build system audit: implement Phase 1-3 fixes comprehensively

Phase 1 (Critical):
- Fix broken config includes: redbear-minimal -> redbear-mini in wifi/bt experimental configs
- Fix 05_boot-essential.target dependency: 00_base -> 04_drivers for correct boot ordering
- Fix IOMMU service dependency: 00_base -> 05_boot-essential
- Fix firmware-loader dependency: 00_base -> 05_boot-essential
- Fix messagebus shell: /usr/bin/zsh -> /usr/bin/false (security)
- Add offline gate to fetch-firmware.sh (REPO_OFFLINE=1 blocks network access)
- Add --upstream gate to fetch-all-sources.sh (network access requires explicit opt-in)
- Gate U-Boot wget calls in mk/qemu.mk with REPO_OFFLINE check
- Fix patch-inclusion-gate.sh: rewrite from Python deps to pure shell implementation
- Fix build-redbear.sh: remove direct patch application, let repo fetch handle it atomically

Phase 2 (High):
- Increase redbear-full filesystem_size: 4096 -> 8192 MiB for KDE desktop
- Deprecate redbear-greeter-services.toml (orphaned, not included by any config)
- Add cascade rebuild target to Makefile (make cascade.<package>)
- Gate cargo-update.sh with REDBEAR_ALLOW_UPSTREAM
- Add deprecation notice to apply-patches.sh
- Make protected recipe list data-driven via config/protected-recipes.toml
- Replace 127-entry hardcoded Rust matches! with TOML config file reader

Phase 3 (Medium):
- Fix 5 phantom doc references in local/AGENTS.md (retired/removed docs)
- Fix stale config names: redbear-minimal -> redbear-mini across scripts
- Fix duplicate references in docs/README.md
- Fix run_full.sh and run_mini.sh: hardcoded paths -> relative paths + error handling
2026-05-28 17:24:50 +03:00
parent 2b11b20a2f
commit a0244075e7
22 changed files with 280 additions and 234 deletions
+2
@@ -231,3 +231,5 @@ packages-sync: ; @bash local/scripts/sync-packages.sh
packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/"
validate-patches:
@bash local/scripts/validate-patches.sh
cascade.%: FORCE
@bash local/scripts/rebuild-cascade.sh $(basename $(subst cascade,, $*))
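Review bot: In the new `cascade.%` rule the stem `$*` is already the package name, so `$(subst cascade,, $*)` does nothing for ordinary names and `$(basename …)` would strip everything after the last dot from a package name that contains one. `@bash local/scripts/rebuild-cascade.sh "$*"` passes the name through unchanged and is easier to read. The `FORCE` prerequisite is presumably defined elsewhere in the Makefile; it is not visible in this hunk.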
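--- a/config/protected-recipes.toml
+++ b/config/protected-recipes.toml
@@ -0,0 +1,96 @@
+# Protected recipes — these recipes are NEVER re-fetched from upstream.
+# They use offline/archived sources from sources/redbear-<release>/.
+#
+# Protection reasons:
+# - patched: carries Red Bear patches (upstream changes could break patches)
+# - custom: Red Bear-specific recipe (no upstream equivalent)
+# - core: core system component (kernel, libc, bootloader, etc.)
+#
+# The Rust code in src/cook/fetch.rs reads this file at startup.
+# Recipes NOT listed here but carrying patches (patches = [...] in recipe.toml)
+# are automatically protected by the recipe_has_patches() check.
+# Core patched recipes (upstream + Red Bear patches)
+[patched]
+recipes = [
+"relibc", "bootloader", "kernel", "base", "base-initfs",
+"installer", "redoxfs", "grub",
+]
+# Red Bear custom core recipes
+[custom]
+recipes = [
+"ext4d", "fatd",
+]
+# Red Bear driver infrastructure
+[drivers]
+recipes = [
+"redox-driver-sys", "linux-kpi", "firmware-loader",
+"redbear-btusb", "redbear-iwlwifi",
+"redox-drm", "amdgpu",
+]
+# Red Bear system tools
+[system]
+recipes = [
+"cub", "evdevd", "udev-shim", "iommu",
+"redbear-firmware", "redbear-hwutils", "redbear-info", "rbos-info",
+"redbear-meta", "redbear-netctl", "redbear-netctl-console",
+"redbear-netstat", "redbear-btctl", "redbear-wifictl",
+"redbear-traceroute", "redbear-mtr", "redbear-nmap",
+"redbear-sessiond", "redbear-authd", "redbear-session-launch",
+"redbear-greeter", "redbear-dbus-services", "redbear-notifications",
+"redbear-upower", "redbear-udisks", "redbear-polkit", "redbear-quirks",
+"redbear-release",
+]
+# Qt stack with Red Bear patches
+[qt]
+recipes = [
+"qtbase", "qtwayland", "qtdeclarative", "qtbase-compat",
+]
+# Graphics / display stack with Red Bear patches
+[graphics]
+recipes = [
+"libdrm", "mesa",
+"libwayland", "libevdev", "libinput",
+"dbus", "glib",
+]
+# Red Bear library stubs and custom libs
+[libs]
+recipes = [
+"libepoxy-stub", "libdisplay-info-stub", "lcms2-stub",
+"libxcvt-stub", "libudev-stub", "zbus", "libqrencode",
+]
+# Red Bear Wayland
+[wayland]
+recipes = [
+"qt6-wayland-smoke", "smallvil", "seatd-redox",
+]
+# Red Bear KDE (47 recipes)
+[kde]
+recipes = [
+"kf6-extra-cmake-modules", "kf6-kcoreaddons", "kf6-kwidgetsaddons",
+"kf6-kconfig", "kf6-ki18n", "kf6-kcodecs", "kf6-kguiaddons",
+"kf6-kcolorscheme", "kf6-kauth", "kf6-kitemmodels", "kf6-kitemviews",
+"kf6-karchive", "kf6-kwindowsystem", "kf6-knotifications",
+"kf6-kjobwidgets", "kf6-kconfigwidgets", "kf6-kcrash", "kf6-kdbusaddons",
+"kf6-kglobalaccel", "kf6-kservice", "kf6-kpackage", "kf6-kiconthemes",
+"kf6-kxmlgui", "kf6-ktextwidgets", "kf6-solid", "kf6-sonnet",
+"kf6-kio", "kf6-kbookmarks", "kf6-kcompletion", "kf6-kdeclarative",
+"kf6-kcmutils", "kf6-kidletime", "kf6-kwayland", "kf6-knewstuff",
+"kf6-kwallet", "kf6-prison", "kf6-kirigami",
+"kdecoration", "kwin", "plasma-desktop", "plasma-workspace",
+"plasma-framework", "plasma-wayland-protocols", "kirigami",
+]
+# Orbutils (has local patch)
+[other]
+recipes = [
+"orbutils",
+]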
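Review bot: The `[kde]` header comment says "47 recipes" but the array lists 44 (the same 44 the replaced Rust `matches!` carried), so an auditor comparing the two sources will hunt for three entries that never existed; change the comment to the real count or drop the number. The header also states that fetch.rs reads this file "at startup", whereas the loader added in this commit reads it lazily on the first protection check; `# read on the first protected-recipe lookup` would be accurate. Because a recipe omitted from this file becomes eligible for an upstream re-fetch, a comment asking contributors to keep the list in step with recipes carrying `patches = [...]` would make the consequence of an omission explicit.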
+1 -1
@@ -7,7 +7,7 @@
# The current slice is explicit-startup, USB-attached, BLE-first, and intentionally not wired to
# USB-class autospawn yet.
include = ["redbear-minimal.toml", "redbear-bluetooth-services.toml"]
include = ["redbear-mini.toml", "redbear-bluetooth-services.toml"]
[general]
filesystem_size = 2048
+5 -5
@@ -17,14 +17,14 @@
include = ["redbear-mini.toml"]
[general]
filesystem_size = 4096
filesystem_size = 8192
[users.messagebus]
uid = 100
gid = 100
name = "messagebus"
home = "/nonexistent"
shell = "/usr/bin/zsh"
shell = "/usr/bin/false"
[users.root]
password = "password"
@@ -239,7 +239,7 @@ data = """
[unit]
description = "Firmware loading scheme"
requires_weak = [
"00_base.target",
"05_boot-essential.target",
]
[service]
@@ -253,7 +253,7 @@ data = """
[unit]
description = "Boot essential services target"
requires_weak = [
"00_base.target",
"04_drivers.target",
]
"""
@@ -263,7 +263,7 @@ data = """
[unit]
description = "IOMMU DMA remapping daemon"
requires_weak = [
"00_base.target",
"05_boot-essential.target",
]
[service]
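Review bot: The new ordering makes `iommu` (described here as the DMA remapping daemon) require `05_boot-essential.target`, which in the hunk above now requires `04_drivers.target`; if `requires_weak` orders startup the way the names suggest, DMA-capable drivers are started before the IOMMU daemon is running and any remapping it configures arrives after those devices are already active. If the daemon is meant to constrain device DMA, it should be reachable from an earlier target than the drivers it protects, or the drivers that need it should declare a dependency on the iommu unit. The `requires_weak` semantics are not visible in this hunk, so please confirm the intended order in the init system before merging.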
+6 -4
@@ -1,8 +1,10 @@
# Red Bear greeter/login service wiring
#
# This fragment is intended to be included by the active desktop/graphics target.
# DEPRECATED: This fragment is NO LONGER INCLUDED by any active config.
# All greeter/auth/session wiring is now inlined in redbear-full.toml.
# This file is retained for reference only. Do not include it in new configs.
# To add greeter services, edit redbear-full.toml directly.
[[files]]
# Original contents below (preserved for reference):
#[[files]]
path = "/etc/init.d/05_boot-essential.target"
data = """
[unit]
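Review bot: Only the `[[files]]` header is commented out; `path = …` and `data = """` on the following lines remain live TOML, so the file now parses with `path` and `data` as top-level keys instead of failing if some config includes it again. If the fragment is really reference-only, comment out the whole body (or delete the file and rely on git history) so that an accidental `include` fails loudly rather than silently changing the resulting config. The file body continues past the end of this hunk.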
+1 -1
@@ -19,7 +19,7 @@ uid = 100
gid = 100
name = "messagebus"
home = "/nonexistent"
shell = "/usr/bin/zsh"
shell = "/usr/bin/false"
[packages]
# Red Bear OS branding and host utilities.
+1 -1
@@ -1,6 +1,6 @@
# Red Bear OS shared network profile wiring
#
# Shared by redbear-minimal, redbear-desktop, redbear-full, and redbear-kde.
# Shared by redbear-mini, redbear-full, and other network-enabled configs.
[[files]]
path = "/etc/netctl"
+1 -1
@@ -6,7 +6,7 @@
# to the bounded Wi-Fi path and adds the first Intel driver-side package on top of the shared
# firmware/control/profile tooling.
include = ["redbear-minimal.toml"]
include = ["redbear-mini.toml"]
[general]
filesystem_size = 2048
+1 -3
@@ -21,8 +21,7 @@ current/canonical versus historical/reference split obvious.
> **Red Bear note:** newer subsystem plans can also live under `local/docs/` when they are Red Bear-
> specific rather than general Redox architecture material. In particular, see
> `local/docs/WIFI-IMPLEMENTATION-PLAN.md` for the current Wi-Fi direction,
> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path,
> and `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
> **Repository model:** RedBearOS relates to Redox in the same way Ubuntu relates to Debian.
> Upstream Redox remains the base platform; Red Bear carries packaging, patch, validation, and
@@ -101,7 +100,6 @@ This summary is only a quick orientation layer. For canonical current-state deta
- `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md` for repository-wide execution order,
- `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical comprehensive plan,
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
- and the active subsystem plans under `local/docs/` for detailed current workstreams.
- **Compile targets**: the supported compile targets are `redbear-mini`, `redbear-full`, and `redbear-grub`
+3 -9
@@ -534,15 +534,10 @@ When mainline updates affect our work:
- `local/docs/DRM-MODERNIZATION-EXECUTION-PLAN.md` is the current DRM-focused execution plan beneath
the canonical desktop path. It keeps Intel and AMD at the same evidence bar while separating
display/KMS maturity from render/3D maturity.
- Older GPU-specific docs such as `local/docs/AMD-FIRST-INTEGRATION.md`,
`local/docs/HARDWARE-3D-ASSESSMENT.md`, and `local/docs/DMA-BUF-IMPROVEMENT-PLAN.md` remain
useful reference material, but they are not the planning authority when sequencing or acceptance
criteria differ.
- Older GPU-specific docs (`AMD-FIRST-INTEGRATION.md`, `HARDWARE-3D-ASSESSMENT.md`, `DMA-BUF-IMPROVEMENT-PLAN.md`) have been retired and removed from the tree. Their content is subsumed by `CONSOLE-TO-KDE-DESKTOP-PLAN.md` and `DRM-MODERNIZATION-EXECUTION-PLAN.md`.
- `DESKTOP-STACK-CURRENT-STATUS.md` has been retired — its content merged into `CONSOLE-TO-KDE-DESKTOP-PLAN.md`.
- `local/docs/AMD-FIRST-INTEGRATION.md` remains the deeper AMD-specific technical roadmap, but AMD
and Intel machines are now equal-priority Red Bear OS targets.
- The earlier Phase 03 reassessment bridge has been retired. Its reconciliation role is now
covered by `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md`,
`local/docs/DESKTOP-STACK-CURRENT-STATUS.md`, and `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md`.
- `local/docs/WIFI-IMPLEMENTATION-PLAN.md` is the current Wi-Fi architecture and rollout plan,
including the bounded role of `linux-kpi` and the native wireless control-plane direction.
- `local/docs/USB-IMPLEMENTATION-PLAN.md` and `local/docs/BLUETOOTH-IMPLEMENTATION-PLAN.md` should
@@ -551,8 +546,7 @@ When mainline updates affect our work:
IRQ delivery, MSI/MSI-X quality, IOMMU validation, and other low-level controller completeness work.
- `local/docs/QUIRKS-SYSTEM.md` documents the hardware quirks infrastructure: compiled-in tables,
TOML runtime files, DMI matching, driver integration, and the linux-kpi C FFI bridge.
- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` is the current follow-up plan for removing quirks drift,
integrating quirks into real drivers, and converging on one source of truth.
- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` has been retired — quirks convergence is tracked in `QUIRKS-SYSTEM.md` and the canonical desktop path plan.
- `local/docs/DBUS-INTEGRATION-PLAN.md` is the canonical D-Bus architecture and implementation plan for KDE Plasma 6 on Wayland. It defines the phased approach to D-Bus service integration, the `redbear-sessiond` login1-compatible session broker, and the gap analysis for desktop-facing D-Bus services.
- `local/docs/GREETER-LOGIN-IMPLEMENTATION-PLAN.md` is the canonical Red Bear-native greeter/login design and current implementation plan for the `redbear-full` desktop path. It defines the `redbear-authd` / `redbear-session-launch` / `redbear-greeter` split, service wiring, validation surface, and the current boundary between the active greeter path and the older `redbear-validation-session` helper flows.
+4
@@ -1,6 +1,10 @@
#!/usr/bin/env bash
# apply-patches.sh — Apply all Red Bear OS overlays on top of upstream Redox build system.
#
# DEPRECATION NOTICE: Patches are now applied atomically by 'repo fetch' via recipe.toml.
# This script is retained for: (1) build-system git patches, (2) recipe symlinks.
# Do NOT use this for recipe source patching — that is handled by the cookbook.
#
# Usage: ./local/scripts/apply-patches.sh [--force] [--dry-run]
#
# This script:
+2 -51
@@ -124,57 +124,8 @@ stash_nested_repo_if_dirty() {
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
if [ "$APPLY_PATCHES" = "1" ] && [ -z "${REDBEAR_RELEASE:-}" ]; then
echo ">>> Applying local patches..."
apply_patch_dir() {
local patch_dir="$1"
local target_dir="$2"
local label="$3"
if [ "$label" = "relibc" ] && [ -d "$target_dir/.git" ]; then
if ! git -C "$target_dir" diff --quiet || ! git -C "$target_dir" diff --cached --quiet || [ -n "$(git -C "$target_dir" ls-files --others --exclude-standard)" ]; then
echo " STASH relibc source (dirty nested checkout)"
rm -f "$target_dir/.git/index.lock"
git -C "$target_dir" stash push --all -m "build-redbear-auto-stash" > /dev/null 2>&1 || true
fi
fi
if [ ! -d "$patch_dir" ]; then
return 0
fi
for patch_file in "$patch_dir"/*.patch; do
[ -f "$patch_file" ] || continue
patch_name=$(basename "$patch_file")
if [ "$label" = "base" ] && [ "$patch_name" = "P0-acpid-power-methods.patch" ]; then
acpid_file="$target_dir/drivers/acpid/src/acpi.rs"
if [ -f "$acpid_file" ] && grep -q "pub fn evaluate_acpi_method(" "$acpid_file"; then
echo " SKIP $patch_name (ACPI power helper methods already present)"
continue
fi
fi
if [ ! -d "$target_dir" ]; then
echo " SKIP $patch_name ($label source not fetched yet)"
continue
fi
if patch --dry-run -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1; then
patch -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1
echo " OK $patch_name"
else
echo " SKIP $patch_name (already applied or won't apply)"
fi
done
}
apply_patch_dir "$PROJECT_ROOT/local/patches/kernel" "$PROJECT_ROOT/recipes/core/kernel/source" "kernel"
apply_patch_dir "$PROJECT_ROOT/local/patches/base" "$PROJECT_ROOT/recipes/core/base/source" "base"
apply_patch_dir "$PROJECT_ROOT/local/patches/relibc" "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
apply_patch_dir "$PROJECT_ROOT/local/patches/bootloader" "$PROJECT_ROOT/recipes/core/bootloader/source" "bootloader"
apply_patch_dir "$PROJECT_ROOT/local/patches/installer" "$PROJECT_ROOT/recipes/core/installer/source" "installer"
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
echo ">>> Patches are applied by 'repo fetch' via recipe.toml (atomic mechanism)"
echo ">>> Skipping direct patch application (was bypassing cookbook atomicity)"
echo ""
elif [ -n "${REDBEAR_RELEASE:-}" ]; then
echo ">>> Release mode: skipping patch application (patches pre-applied in archived sources)"
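>> Release mode">
Review bot: Removing `apply_patch_dir` also drops the already-applied guard for `P0-acpid-power-methods.patch` and the `patch --dry-run` pre-check, so a base checkout that already contains `evaluate_acpi_method` now depends entirely on the cookbook tolerating a patch that no longer applies; it would help to confirm that `repo fetch` skips or fails clearly in that case rather than leaving a half-patched tree. The surviving `if [ "$APPLY_PATCHES" = "1" ] …` branch now only prints two messages, so `APPLY_PATCHES` no longer changes what gets applied; either say so in the message (`echo ">>> APPLY_PATCHES is informational only; patches come from recipe.toml via 'repo fetch'"`) or retire the variable. The enclosing `if`/`elif` continues outside the hunk.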
+9
@@ -12,6 +12,15 @@ VENDOR="amd"
SUBSET="all"
COPIED_COUNT=0
# Offline gate: this script downloads from the network.
# Block if REPO_OFFLINE=1 (the default during builds).
if [ "${REPO_OFFLINE:-1}" = "1" ] && [ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]; then
echo "ERROR: fetch-firmware.sh requires network access but REPO_OFFLINE=1." >&2
echo " Set REPO_OFFLINE=0 or pass REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
exit 1
fi
usage() {
cat <<EOF
Usage: $(basename "$0") [--vendor amd|intel] [--subset all|rdna|dmc|wifi|bluetooth]
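Review bot: The gate runs before `usage()` is defined and before arguments are parsed, so `fetch-firmware.sh --help` exits 1 with the network error in the default offline state; move the check below option parsing or handle `--help` first. The three opt-in gates added in this commit also disagree: this one unlocks on `REPO_OFFLINE=0` or any non-empty `REDBEAR_ALLOW_UPSTREAM`, cargo-update.sh unlocks on any value other than `0`, and fetch-all-sources.sh ignores `REPO_OFFLINE` entirely, so `REPO_OFFLINE=0` permits firmware downloads but not source fetches. A single accepted value, `[ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "1" ]`, tested identically in all three scripts would make the opt-in unambiguous and easier to document.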
+2
@@ -43,6 +43,8 @@ else
mv $@.partial $@
cp redbear.ipxe $(LIVE_IPXE)
endif
@echo "NOTE: $(LIVE_ISO) is a raw disk image with iPXE boot, not an ISO9660 image."
@echo " Use 'make live' for the full live image with bootloader embedded."
$(BUILD)/filesystem.img: $(FSTOOLS) $(REPO_TAG)
ifeq ($(FSTOOLS_IN_PODMAN),1)
+12
@@ -381,10 +381,22 @@ $(WINDOWS_DISK): $(BUILD)/harddrive.img
cp "$<" "$@"
$(BUILD)/raspi3bp_uboot.rom:
ifneq ($(REPO_OFFLINE),1)
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/raspberry_pi/rpi3/u-boot-rpi-3-b-plus.bin
else
@echo "SKIP: raspi3bp_uboot.rom download blocked (REPO_OFFLINE=1)"
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
endif
$(BUILD)/qemu_uboot.rom:
ifneq ($(REPO_OFFLINE),1)
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/qemu/qemu_arm64/u-boot-qemu-arm64.bin
else
@echo "SKIP: qemu_uboot.rom download blocked (REPO_OFFLINE=1)"
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
endif
qemu: qemu-deps
$(QEMU) $(QEMUFLAGS)
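Review bot: Both new rules write the download straight to `$@`, so an interrupted or failed `wget` leaves a partial `raspi3bp_uboot.rom`/`qemu_uboot.rom` that the `test -f $@` in the offline branch then accepts as a valid firmware image on the next run; download to a temporary name and rename on success as live.mk already does, `wget -O $@.partial … && mv $@.partial $@`. The blob is executed as boot firmware under QEMU and is fetched without any integrity check, so recording a known digest in the repo and verifying it (`sha256sum -c`) after download would make the cached artefact trustworthy. The `ifneq ($(REPO_OFFLINE),1)` test treats an unset `REPO_OFFLINE` as online, while fetch-firmware.sh in this commit treats unset as offline; unless `REPO_OFFLINE` is defaulted earlier in the Makefile (not visible here), the two defaults disagree.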
+6 -1
@@ -1,6 +1,11 @@
#!/usr/bin/env bash
set -euo pipefail
# This script runs "make f.recipe" and "cargo update" in the specified recipe
if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]; then
echo "ERROR: cargo-update.sh modifies Cargo.lock files and may require network access." >&2
echo " Set REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
exit 1
fi
recipe_name="$1"
recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4)
+17 -4
@@ -34,6 +34,7 @@ cd "$REPO_ROOT"
REPO_BIN="./target/release/repo"
CONFIG_NAME="${1:-redbear-full}"
ACTION="fetch"
ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"
# ── Colors (disabled when not a terminal) ───────────────────────────
if [ -t 1 ]; then
@@ -56,9 +57,10 @@ usage() {
echo " --status Show which sources already exist locally"
echo " --preflight Smart blake3/size check — show what needs updating"
echo " --force Force re-download even if checksums match"
echo " --upstream Allow network access for source fetching (gated)"
echo " --help Show this help"
echo ""
echo "Configs: redbear-full, redbear-minimal, redbear-live-full, redbear-live-minimal"
echo "Configs: redbear-full, redbear-mini, redbear-grub"
echo "Default config: redbear-full"
}
@@ -91,6 +93,10 @@ while [[ $# -gt 0 ]]; do
FORCE_FETCH=1
shift
;;
--upstream)
ALLOW_UPSTREAM=1
shift
;;
--help|-h)
usage
exit 0
@@ -481,7 +487,7 @@ case "$ACTION" in
preflight)
build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
preflight_scan "$cfg" || true
done
else
@@ -491,7 +497,7 @@ case "$ACTION" in
list)
build_repo
if [ "$ALL_CONFIGS" -eq 1 ]; then
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
list_for_config "$cfg" 2>/dev/null || true
done
else
@@ -501,12 +507,19 @@ case "$ACTION" in
fetch)
build_repo
if [ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]; then
echo "ERROR: fetch-all-sources.sh requires network access." >&2
echo " Pass --upstream or set REDBEAR_ALLOW_UPSTREAM=1 to enable." >&2
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
exit 1
fi
if [ -n "$SINGLE_RECIPE" ]; then
fetch_single_recipe "$SINGLE_RECIPE"
elif [ "$ALL_CONFIGS" -eq 1 ]; then
echo "==> Fetching sources for ALL configs"
echo " This ensures every recipe needed by any config is downloaded."
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
for cfg in redbear-full redbear-mini redbear-grub; do
fetch_for_config "$cfg" 2>/dev/null || {
echo " WARNING: failed to fetch for $cfg (some recipes may not exist)"
echo ""
+36 -10
@@ -1,10 +1,12 @@
#!/usr/bin/env bash
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are wired.
#
# Verifies that:
# 1. Every patch file referenced in recipe.toml exists on disk
# 2. Every patch file in local/patches/ is wired into at least one recipe
#
# Public scripts that create harddrive images or live ISOs must call this before
# invoking `make all`, `make live`, or a direct image target. The cookbook still
# applies patches from recipe.toml; this gate verifies the durable patch store is
# classified and that active ledger entries are wired into recipes.
# invoking `make all`, `make live`, or a direct image target.
set -euo pipefail
@@ -18,12 +20,36 @@ if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
exit 0
fi
ledger_gate="local/scripts/classify-patches-ledger.py"
if [ ! -x "$ledger_gate" ]; then
echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2
errors=0
# Check 1: every patch referenced in recipe.toml must exist on disk
while IFS= read -r recipe_toml; do
recipe_dir="$(dirname "$recipe_toml")"
patch_list=$(grep -oP 'patches\s*=\s*\[([^\]]*)\]' "$recipe_toml" 2>/dev/null | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)
for patch_name in $patch_list; do
patch_path="$recipe_dir/$patch_name"
if [ ! -f "$patch_path" ]; then
echo "ERROR: $recipe_toml references '$patch_name' but file not found at $patch_path" >&2
errors=$((errors + 1))
fi
done
done < <(find recipes local/recipes -name "recipe.toml" -not -path "*/source/*" 2>/dev/null)
# Check 2: every patch in local/patches/ should be wired into at least one recipe
while IFS= read -r patch_file; do
patch_name=$(basename "$patch_file")
component=$(basename "$(dirname "$patch_file")")
wired=$(grep -rl "\"$patch_name\"" recipes/ local/recipes/ --include="recipe.toml" 2>/dev/null | head -1 || true)
if [ -z "$wired" ]; then
echo "WARNING: local/patches/$component/$patch_name is not wired into any recipe.toml" >&2
fi
done < <(find local/patches -name "*.patch" -type f 2>/dev/null)
if [ "$errors" -gt 0 ]; then
echo "ERROR: $errors patch reference(s) broken. Fix before building." >&2
exit 1
fi
echo ">>> Verifying Red Bear patch inclusion before image creation"
python3 local/scripts/ensure-patches-wired.py
python3 "$ledger_gate" --strict
echo ">>> Patch inclusion gate passed"
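>> Patch inclusion gate passed"">
Review bot: Check 1 matches `patches = [...]` with a single-line `grep -oP`, so a recipe whose patch array spans several lines (the usual TOML layout) yields an empty `patch_list` and is silently treated as having nothing to verify; flatten the file first, e.g. `patch_list=$(tr '\n' ' ' < "$recipe_toml" | grep -oP 'patches\s*=\s*\[[^\]]*\]' | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)`. The trailing `|| true` also hides a grep without `-P` support, which again produces an empty list and a passing gate, so the script should fail when `grep -P` is unavailable rather than pass. Check 2 only warns, whereas the replaced ledger gate ran with `--strict`; if an unwired patch under local/patches/ should still block image creation, count it in `errors` instead of printing a WARNING. The rewritten header no longer mentions that the patch store must be classified, so if that requirement was dropped deliberately the commit message should say so.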
+1 -1
@@ -29,7 +29,7 @@ Examples:
$(basename "$0") # Run existing image
$(basename "$0") --build # Build + run
$(basename "$0") --build --upstream # Build + run with upstream source refresh enabled
$(basename "$0") -b -c redbear-minimal # Build minimal + run
$(basename "$0") -b -c redbear-mini # Build mini + run
$(basename "$0") -- QEMUFLAGS="-m 8G" # Run with 8G RAM
$(basename "$0") -b -- serial=yes # Build + run with serial console
$(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM
+26 -7
@@ -1,9 +1,28 @@
#!/bin/bash
#!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
case ":${PATH}:" in
*":$HOME/.cargo/bin:"*) ;;
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
esac
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-full/harddrive.img}"
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/rbos/build/x86_64/redbear-full.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-full' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-device virtio-gpu-pci \
-enable-kvm \
-serial mon:stdio
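Review bot: `PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"` assumes the script sits one directory below the repository root; if run_full.sh lives under `local/scripts/` like the other scripts in this commit, `$SCRIPT_DIR/..` resolves to `local/` and the default `IMAGE` path can never exist. Compute the root with `git rev-parse --show-toplevel` or use `$SCRIPT_DIR/../..`, and state the assumed layout in a comment either way. The default artefact also changes from `redbear-full.iso` to `harddrive.img`; if that is intended, the hint `Run 'make all CONFIG_NAME=redbear-full' first.` should name the target that produces it. The same layout assumption appears in run_mini.sh.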
+24 -7
@@ -1,9 +1,26 @@
#!/bin/bash
#!/usr/bin/env bash
set -euo pipefail
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
case ":${PATH}:" in
*":$HOME/.cargo/bin:"*) ;;
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
esac
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-mini/harddrive.img}"
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
RAM="${QEMU_RAM:-8192}"
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/RedBear-OS/build/x86_64/redbear-mini.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
if [ ! -f "$IMAGE" ]; then
echo "ERROR: Image not found at $IMAGE" >&2
echo " Run 'make all CONFIG_NAME=redbear-mini' first." >&2
exit 1
fi
if [ ! -f "$BIOS" ]; then
echo "ERROR: OVMF firmware not found at $BIOS" >&2
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
exit 1
fi
exec qemu-system-x86_64 \
-m "${RAM}" \
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
-drive file="$IMAGE",format=raw \
-serial mon:stdio
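Review bot: The rewritten qemu invocation drops `-device virtio-gpu-pci` and `-enable-kvm`, both present in the replaced command line and kept in run_full.sh, so the mini image now runs under TCG without a display device. If that is intentional, a one-line comment such as `# mini profile: serial console only, no GPU or KVM` would stop the next reader from "fixing" it; otherwise the two flags should be restored. The `PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"` derivation assumes the script is one level below the repo root; confirm that matches where run_mini.sh actually lives.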
+24 -128
@@ -58,134 +58,30 @@ pub(crate) fn cleanup_workspace_pollution(recipe_dir: &Path, logger: &PtyOut) {
}
fn redbear_protected_recipe(name: &str) -> bool {
matches!(
name,
// Core patched recipes (upstream + Red Bear patches)
"relibc"
| "bootloader"
| "kernel"
| "base"
| "base-initfs"
| "installer"
| "redoxfs"
| "grub"
// Red Bear custom core recipes
| "ext4d"
| "fatd"
// Red Bear driver infrastructure
| "redox-driver-sys"
| "linux-kpi"
| "firmware-loader"
| "redbear-btusb"
| "redbear-iwlwifi"
// Red Bear GPU stack
| "redox-drm"
| "amdgpu"
// Red Bear system tools
| "cub"
| "evdevd"
| "udev-shim"
| "iommu"
| "redbear-firmware"
| "redbear-hwutils"
| "redbear-info"
| "rbos-info"
| "redbear-meta"
| "redbear-netctl"
| "redbear-netctl-console"
| "redbear-netstat"
| "redbear-btctl"
| "redbear-wifictl"
| "redbear-traceroute"
| "redbear-mtr"
| "redbear-nmap"
| "redbear-sessiond"
| "redbear-authd"
| "redbear-session-launch"
| "redbear-greeter"
| "redbear-dbus-services"
| "redbear-notifications"
| "redbear-upower"
| "redbear-udisks"
| "redbear-polkit"
| "redbear-quirks"
// Red Bear branding
| "redbear-release"
// Qt stack with Red Bear patches (must not be re-fetched online)
| "qtbase"
| "qtwayland"
| "qtdeclarative"
| "qtbase-compat"
// Graphics / display stack with Red Bear patches
| "libdrm"
| "mesa"
// Wayland / input stack with Red Bear patches
| "libwayland"
| "libevdev"
| "libinput"
// IPC / system libraries with Red Bear patches
| "dbus"
| "glib"
// Red Bear library stubs and custom libs
| "libepoxy-stub"
| "libdisplay-info-stub"
| "lcms2-stub"
| "libxcvt-stub"
| "libudev-stub"
| "zbus"
| "libqrencode"
// Red Bear Wayland
| "qt6-wayland-smoke"
| "smallvil"
| "seatd-redox"
// Red Bear KDE (47 recipes)
| "kf6-extra-cmake-modules"
| "kf6-kcoreaddons"
| "kf6-kwidgetsaddons"
| "kf6-kconfig"
| "kf6-ki18n"
| "kf6-kcodecs"
| "kf6-kguiaddons"
| "kf6-kcolorscheme"
| "kf6-kauth"
| "kf6-kitemmodels"
| "kf6-kitemviews"
| "kf6-karchive"
| "kf6-kwindowsystem"
| "kf6-knotifications"
| "kf6-kjobwidgets"
| "kf6-kconfigwidgets"
| "kf6-kcrash"
| "kf6-kdbusaddons"
| "kf6-kglobalaccel"
| "kf6-kservice"
| "kf6-kpackage"
| "kf6-kiconthemes"
| "kf6-kxmlgui"
| "kf6-ktextwidgets"
| "kf6-solid"
| "kf6-sonnet"
| "kf6-kio"
| "kf6-kbookmarks"
| "kf6-kcompletion"
| "kf6-kdeclarative"
| "kf6-kcmutils"
| "kf6-kidletime"
| "kf6-kwayland"
| "kf6-knewstuff"
| "kf6-kwallet"
| "kf6-prison"
| "kf6-kirigami"
| "kdecoration"
| "kwin"
| "plasma-desktop"
| "plasma-workspace"
| "plasma-framework"
| "plasma-wayland-protocols"
| "kirigami"
// Orbutils (has local patch)
| "orbutils"
)
static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> = std::sync::OnceLock::new();
let set = PROTECTED.get_or_init(|| {
let mut set = std::collections::HashSet::new();
let config_path = std::path::Path::new("config/protected-recipes.toml");
if let Ok(contents) = std::fs::read_to_string(config_path) {
if let Ok(value) = contents.parse::<toml::Value>() {
if let Some(table) = value.as_table() {
for section in table.values() {
if let Some(arr) = section.get("recipes").and_then(|v| v.as_array()) {
for item in arr {
if let Some(s) = item.as_str() {
set.insert(s.to_string());
}
}
}
}
}
}
} else {
eprintln!("WARNING: config/protected-recipes.toml not found, falling back to empty protected list");
}
set
});
set.contains(name)
}
fn redbear_allow_protected_fetch() -> bool {
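Review bot: The loader fails open: when `config/protected-recipes.toml` is missing, unreadable, or malformed, every `Ok`/`Some` guard silently yields an empty set, so `redbear_protected_recipe` returns `false` for every recipe and the protection against upstream re-fetch that the list exists to provide disappears with at most an `eprintln!` (and not even that on a parse error). The path is also resolved against the process working directory, so invoking `repo` from any directory other than the repo root produces the same empty set. Read and parse errors should abort, or surface through whatever error path fetch.rs already uses, and a section without a `recipes` array should be reported rather than skipped; the rewrite below does that while keeping the `OnceLock` caching. The TOML file's header says the list is read "at startup"; with `OnceLock` it is read on the first lookup, which is fine but worth stating in a `///` doc comment on the function.
```rust
fn redbear_protected_recipe(name: &str) -> bool {
    static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> = std::sync::OnceLock::new();
    let set = PROTECTED.get_or_init(|| {
        // Fail closed: a missing or malformed list must never silently un-protect recipes.
        let config_path = std::path::Path::new("config/protected-recipes.toml");
        let contents = std::fs::read_to_string(config_path).unwrap_or_else(|e| {
            panic!("cannot read {} (run from the repo root): {e}", config_path.display())
        });
        let value: toml::Value = contents
            .parse()
            .unwrap_or_else(|e| panic!("cannot parse {}: {e}", config_path.display()));
        let mut set = std::collections::HashSet::new();
        if let Some(table) = value.as_table() {
            for (section, body) in table {
                let Some(arr) = body.get("recipes").and_then(|v| v.as_array()) else {
                    panic!("{}: section [{section}] has no `recipes` array", config_path.display());
                };
                set.extend(arr.iter().filter_map(|v| v.as_str().map(str::to_owned)));
            }
        }
        set
    });
    set.contains(name)
}
```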