build system audit: implement Phase 1-3 fixes comprehensively

Phase 1 (Critical):
- Fix broken config includes: redbear-minimal -> redbear-mini in wifi/bt experimental configs
- Fix 05_boot-essential.target dependency: 00_base -> 04_drivers for correct boot ordering
- Fix IOMMU service dependency: 00_base -> 05_boot-essential
- Fix firmware-loader dependency: 00_base -> 05_boot-essential
- Fix messagebus shell: /usr/bin/zsh -> /usr/bin/false (security)
- Add offline gate to fetch-firmware.sh (REPO_OFFLINE=1 blocks network access)
- Add --upstream gate to fetch-all-sources.sh (network access requires explicit opt-in)
- Gate U-Boot wget calls in mk/qemu.mk with REPO_OFFLINE check
- Fix patch-inclusion-gate.sh: rewrite from Python deps to pure shell implementation
- Fix build-redbear.sh: remove direct patch application, let repo fetch handle it atomically

Phase 2 (High):
- Increase redbear-full filesystem_size: 4096 -> 8192 MiB for KDE desktop
- Deprecate redbear-greeter-services.toml (orphaned, not included by any config)
- Add cascade rebuild target to Makefile (make cascade.<package>)
- Gate cargo-update.sh with REDBEAR_ALLOW_UPSTREAM
- Add deprecation notice to apply-patches.sh
- Make protected recipe list data-driven via config/protected-recipes.toml
- Replace 127-entry hardcoded Rust matches! with TOML config file reader

Phase 3 (Medium):
- Fix 5 phantom doc references in local/AGENTS.md (retired/removed docs)
- Fix stale config names: redbear-minimal -> redbear-mini across scripts
- Fix duplicate references in docs/README.md
- Fix run_full.sh and run_mini.sh: hardcoded paths -> relative paths + error handling
2026-05-28 17:24:50 +03:00
parent 2b11b20a2f
commit a0244075e7
22 changed files with 280 additions and 234 deletions
+2
@@ -231,3 +231,5 @@ packages-sync: ; @bash local/scripts/sync-packages.sh
packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/" packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/"
validate-patches: validate-patches:
@bash local/scripts/validate-patches.sh @bash local/scripts/validate-patches.sh
cascade.%: FORCE
@bash local/scripts/rebuild-cascade.sh $(basename $(subst cascade,, $*))
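Review bot: `$(basename $(subst cascade,, $*))` in the `cascade.%` recipe mangles package names: `$*` is already the stem after `cascade.`, so the `subst` is a no-op for ordinary names but strips the substring from any package whose name contains `cascade`, and `basename` drops everything after the last dot, so `make cascade.foo.bar` would rebuild `foo`. Passing the stem through unchanged is sufficient: `@bash local/scripts/rebuild-cascade.sh "$*"`. The script `local/scripts/rebuild-cascade.sh` does not appear in the visible diff, so confirm it already exists in the tree.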
+96
@@ -0,0 +1,96 @@
# Protected recipes — these recipes are NEVER re-fetched from upstream.
# They use offline/archived sources from sources/redbear-<release>/.
#
# Protection reasons:
# - patched: carries Red Bear patches (upstream changes could break patches)
# - custom: Red Bear-specific recipe (no upstream equivalent)
# - core: core system component (kernel, libc, bootloader, etc.)
#
# The Rust code in src/cook/fetch.rs reads this file at startup.
# Recipes NOT listed here but carrying patches (patches = [...] in recipe.toml)
# are automatically protected by the recipe_has_patches() check.
# Core patched recipes (upstream + Red Bear patches)
[patched]
recipes = [
"relibc", "bootloader", "kernel", "base", "base-initfs",
"installer", "redoxfs", "grub",
]
# Red Bear custom core recipes
[custom]
recipes = [
"ext4d", "fatd",
]
# Red Bear driver infrastructure
[drivers]
recipes = [
"redox-driver-sys", "linux-kpi", "firmware-loader",
"redbear-btusb", "redbear-iwlwifi",
"redox-drm", "amdgpu",
]
# Red Bear system tools
[system]
recipes = [
"cub", "evdevd", "udev-shim", "iommu",
"redbear-firmware", "redbear-hwutils", "redbear-info", "rbos-info",
"redbear-meta", "redbear-netctl", "redbear-netctl-console",
"redbear-netstat", "redbear-btctl", "redbear-wifictl",
"redbear-traceroute", "redbear-mtr", "redbear-nmap",
"redbear-sessiond", "redbear-authd", "redbear-session-launch",
"redbear-greeter", "redbear-dbus-services", "redbear-notifications",
"redbear-upower", "redbear-udisks", "redbear-polkit", "redbear-quirks",
"redbear-release",
]
# Qt stack with Red Bear patches
[qt]
recipes = [
"qtbase", "qtwayland", "qtdeclarative", "qtbase-compat",
]
# Graphics / display stack with Red Bear patches
[graphics]
recipes = [
"libdrm", "mesa",
"libwayland", "libevdev", "libinput",
"dbus", "glib",
]
# Red Bear library stubs and custom libs
[libs]
recipes = [
"libepoxy-stub", "libdisplay-info-stub", "lcms2-stub",
"libxcvt-stub", "libudev-stub", "zbus", "libqrencode",
]
# Red Bear Wayland
[wayland]
recipes = [
"qt6-wayland-smoke", "smallvil", "seatd-redox",
]
# Red Bear KDE (47 recipes)
[kde]
recipes = [
"kf6-extra-cmake-modules", "kf6-kcoreaddons", "kf6-kwidgetsaddons",
"kf6-kconfig", "kf6-ki18n", "kf6-kcodecs", "kf6-kguiaddons",
"kf6-kcolorscheme", "kf6-kauth", "kf6-kitemmodels", "kf6-kitemviews",
"kf6-karchive", "kf6-kwindowsystem", "kf6-knotifications",
"kf6-kjobwidgets", "kf6-kconfigwidgets", "kf6-kcrash", "kf6-kdbusaddons",
"kf6-kglobalaccel", "kf6-kservice", "kf6-kpackage", "kf6-kiconthemes",
"kf6-kxmlgui", "kf6-ktextwidgets", "kf6-solid", "kf6-sonnet",
"kf6-kio", "kf6-kbookmarks", "kf6-kcompletion", "kf6-kdeclarative",
"kf6-kcmutils", "kf6-kidletime", "kf6-kwayland", "kf6-knewstuff",
"kf6-kwallet", "kf6-prison", "kf6-kirigami",
"kdecoration", "kwin", "plasma-desktop", "plasma-workspace",
"plasma-framework", "plasma-wayland-protocols", "kirigami",
]
# Orbutils (has local patch)
[other]
recipes = [
"orbutils",
]
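Review bot: The header should state that the reader resolves this file relative to the process working directory, because the `redbear_protected_recipe` change to src/cook/fetch.rs in this commit opens `config/protected-recipes.toml` as given, so a `cook` started anywhere but the repository root sees no protected recipes at all. Suggested line after `# The Rust code in src/cook/fetch.rs reads this file at startup.`: `# The path is resolved against the working directory: cook must run from the repository root.` The statement that unlisted recipes with `patches = [...]` are auto-protected by `recipe_has_patches()` is not visible anywhere in this commit; verify it before relying on the comment as documentation of the protection boundary.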
+1 -1
@@ -7,7 +7,7 @@
# The current slice is explicit-startup, USB-attached, BLE-first, and intentionally not wired to # The current slice is explicit-startup, USB-attached, BLE-first, and intentionally not wired to
# USB-class autospawn yet. # USB-class autospawn yet.
include = ["redbear-minimal.toml", "redbear-bluetooth-services.toml"] include = ["redbear-mini.toml", "redbear-bluetooth-services.toml"]
[general] [general]
filesystem_size = 2048 filesystem_size = 2048
+5 -5
@@ -17,14 +17,14 @@
include = ["redbear-mini.toml"] include = ["redbear-mini.toml"]
[general] [general]
filesystem_size = 4096 filesystem_size = 8192
[users.messagebus] [users.messagebus]
uid = 100 uid = 100
gid = 100 gid = 100
name = "messagebus" name = "messagebus"
home = "/nonexistent" home = "/nonexistent"
shell = "/usr/bin/zsh" shell = "/usr/bin/false"
[users.root] [users.root]
password = "password" password = "password"
@@ -239,7 +239,7 @@ data = """
[unit] [unit]
description = "Firmware loading scheme" description = "Firmware loading scheme"
requires_weak = [ requires_weak = [
"00_base.target", "05_boot-essential.target",
] ]
[service] [service]
@@ -253,7 +253,7 @@ data = """
[unit] [unit]
description = "Boot essential services target" description = "Boot essential services target"
requires_weak = [ requires_weak = [
"00_base.target", "04_drivers.target",
] ]
""" """
@@ -263,7 +263,7 @@ data = """
[unit] [unit]
description = "IOMMU DMA remapping daemon" description = "IOMMU DMA remapping daemon"
requires_weak = [ requires_weak = [
"00_base.target", "05_boot-essential.target",
] ]
[service] [service]
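Review bot: Making the IOMMU daemon wait for `05_boot-essential.target`, which the previous hunk in this file now makes depend on `04_drivers.target`, sequences DMA remapping after the driver target rather than before it, so devices brought up under 04_drivers run with DMA unremapped until iommu starts. If the intent is for the IOMMU to constrain driver DMA, the dependency should point the other way (04_drivers ordered after the iommu unit); if iommu genuinely needs the drivers first, a comment in the unit explaining why would stop the next reader from "fixing" it. The `requires_weak` ordering semantics of this init are not visible here, so confirm which direction it actually enforces. Separately, the first hunk still ships `password = "password"` for root, which undercuts the messagebus `shell = "/usr/bin/false"` hardening in the same file unless this config is development-only.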
+6 -4
@@ -1,8 +1,10 @@
# Red Bear greeter/login service wiring # DEPRECATED: This fragment is NO LONGER INCLUDED by any active config.
# # All greeter/auth/session wiring is now inlined in redbear-full.toml.
# This fragment is intended to be included by the active desktop/graphics target. # This file is retained for reference only. Do not include it in new configs.
# To add greeter services, edit redbear-full.toml directly.
[[files]] # Original contents below (preserved for reference):
#[[files]]
path = "/etc/init.d/05_boot-essential.target" path = "/etc/init.d/05_boot-essential.target"
data = """ data = """
[unit] [unit]
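Review bot: Commenting out only the first `[[files]]` header leaves `path = ...` and `data = """` as top-level keys, so the file is still valid TOML that parses to a different document rather than a disabled one, and any later `[[files]]` entries in the rest of the file (outside this hunk) remain live tables. Either comment out the whole body or rename the file (for example to `redbear-greeter-services.toml.deprecated`) so a stray `include` fails loudly instead of partially applying. Given the commit states no config includes it, deleting the file and relying on git history for the reference copy would be the simplest option.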
+1 -1
@@ -19,7 +19,7 @@ uid = 100
gid = 100 gid = 100
name = "messagebus" name = "messagebus"
home = "/nonexistent" home = "/nonexistent"
shell = "/usr/bin/zsh" shell = "/usr/bin/false"
[packages] [packages]
# Red Bear OS branding and host utilities. # Red Bear OS branding and host utilities.
+1 -1
@@ -1,6 +1,6 @@
# Red Bear OS shared network profile wiring # Red Bear OS shared network profile wiring
# #
# Shared by redbear-minimal, redbear-desktop, redbear-full, and redbear-kde. # Shared by redbear-mini, redbear-full, and other network-enabled configs.
[[files]] [[files]]
path = "/etc/netctl" path = "/etc/netctl"
+1 -1
@@ -6,7 +6,7 @@
# to the bounded Wi-Fi path and adds the first Intel driver-side package on top of the shared # to the bounded Wi-Fi path and adds the first Intel driver-side package on top of the shared
# firmware/control/profile tooling. # firmware/control/profile tooling.
include = ["redbear-minimal.toml"] include = ["redbear-mini.toml"]
[general] [general]
filesystem_size = 2048 filesystem_size = 2048
+1 -3
@@ -21,8 +21,7 @@ current/canonical versus historical/reference split obvious.
> **Red Bear note:** newer subsystem plans can also live under `local/docs/` when they are Red Bear- > **Red Bear note:** newer subsystem plans can also live under `local/docs/` when they are Red Bear-
> specific rather than general Redox architecture material. In particular, see > specific rather than general Redox architecture material. In particular, see
> `local/docs/WIFI-IMPLEMENTATION-PLAN.md` for the current Wi-Fi direction, > `local/docs/WIFI-IMPLEMENTATION-PLAN.md` for the current Wi-Fi direction,
> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path, > `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
> and `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
> **Repository model:** RedBearOS relates to Redox in the same way Ubuntu relates to Debian. > **Repository model:** RedBearOS relates to Redox in the same way Ubuntu relates to Debian.
> Upstream Redox remains the base platform; Red Bear carries packaging, patch, validation, and > Upstream Redox remains the base platform; Red Bear carries packaging, patch, validation, and
@@ -101,7 +100,6 @@ This summary is only a quick orientation layer. For canonical current-state deta
- `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md` for repository-wide execution order, - `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md` for repository-wide execution order,
- `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical comprehensive plan, - `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical comprehensive plan,
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile, - `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
- and the active subsystem plans under `local/docs/` for detailed current workstreams. - and the active subsystem plans under `local/docs/` for detailed current workstreams.
- **Compile targets**: the supported compile targets are `redbear-mini`, `redbear-full`, and `redbear-grub` - **Compile targets**: the supported compile targets are `redbear-mini`, `redbear-full`, and `redbear-grub`
+3 -9
@@ -534,15 +534,10 @@ When mainline updates affect our work:
- `local/docs/DRM-MODERNIZATION-EXECUTION-PLAN.md` is the current DRM-focused execution plan beneath - `local/docs/DRM-MODERNIZATION-EXECUTION-PLAN.md` is the current DRM-focused execution plan beneath
the canonical desktop path. It keeps Intel and AMD at the same evidence bar while separating the canonical desktop path. It keeps Intel and AMD at the same evidence bar while separating
display/KMS maturity from render/3D maturity. display/KMS maturity from render/3D maturity.
- Older GPU-specific docs such as `local/docs/AMD-FIRST-INTEGRATION.md`, - Older GPU-specific docs (`AMD-FIRST-INTEGRATION.md`, `HARDWARE-3D-ASSESSMENT.md`, `DMA-BUF-IMPROVEMENT-PLAN.md`) have been retired and removed from the tree. Their content is subsumed by `CONSOLE-TO-KDE-DESKTOP-PLAN.md` and `DRM-MODERNIZATION-EXECUTION-PLAN.md`.
`local/docs/HARDWARE-3D-ASSESSMENT.md`, and `local/docs/DMA-BUF-IMPROVEMENT-PLAN.md` remain - `DESKTOP-STACK-CURRENT-STATUS.md` has been retired — its content merged into `CONSOLE-TO-KDE-DESKTOP-PLAN.md`.
useful reference material, but they are not the planning authority when sequencing or acceptance
criteria differ.
- `local/docs/AMD-FIRST-INTEGRATION.md` remains the deeper AMD-specific technical roadmap, but AMD - `local/docs/AMD-FIRST-INTEGRATION.md` remains the deeper AMD-specific technical roadmap, but AMD
and Intel machines are now equal-priority Red Bear OS targets. and Intel machines are now equal-priority Red Bear OS targets.
- The earlier Phase 03 reassessment bridge has been retired. Its reconciliation role is now
covered by `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md`,
`local/docs/DESKTOP-STACK-CURRENT-STATUS.md`, and `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md`.
- `local/docs/WIFI-IMPLEMENTATION-PLAN.md` is the current Wi-Fi architecture and rollout plan, - `local/docs/WIFI-IMPLEMENTATION-PLAN.md` is the current Wi-Fi architecture and rollout plan,
including the bounded role of `linux-kpi` and the native wireless control-plane direction. including the bounded role of `linux-kpi` and the native wireless control-plane direction.
- `local/docs/USB-IMPLEMENTATION-PLAN.md` and `local/docs/BLUETOOTH-IMPLEMENTATION-PLAN.md` should - `local/docs/USB-IMPLEMENTATION-PLAN.md` and `local/docs/BLUETOOTH-IMPLEMENTATION-PLAN.md` should
@@ -551,8 +546,7 @@ When mainline updates affect our work:
IRQ delivery, MSI/MSI-X quality, IOMMU validation, and other low-level controller completeness work. IRQ delivery, MSI/MSI-X quality, IOMMU validation, and other low-level controller completeness work.
- `local/docs/QUIRKS-SYSTEM.md` documents the hardware quirks infrastructure: compiled-in tables, - `local/docs/QUIRKS-SYSTEM.md` documents the hardware quirks infrastructure: compiled-in tables,
TOML runtime files, DMI matching, driver integration, and the linux-kpi C FFI bridge. TOML runtime files, DMI matching, driver integration, and the linux-kpi C FFI bridge.
- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` is the current follow-up plan for removing quirks drift, - `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` has been retired — quirks convergence is tracked in `QUIRKS-SYSTEM.md` and the canonical desktop path plan.
integrating quirks into real drivers, and converging on one source of truth.
- `local/docs/DBUS-INTEGRATION-PLAN.md` is the canonical D-Bus architecture and implementation plan for KDE Plasma 6 on Wayland. It defines the phased approach to D-Bus service integration, the `redbear-sessiond` login1-compatible session broker, and the gap analysis for desktop-facing D-Bus services. - `local/docs/DBUS-INTEGRATION-PLAN.md` is the canonical D-Bus architecture and implementation plan for KDE Plasma 6 on Wayland. It defines the phased approach to D-Bus service integration, the `redbear-sessiond` login1-compatible session broker, and the gap analysis for desktop-facing D-Bus services.
- `local/docs/GREETER-LOGIN-IMPLEMENTATION-PLAN.md` is the canonical Red Bear-native greeter/login design and current implementation plan for the `redbear-full` desktop path. It defines the `redbear-authd` / `redbear-session-launch` / `redbear-greeter` split, service wiring, validation surface, and the current boundary between the active greeter path and the older `redbear-validation-session` helper flows. - `local/docs/GREETER-LOGIN-IMPLEMENTATION-PLAN.md` is the canonical Red Bear-native greeter/login design and current implementation plan for the `redbear-full` desktop path. It defines the `redbear-authd` / `redbear-session-launch` / `redbear-greeter` split, service wiring, validation surface, and the current boundary between the active greeter path and the older `redbear-validation-session` helper flows.
+4
@@ -1,6 +1,10 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# apply-patches.sh — Apply all Red Bear OS overlays on top of upstream Redox build system. # apply-patches.sh — Apply all Red Bear OS overlays on top of upstream Redox build system.
# #
# DEPRECATION NOTICE: Patches are now applied atomically by 'repo fetch' via recipe.toml.
# This script is retained for: (1) build-system git patches, (2) recipe symlinks.
# Do NOT use this for recipe source patching — that is handled by the cookbook.
#
# Usage: ./local/scripts/apply-patches.sh [--force] [--dry-run] # Usage: ./local/scripts/apply-patches.sh [--force] [--dry-run]
# #
# This script: # This script:
+2 -51
@@ -124,57 +124,8 @@ stash_nested_repo_if_dirty() {
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc" stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
if [ "$APPLY_PATCHES" = "1" ] && [ -z "${REDBEAR_RELEASE:-}" ]; then if [ "$APPLY_PATCHES" = "1" ] && [ -z "${REDBEAR_RELEASE:-}" ]; then
echo ">>> Applying local patches..." echo ">>> Patches are applied by 'repo fetch' via recipe.toml (atomic mechanism)"
echo ">>> Skipping direct patch application (was bypassing cookbook atomicity)"
apply_patch_dir() {
local patch_dir="$1"
local target_dir="$2"
local label="$3"
if [ "$label" = "relibc" ] && [ -d "$target_dir/.git" ]; then
if ! git -C "$target_dir" diff --quiet || ! git -C "$target_dir" diff --cached --quiet || [ -n "$(git -C "$target_dir" ls-files --others --exclude-standard)" ]; then
echo " STASH relibc source (dirty nested checkout)"
rm -f "$target_dir/.git/index.lock"
git -C "$target_dir" stash push --all -m "build-redbear-auto-stash" > /dev/null 2>&1 || true
fi
fi
if [ ! -d "$patch_dir" ]; then
return 0
fi
for patch_file in "$patch_dir"/*.patch; do
[ -f "$patch_file" ] || continue
patch_name=$(basename "$patch_file")
if [ "$label" = "base" ] && [ "$patch_name" = "P0-acpid-power-methods.patch" ]; then
acpid_file="$target_dir/drivers/acpid/src/acpi.rs"
if [ -f "$acpid_file" ] && grep -q "pub fn evaluate_acpi_method(" "$acpid_file"; then
echo " SKIP $patch_name (ACPI power helper methods already present)"
continue
fi
fi
if [ ! -d "$target_dir" ]; then
echo " SKIP $patch_name ($label source not fetched yet)"
continue
fi
if patch --dry-run -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1; then
patch -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1
echo " OK $patch_name"
else
echo " SKIP $patch_name (already applied or won't apply)"
fi
done
}
apply_patch_dir "$PROJECT_ROOT/local/patches/kernel" "$PROJECT_ROOT/recipes/core/kernel/source" "kernel"
apply_patch_dir "$PROJECT_ROOT/local/patches/base" "$PROJECT_ROOT/recipes/core/base/source" "base"
apply_patch_dir "$PROJECT_ROOT/local/patches/relibc" "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
apply_patch_dir "$PROJECT_ROOT/local/patches/bootloader" "$PROJECT_ROOT/recipes/core/bootloader/source" "bootloader"
apply_patch_dir "$PROJECT_ROOT/local/patches/installer" "$PROJECT_ROOT/recipes/core/installer/source" "installer"
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
echo "" echo ""
elif [ -n "${REDBEAR_RELEASE:-}" ]; then elif [ -n "${REDBEAR_RELEASE:-}" ]; then
echo ">>> Release mode: skipping patch application (patches pre-applied in archived sources)" echo ">>> Release mode: skipping patch application (patches pre-applied in archived sources)"
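Review bot: After this change the `[ "$APPLY_PATCHES" = "1" ]` branch only prints two messages, so the `APPLY_PATCHES` flag (and whatever sets it, outside this hunk) no longer affects behaviour while still reading as if patching happens. Either drop the flag and print the note unconditionally, or make the message explicit that the flag is now ignored, e.g. `echo ">>> NOTE: patch application is handled by 'repo fetch' via recipe.toml; the apply-patches flag is a no-op"`. The removed block also ran `stash_nested_repo_if_dirty` a second time after patching, while only the call before the `if` survives; confirm the single pre-stash is still what the relibc checkout needs now that the cookbook applies patches. The `if`/`elif` chain continues past the end of this hunk.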
+9
@@ -12,6 +12,15 @@ VENDOR="amd"
SUBSET="all" SUBSET="all"
COPIED_COUNT=0 COPIED_COUNT=0
# Offline gate: this script downloads from the network.
# Block if REPO_OFFLINE=1 (the default during builds).
if [ "${REPO_OFFLINE:-1}" = "1" ] && [ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]; then
echo "ERROR: fetch-firmware.sh requires network access but REPO_OFFLINE=1." >&2
echo " Set REPO_OFFLINE=0 or pass REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
exit 1
fi
usage() { usage() {
cat <<EOF cat <<EOF
Usage: $(basename "$0") [--vendor amd|intel] [--subset all|rdna|dmc|wifi|bluetooth] Usage: $(basename "$0") [--vendor amd|intel] [--subset all|rdna|dmc|wifi|bluetooth]
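Review bot: The override test `[ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]` accepts any non-empty value, so `REDBEAR_ALLOW_UPSTREAM=0` disables the gate, whereas cargo-update.sh and fetch-all-sources.sh in the same commit treat `0` as denied. Align it with the error text, which asks for `=1`: `if [ "${REPO_OFFLINE:-1}" = "1" ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then`. The gate also runs before `usage()` is defined and before arguments are parsed, so `--help` is blocked whenever the default offline mode applies; moving the check after option parsing, or exempting the help path, keeps the usage text reachable.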
+2
@@ -43,6 +43,8 @@ else
mv $@.partial $@ mv $@.partial $@
cp redbear.ipxe $(LIVE_IPXE) cp redbear.ipxe $(LIVE_IPXE)
endif endif
@echo "NOTE: $(LIVE_ISO) is a raw disk image with iPXE boot, not an ISO9660 image."
@echo " Use 'make live' for the full live image with bootloader embedded."
$(BUILD)/filesystem.img: $(FSTOOLS) $(REPO_TAG) $(BUILD)/filesystem.img: $(FSTOOLS) $(REPO_TAG)
ifeq ($(FSTOOLS_IN_PODMAN),1) ifeq ($(FSTOOLS_IN_PODMAN),1)
+12
@@ -381,10 +381,22 @@ $(WINDOWS_DISK): $(BUILD)/harddrive.img
cp "$<" "$@" cp "$<" "$@"
$(BUILD)/raspi3bp_uboot.rom: $(BUILD)/raspi3bp_uboot.rom:
ifneq ($(REPO_OFFLINE),1)
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/raspberry_pi/rpi3/u-boot-rpi-3-b-plus.bin wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/raspberry_pi/rpi3/u-boot-rpi-3-b-plus.bin
else
@echo "SKIP: raspi3bp_uboot.rom download blocked (REPO_OFFLINE=1)"
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
endif
$(BUILD)/qemu_uboot.rom: $(BUILD)/qemu_uboot.rom:
ifneq ($(REPO_OFFLINE),1)
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/qemu/qemu_arm64/u-boot-qemu-arm64.bin wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/qemu/qemu_arm64/u-boot-qemu-arm64.bin
else
@echo "SKIP: qemu_uboot.rom download blocked (REPO_OFFLINE=1)"
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
endif
qemu: qemu-deps qemu: qemu-deps
$(QEMU) $(QEMUFLAGS) $(QEMU) $(QEMUFLAGS)
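Review bot: `wget -O $@ ...` writes straight to the target, so an interrupted or failed download leaves a partial `$@` that satisfies `test -f $@` in the offline branch on the next run and is then handed to QEMU as firmware. Download to a temporary name and rename only on success, as live.mk in this same commit already does with `.partial`: `wget -O $@.partial <url> && mv $@.partial $@`. The same applies to the `qemu_uboot.rom` rule below it. The binaries are also fetched without any integrity check; pinning an expected hash and verifying it before the `mv` would make the U-Boot images part of the auditable source set rather than whatever the URL serves on a given day.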
+6 -1
@@ -1,6 +1,11 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail
# This script runs "make f.recipe" and "cargo update" in the specified recipe if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]; then
echo "ERROR: cargo-update.sh modifies Cargo.lock files and may require network access." >&2
echo " Set REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
exit 1
fi
recipe_name="$1" recipe_name="$1"
recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4) recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4)
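Review bot: With `set -euo pipefail` now in effect, `recipe_name="$1"` on a bare invocation aborts with bash's "unbound variable" message instead of a usage hint, so the new strict mode turns the most common misuse into an opaque failure. Add an argument check ahead of it: `[ $# -ge 1 ] || { echo "usage: $(basename "$0") <recipe-name>" >&2; exit 2; }`. The `find recipes -name "$recipe_name" -maxdepth 4` line that follows is unchanged context, but note that find warns when `-maxdepth` appears after `-name`, and that warning will now be visible on every permitted run.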
+17 -4
@@ -34,6 +34,7 @@ cd "$REPO_ROOT"
REPO_BIN="./target/release/repo" REPO_BIN="./target/release/repo"
CONFIG_NAME="${1:-redbear-full}" CONFIG_NAME="${1:-redbear-full}"
ACTION="fetch" ACTION="fetch"
ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"
# ── Colors (disabled when not a terminal) ─────────────────────────── # ── Colors (disabled when not a terminal) ───────────────────────────
if [ -t 1 ]; then if [ -t 1 ]; then
@@ -56,9 +57,10 @@ usage() {
echo " --status Show which sources already exist locally" echo " --status Show which sources already exist locally"
echo " --preflight Smart blake3/size check — show what needs updating" echo " --preflight Smart blake3/size check — show what needs updating"
echo " --force Force re-download even if checksums match" echo " --force Force re-download even if checksums match"
echo " --upstream Allow network access for source fetching (gated)"
echo " --help Show this help" echo " --help Show this help"
echo "" echo ""
echo "Configs: redbear-full, redbear-minimal, redbear-live-full, redbear-live-minimal" echo "Configs: redbear-full, redbear-mini, redbear-grub"
echo "Default config: redbear-full" echo "Default config: redbear-full"
} }
@@ -91,6 +93,10 @@ while [[ $# -gt 0 ]]; do
FORCE_FETCH=1 FORCE_FETCH=1
shift shift
;; ;;
--upstream)
ALLOW_UPSTREAM=1
shift
;;
--help|-h) --help|-h)
usage usage
exit 0 exit 0
@@ -481,7 +487,7 @@ case "$ACTION" in
preflight) preflight)
build_repo build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do for cfg in redbear-full redbear-mini redbear-grub; do
preflight_scan "$cfg" || true preflight_scan "$cfg" || true
done done
else else
@@ -491,7 +497,7 @@ case "$ACTION" in
list) list)
build_repo build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do for cfg in redbear-full redbear-mini redbear-grub; do
list_for_config "$cfg" 2>/dev/null || true list_for_config "$cfg" 2>/dev/null || true
done done
else else
@@ -501,12 +507,19 @@ case "$ACTION" in
fetch) fetch)
build_repo build_repo
if [ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]; then
echo "ERROR: fetch-all-sources.sh requires network access." >&2
echo " Pass --upstream or set REDBEAR_ALLOW_UPSTREAM=1 to enable." >&2
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
exit 1
fi
if [ -n "$SINGLE_RECIPE" ]; then if [ -n "$SINGLE_RECIPE" ]; then
fetch_single_recipe "$SINGLE_RECIPE" fetch_single_recipe "$SINGLE_RECIPE"
elif [ "$ALL_CONFIGS" -eq 1 ]; then elif [ "$ALL_CONFIGS" -eq 1 ]; then
echo "==> Fetching sources for ALL configs" echo "==> Fetching sources for ALL configs"
echo " This ensures every recipe needed by any config is downloaded." echo " This ensures every recipe needed by any config is downloaded."
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do for cfg in redbear-full redbear-mini redbear-grub; do
fetch_for_config "$cfg" 2>/dev/null || { fetch_for_config "$cfg" 2>/dev/null || {
echo " WARNING: failed to fetch for $cfg (some recipes may not exist)" echo " WARNING: failed to fetch for $cfg (some recipes may not exist)"
echo "" echo ""
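Review bot: `ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"` in the first hunk seeds the flag from an environment variable the help text never mentions, so `ALLOW_UPSTREAM=1` in the environment is an undocumented second bypass alongside `--upstream` and `REDBEAR_ALLOW_UPSTREAM`; initialise it as `ALLOW_UPSTREAM=0` and let only the option set it. In the `fetch)` gate, `[ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]` is an integer comparison, so a value such as `yes` makes `[` fail with "integer expression expected", the `&&` chain evaluates false, and the error branch is skipped — a malformed value allows the fetch. String comparison keeps the deny decision independent of parsing: `if [ "$ALLOW_UPSTREAM" != "1" ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then`. The gate covers only the `fetch` action; if `preflight` or `list` can reach the network through the `repo` binary (not visible here), they need the same check.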
+36 -10
@@ -1,10 +1,12 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable. # patch-inclusion-gate.sh — block image creation unless Red Bear patches are wired.
#
# Verifies that:
# 1. Every patch file referenced in recipe.toml exists on disk
# 2. Every patch file in local/patches/ is wired into at least one recipe
# #
# Public scripts that create harddrive images or live ISOs must call this before # Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still # invoking `make all`, `make live`, or a direct image target.
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
set -euo pipefail set -euo pipefail
@@ -18,12 +20,36 @@ if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
exit 0 exit 0
fi fi
ledger_gate="local/scripts/classify-patches-ledger.py" errors=0
if [ ! -x "$ledger_gate" ]; then
echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2 # Check 1: every patch referenced in recipe.toml must exist on disk
while IFS= read -r recipe_toml; do
recipe_dir="$(dirname "$recipe_toml")"
patch_list=$(grep -oP 'patches\s*=\s*\[([^\]]*)\]' "$recipe_toml" 2>/dev/null | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)
for patch_name in $patch_list; do
patch_path="$recipe_dir/$patch_name"
if [ ! -f "$patch_path" ]; then
echo "ERROR: $recipe_toml references '$patch_name' but file not found at $patch_path" >&2
errors=$((errors + 1))
fi
done
done < <(find recipes local/recipes -name "recipe.toml" -not -path "*/source/*" 2>/dev/null)
# Check 2: every patch in local/patches/ should be wired into at least one recipe
while IFS= read -r patch_file; do
patch_name=$(basename "$patch_file")
component=$(basename "$(dirname "$patch_file")")
wired=$(grep -rl "\"$patch_name\"" recipes/ local/recipes/ --include="recipe.toml" 2>/dev/null | head -1 || true)
if [ -z "$wired" ]; then
echo "WARNING: local/patches/$component/$patch_name is not wired into any recipe.toml" >&2
fi
done < <(find local/patches -name "*.patch" -type f 2>/dev/null)
if [ "$errors" -gt 0 ]; then
echo "ERROR: $errors patch reference(s) broken. Fix before building." >&2
exit 1 exit 1
fi fi
echo ">>> Verifying Red Bear patch inclusion before image creation" echo ">>> Patch inclusion gate passed"
python3 local/scripts/ensure-patches-wired.py
python3 "$ledger_gate" --strict
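Review bot: Check 2 only prints a WARNING and never touches `errors`, so a patch under local/patches/ that no recipe.toml references passes the gate, although the header says the script blocks image creation unless patches are wired; add `errors=$((errors + 1))` after that echo (and call it ERROR) or the gate is advisory for exactly the case it was written for. Check 1 is line-based: `grep -oP 'patches\s*=\s*\[([^\]]*)\]'` only matches an array closed on the same line, so a multi-line `patches = [` block yields an empty `patch_list` and the recipe is silently skipped; flatten the file first, e.g. `patch_list=$(tr '\n' ' ' < "$recipe_toml" | grep -oP 'patches\s*=\s*\[[^\]]*\]' | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)`. Both defects make the gate fail open. `patch_path="$recipe_dir/$patch_name"` also assumes patch entries are relative to the recipe directory — confirm that against how the cookbook resolves them.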
+1 -1
@@ -29,7 +29,7 @@ Examples:
$(basename "$0") # Run existing image $(basename "$0") # Run existing image
$(basename "$0") --build # Build + run $(basename "$0") --build # Build + run
$(basename "$0") --build --upstream # Build + run with upstream source refresh enabled $(basename "$0") --build --upstream # Build + run with upstream source refresh enabled
$(basename "$0") -b -c redbear-minimal # Build minimal + run $(basename "$0") -b -c redbear-mini # Build mini + run
$(basename "$0") -- QEMUFLAGS="-m 8G" # Run with 8G RAM $(basename "$0") -- QEMUFLAGS="-m 8G" # Run with 8G RAM
$(basename "$0") -b -- serial=yes # Build + run with serial console $(basename "$0") -b -- serial=yes # Build + run with serial console
$(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM $(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM
+26 -7
@@ -1,9 +1,28 @@
#!/bin/bash #!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
case ":${PATH}:" in PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
*":$HOME/.cargo/bin:"*) ;; IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-full/harddrive.img}"
*) export PATH="$HOME/.cargo/bin:$PATH" ;; BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
esac RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/rbos/build/x86_64/redbear-full.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-full' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-device virtio-gpu-pci \
-enable-kvm \
-serial mon:stdio
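Review bot: `-enable-kvm` remains unconditional, so on a host without an accessible `/dev/kvm` the new image and firmware pre-flight checks pass and QEMU then exits with its own error, unlike the two cases that now get a clear message. A check in the same style completes the error handling: `if [ ! -w /dev/kvm ]; then echo "ERROR: /dev/kvm not accessible; KVM is required by -enable-kvm" >&2; exit 1; fi`. The default image also moved from `redbear-full.iso` to `redbear-full/harddrive.img`, while the commit message describes this change as only un-hardcoding paths; confirm the new default is the artifact the suggested `make all` invocation actually produces, since the error hint depends on it.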
+24 -7
@@ -1,9 +1,26 @@
#!/bin/bash #!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
case ":${PATH}:" in PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
*":$HOME/.cargo/bin:"*) ;; IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-mini/harddrive.img}"
*) export PATH="$HOME/.cargo/bin:$PATH" ;; BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
esac RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/RedBear-OS/build/x86_64/redbear-mini.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-mini' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-serial mon:stdio
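Review bot: The rewritten QEMU command drops `-enable-kvm` and `-device virtio-gpu-pci`, both present in the removed one-liner and both kept by run_full.sh in this same commit, while the commit message lists only path and error-handling fixes for this script. Without KVM the mini image runs under TCG, and without the virtio GPU QEMU falls back to its default display device, so if this is deliberate (console-only mini profile) add a comment above the `exec` saying so; otherwise restore the two flags to match run_full.sh.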
+24 -128
@@ -58,134 +58,30 @@ pub(crate) fn cleanup_workspace_pollution(recipe_dir: &Path, logger: &PtyOut) {
} }
fn redbear_protected_recipe(name: &str) -> bool { fn redbear_protected_recipe(name: &str) -> bool {
matches!( static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> = std::sync::OnceLock::new();
name, let set = PROTECTED.get_or_init(|| {
// Core patched recipes (upstream + Red Bear patches) let mut set = std::collections::HashSet::new();
"relibc" let config_path = std::path::Path::new("config/protected-recipes.toml");
| "bootloader" if let Ok(contents) = std::fs::read_to_string(config_path) {
| "kernel" if let Ok(value) = contents.parse::<toml::Value>() {
| "base" if let Some(table) = value.as_table() {
| "base-initfs" for section in table.values() {
| "installer" if let Some(arr) = section.get("recipes").and_then(|v| v.as_array()) {
| "redoxfs" for item in arr {
| "grub" if let Some(s) = item.as_str() {
// Red Bear custom core recipes set.insert(s.to_string());
| "ext4d" }
| "fatd" }
// Red Bear driver infrastructure }
| "redox-driver-sys" }
| "linux-kpi" }
| "firmware-loader" }
| "redbear-btusb" } else {
| "redbear-iwlwifi" eprintln!("WARNING: config/protected-recipes.toml not found, falling back to empty protected list");
// Red Bear GPU stack }
| "redox-drm" set
| "amdgpu" });
// Red Bear system tools set.contains(name)
| "cub"
| "evdevd"
| "udev-shim"
| "iommu"
| "redbear-firmware"
| "redbear-hwutils"
| "redbear-info"
| "rbos-info"
| "redbear-meta"
| "redbear-netctl"
| "redbear-netctl-console"
| "redbear-netstat"
| "redbear-btctl"
| "redbear-wifictl"
| "redbear-traceroute"
| "redbear-mtr"
| "redbear-nmap"
| "redbear-sessiond"
| "redbear-authd"
| "redbear-session-launch"
| "redbear-greeter"
| "redbear-dbus-services"
| "redbear-notifications"
| "redbear-upower"
| "redbear-udisks"
| "redbear-polkit"
| "redbear-quirks"
// Red Bear branding
| "redbear-release"
// Qt stack with Red Bear patches (must not be re-fetched online)
| "qtbase"
| "qtwayland"
| "qtdeclarative"
| "qtbase-compat"
// Graphics / display stack with Red Bear patches
| "libdrm"
| "mesa"
// Wayland / input stack with Red Bear patches
| "libwayland"
| "libevdev"
| "libinput"
// IPC / system libraries with Red Bear patches
| "dbus"
| "glib"
// Red Bear library stubs and custom libs
| "libepoxy-stub"
| "libdisplay-info-stub"
| "lcms2-stub"
| "libxcvt-stub"
| "libudev-stub"
| "zbus"
| "libqrencode"
// Red Bear Wayland
| "qt6-wayland-smoke"
| "smallvil"
| "seatd-redox"
// Red Bear KDE (47 recipes)
| "kf6-extra-cmake-modules"
| "kf6-kcoreaddons"
| "kf6-kwidgetsaddons"
| "kf6-kconfig"
| "kf6-ki18n"
| "kf6-kcodecs"
| "kf6-kguiaddons"
| "kf6-kcolorscheme"
| "kf6-kauth"
| "kf6-kitemmodels"
| "kf6-kitemviews"
| "kf6-karchive"
| "kf6-kwindowsystem"
| "kf6-knotifications"
| "kf6-kjobwidgets"
| "kf6-kconfigwidgets"
| "kf6-kcrash"
| "kf6-kdbusaddons"
| "kf6-kglobalaccel"
| "kf6-kservice"
| "kf6-kpackage"
| "kf6-kiconthemes"
| "kf6-kxmlgui"
| "kf6-ktextwidgets"
| "kf6-solid"
| "kf6-sonnet"
| "kf6-kio"
| "kf6-kbookmarks"
| "kf6-kcompletion"
| "kf6-kdeclarative"
| "kf6-kcmutils"
| "kf6-kidletime"
| "kf6-kwayland"
| "kf6-knewstuff"
| "kf6-kwallet"
| "kf6-prison"
| "kf6-kirigami"
| "kdecoration"
| "kwin"
| "plasma-desktop"
| "plasma-workspace"
| "plasma-framework"
| "plasma-wayland-protocols"
| "kirigami"
// Orbutils (has local patch)
| "orbutils"
)
} }
fn redbear_allow_protected_fetch() -> bool { fn redbear_allow_protected_fetch() -> bool {
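Review bot: The protected-recipe set fails open: a missing `config/protected-recipes.toml` yields a warning and an empty set, and a file that exists but does not parse (the inner `if let Ok(value)` falling through) yields an empty set with no message at all, so every protected recipe becomes re-fetchable from upstream — the outcome this list exists to prevent. Both conditions should abort the build with the path and the underlying error (panic or whatever cook uses for unrecoverable configuration errors) rather than continue; the `else` fallback should not be a reachable state in a correct checkout. The path is resolved against the working directory, so the error text should tell the user to run from the repository root, or the location should be derived from a known anchor. The rewrite below fails closed and flattens the six nested `if let`s into one iterator chain; a `///` doc comment stating that membership means "never re-fetched from upstream" would also help the next reader.
```rust
fn redbear_protected_recipe(name: &str) -> bool {
    static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> = std::sync::OnceLock::new();
    let set = PROTECTED.get_or_init(|| {
        // Resolved against the working directory: cook is expected to run from the repository root.
        let config_path = std::path::Path::new("config/protected-recipes.toml");
        // Fail closed: an unreadable or unparsable list must not silently unprotect recipes.
        let contents = std::fs::read_to_string(config_path).unwrap_or_else(|e| {
            panic!("cannot read {} ({e}); run cook from the repository root", config_path.display())
        });
        let value: toml::Value = contents
            .parse()
            .unwrap_or_else(|e| panic!("cannot parse {}: {e}", config_path.display()));
        value
            .as_table()
            .into_iter()
            .flat_map(|table| table.values())
            .filter_map(|section| section.get("recipes").and_then(|v| v.as_array()))
            .flatten()
            .filter_map(|item| item.as_str().map(str::to_string))
            .collect()
    });
    set.contains(name)
}
```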