pypa/installer/archive/refs/tags/{{ .python_installer_version }}.tar.gz
+        destination: python_installer.tar.gz
+        sha256: "{{ .python_installer_sha256 }}"
+        sha512: "{{ .python_installer_sha512 }}"
+    prepare:
+      - |
+        tar -xzf python_installer.tar.gz --strip-components=1
+    install:
+      - |
+        mkdir -p /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages
+        rm -rf src/installer/_scripts/*.exe
+        cp -rd src/installer /rootfs/usr/lib/python{{ .python_maj_min_version }}/site-packages/
+finalize:
+  - from: /rootfs
+    to: /

python-jinja2/pkg.yaml

@@ -0,0 +1,36 @@
+name: python-jinja2
+variant: scratch
+dependencies:
+  - stage: base
+  - stage: libffi
+  - stage: python3
+  - stage: python-build
+  - stage: python-gpep517
+  - stage: python-flit_core
+  - stage: python-installer
+  - stage: python-markupsafe
+  - stage: zlib
+steps:
+  - sources:
+      - url: https://github.com/pallets/jinja/archive/refs/tags/{{ .python_jinja2_version }}.tar.gz
+        destination: jinja2.tar.gz
+        sha256: "{{ .python_jinja2_sha256 }}"
+        sha512: "{{ .python_jinja2_sha512 }}"
+    prepare:
+      - |
+        tar -xzf jinja2.tar.gz --strip-components=1
+    build:
+      - |
+        python3 -m gpep517 build-wheel --wheel-dir /tmp --output-fd 1
+    install:
+      - |
+        python3 -m installer -d /rootfs /tmp/*.whl
+        # Determinism: remove all bytecode
+        find /rootfs -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}"
+    test:
+      - |
+        python3 -m installer /tmp/*.whl
+        python3 -c "import jinja2"
+finalize:
+  - from: /rootfs
+    to: /

python-markupsafe/pkg.yaml

@@ -0,0 +1,36 @@
+name: python-markupsafe
+variant: scratch
+dependencies:
+  - stage: base
+  - stage: libffi
+  - stage: python3
+  - stage: python-build
+  - stage: python-gpep517
+  - stage: python-flit_core
+  - stage: python-installer
+  - stage: python-setuptools
+  - stage: zlib
+steps:
+  - sources:
+      - url: https://github.com/pallets/markupsafe/archive/refs/tags/{{ .python_markupsafe_version }}.tar.gz
+        destination: markupsafe.tar.gz
+        sha256: "{{ .python_markupsafe_sha256 }}"
+        sha512: "{{ .python_markupsafe_sha512 }}"
+    prepare:
+      - |
+        tar -xzf markupsafe.tar.gz --strip-components=1
+    build:
+      - |
+        python3 -m gpep517 build-wheel --wheel-dir /tmp --output-fd 1
+    install:
+      - |
+        python3 -m installer -d /rootfs /tmp/*.whl
+        # Determinism: remove all bytecode
+        find /rootfs -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}"
+    test:
+      - |
+        python3 -m installer /tmp/*.whl
+        python3 -c "import markupsafe"
+finalize:
+  - from: /rootfs
+    to: /