build system audit: implement Phase 1-3 fixes comprehensively
Phase 1 (Critical): - Fix broken config includes: redbear-minimal -> redbear-mini in wifi/bt experimental configs - Fix 05_boot-essential.target dependency: 00_base -> 04_drivers for correct boot ordering - Fix IOMMU service dependency: 00_base -> 05_boot-essential - Fix firmware-loader dependency: 00_base -> 05_boot-essential - Fix messagebus shell: /usr/bin/zsh -> /usr/bin/false (security) - Add offline gate to fetch-firmware.sh (REPO_OFFLINE=1 blocks network access) - Add --upstream gate to fetch-all-sources.sh (network access requires explicit opt-in) - Gate U-Boot wget calls in mk/qemu.mk with REPO_OFFLINE check - Fix patch-inclusion-gate.sh: rewrite from Python deps to pure shell implementation - Fix build-redbear.sh: remove direct patch application, let repo fetch handle it atomically Phase 2 (High): - Increase redbear-full filesystem_size: 4096 -> 8192 MiB for KDE desktop - Deprecate redbear-greeter-services.toml (orphaned, not included by any config) - Add cascade rebuild target to Makefile (make cascade.<package>) - Gate cargo-update.sh with REDBEAR_ALLOW_UPSTREAM - Add deprecation notice to apply-patches.sh - Make protected recipe list data-driven via config/protected-recipes.toml - Replace 127-entry hardcoded Rust matches! with TOML config file reader Phase 3 (Medium): - Fix 5 phantom doc references in local/AGENTS.md (retired/removed docs) - Fix stale config names: redbear-minimal -> redbear-mini across scripts - Fix duplicate references in docs/README.md - Fix run_full.sh and run_mini.sh: hardcoded paths -> relative paths + error handling
@@ -231,3 +231,5 @@ packages-sync: ; @bash local/scripts/sync-packages.sh
|
||||
packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/"
|
||||
validate-patches:
|
||||
@bash local/scripts/validate-patches.sh
|
||||
cascade.%: FORCE
|
||||
@bash local/scripts/rebuild-cascade.sh $(basename $(subst cascade,, $*))
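Review bot: The `cascade.%` recipe alters the package name before handing it to the script. `$*` is already the stem (the part after `cascade.`), so `$(subst cascade,, $*)` can only delete the substring `cascade` from inside a package name, and Make's `$(basename …)` strips everything after the last dot. The result is also expanded unquoted into the shell command line. Passing the stem directly and quoted, `@bash local/scripts/rebuild-cascade.sh '$*'`, avoids both; `FORCE` is assumed to be defined outside this hunk.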
|
||||
|
||||
@@ -0,0 +1,96 @@
|
||||
# Protected recipes — these recipes are NEVER re-fetched from upstream.
|
||||
# They use offline/archived sources from sources/redbear-<release>/.
|
||||
#
|
||||
# Protection reasons:
|
||||
# - patched: carries Red Bear patches (upstream changes could break patches)
|
||||
# - custom: Red Bear-specific recipe (no upstream equivalent)
|
||||
# - core: core system component (kernel, libc, bootloader, etc.)
|
||||
#
|
||||
# The Rust code in src/cook/fetch.rs reads this file at startup.
|
||||
# Recipes NOT listed here but carrying patches (patches = [...] in recipe.toml)
|
||||
# are automatically protected by the recipe_has_patches() check.
|
||||
|
||||
# Core patched recipes (upstream + Red Bear patches)
|
||||
[patched]
|
||||
recipes = [
|
||||
"relibc", "bootloader", "kernel", "base", "base-initfs",
|
||||
"installer", "redoxfs", "grub",
|
||||
]
|
||||
|
||||
# Red Bear custom core recipes
|
||||
[custom]
|
||||
recipes = [
|
||||
"ext4d", "fatd",
|
||||
]
|
||||
|
||||
# Red Bear driver infrastructure
|
||||
[drivers]
|
||||
recipes = [
|
||||
"redox-driver-sys", "linux-kpi", "firmware-loader",
|
||||
"redbear-btusb", "redbear-iwlwifi",
|
||||
"redox-drm", "amdgpu",
|
||||
]
|
||||
|
||||
# Red Bear system tools
|
||||
[system]
|
||||
recipes = [
|
||||
"cub", "evdevd", "udev-shim", "iommu",
|
||||
"redbear-firmware", "redbear-hwutils", "redbear-info", "rbos-info",
|
||||
"redbear-meta", "redbear-netctl", "redbear-netctl-console",
|
||||
"redbear-netstat", "redbear-btctl", "redbear-wifictl",
|
||||
"redbear-traceroute", "redbear-mtr", "redbear-nmap",
|
||||
"redbear-sessiond", "redbear-authd", "redbear-session-launch",
|
||||
"redbear-greeter", "redbear-dbus-services", "redbear-notifications",
|
||||
"redbear-upower", "redbear-udisks", "redbear-polkit", "redbear-quirks",
|
||||
"redbear-release",
|
||||
]
|
||||
|
||||
# Qt stack with Red Bear patches
|
||||
[qt]
|
||||
recipes = [
|
||||
"qtbase", "qtwayland", "qtdeclarative", "qtbase-compat",
|
||||
]
|
||||
|
||||
# Graphics / display stack with Red Bear patches
|
||||
[graphics]
|
||||
recipes = [
|
||||
"libdrm", "mesa",
|
||||
"libwayland", "libevdev", "libinput",
|
||||
"dbus", "glib",
|
||||
]
|
||||
|
||||
# Red Bear library stubs and custom libs
|
||||
[libs]
|
||||
recipes = [
|
||||
"libepoxy-stub", "libdisplay-info-stub", "lcms2-stub",
|
||||
"libxcvt-stub", "libudev-stub", "zbus", "libqrencode",
|
||||
]
|
||||
|
||||
# Red Bear Wayland
|
||||
[wayland]
|
||||
recipes = [
|
||||
"qt6-wayland-smoke", "smallvil", "seatd-redox",
|
||||
]
|
||||
|
||||
# Red Bear KDE (47 recipes)
|
||||
[kde]
|
||||
recipes = [
|
||||
"kf6-extra-cmake-modules", "kf6-kcoreaddons", "kf6-kwidgetsaddons",
|
||||
"kf6-kconfig", "kf6-ki18n", "kf6-kcodecs", "kf6-kguiaddons",
|
||||
"kf6-kcolorscheme", "kf6-kauth", "kf6-kitemmodels", "kf6-kitemviews",
|
||||
"kf6-karchive", "kf6-kwindowsystem", "kf6-knotifications",
|
||||
"kf6-kjobwidgets", "kf6-kconfigwidgets", "kf6-kcrash", "kf6-kdbusaddons",
|
||||
"kf6-kglobalaccel", "kf6-kservice", "kf6-kpackage", "kf6-kiconthemes",
|
||||
"kf6-kxmlgui", "kf6-ktextwidgets", "kf6-solid", "kf6-sonnet",
|
||||
"kf6-kio", "kf6-kbookmarks", "kf6-kcompletion", "kf6-kdeclarative",
|
||||
"kf6-kcmutils", "kf6-kidletime", "kf6-kwayland", "kf6-knewstuff",
|
||||
"kf6-kwallet", "kf6-prison", "kf6-kirigami",
|
||||
"kdecoration", "kwin", "plasma-desktop", "plasma-workspace",
|
||||
"plasma-framework", "plasma-wayland-protocols", "kirigami",
|
||||
]
|
||||
|
||||
# Orbutils (has local patch)
|
||||
[other]
|
||||
recipes = [
|
||||
"orbutils",
|
||||
]
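Review bot: The header comment does not describe the file that follows. It lists three protection reasons (`patched`, `custom`, `core`), but the tables are grouped by subsystem (`[drivers]`, `[system]`, `[qt]`, …) and there is no `[core]` table. The reader added in this commit takes the `recipes` array of every table regardless of its name. I would state that in the header, for example `# Table names are for grouping only; every name in any recipes array is protected.` The `[kde]` comment also says 47 recipes while the array lists 44, so either entries are missing or the count should be dropped.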
|
||||
@@ -7,7 +7,7 @@
|
||||
# The current slice is explicit-startup, USB-attached, BLE-first, and intentionally not wired to
|
||||
# USB-class autospawn yet.
|
||||
|
||||
include = ["redbear-minimal.toml", "redbear-bluetooth-services.toml"]
|
||||
include = ["redbear-mini.toml", "redbear-bluetooth-services.toml"]
|
||||
|
||||
[general]
|
||||
filesystem_size = 2048
|
||||
|
||||
@@ -17,14 +17,14 @@
|
||||
include = ["redbear-mini.toml"]
|
||||
|
||||
[general]
|
||||
filesystem_size = 4096
|
||||
filesystem_size = 8192
|
||||
|
||||
[users.messagebus]
|
||||
uid = 100
|
||||
gid = 100
|
||||
name = "messagebus"
|
||||
home = "/nonexistent"
|
||||
shell = "/usr/bin/zsh"
|
||||
shell = "/usr/bin/false"
|
||||
|
||||
[users.root]
|
||||
password = "password"
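Review bot: The context directly below the messagebus change still provisions `[users.root]` with the literal password `password`, and this commit leaves it untouched while labelling the shell change a security fix. If `redbear-full` images are ever shared or run with a reachable login service, that default matters more than the service account's shell. A comment such as `# development default, must be changed before any non-local use`, or a forced change on first boot, would make the intent explicit. Please also confirm that `/usr/bin/false` is installed in the image; the same shell change appears again in the later `@@ -19,7 +19,7 @@` hunk.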
|
||||
@@ -239,7 +239,7 @@ data = """
|
||||
[unit]
|
||||
description = "Firmware loading scheme"
|
||||
requires_weak = [
|
||||
"00_base.target",
|
||||
"05_boot-essential.target",
|
||||
]
|
||||
|
||||
[service]
|
||||
@@ -253,7 +253,7 @@ data = """
|
||||
[unit]
|
||||
description = "Boot essential services target"
|
||||
requires_weak = [
|
||||
"00_base.target",
|
||||
"04_drivers.target",
|
||||
]
|
||||
"""
|
||||
|
||||
@@ -263,7 +263,7 @@ data = """
|
||||
[unit]
|
||||
description = "IOMMU DMA remapping daemon"
|
||||
requires_weak = [
|
||||
"00_base.target",
|
||||
"05_boot-essential.target",
|
||||
]
|
||||
|
||||
[service]
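Review bot: With these three hunks the IOMMU daemon and the firmware-loader scheme both end up ordered after `04_drivers.target`, since they now wait on `05_boot-essential.target`, which in turn waits on drivers. That looks backwards for both. If the daemon is what establishes DMA remapping, DMA-capable drivers would be initialised before any remapping is in place, and drivers that request firmware at probe time would run before the scheme exists. This assumes `requires_weak` implies start ordering, which the hunks do not show. If it does, either hang both services off a target that precedes `04_drivers.target` or add a comment on each unit explaining why starting after drivers is safe.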
|
||||
|
||||
@@ -1,8 +1,10 @@
|
||||
# Red Bear greeter/login service wiring
|
||||
#
|
||||
# This fragment is intended to be included by the active desktop/graphics target.
|
||||
# DEPRECATED: This fragment is NO LONGER INCLUDED by any active config.
|
||||
# All greeter/auth/session wiring is now inlined in redbear-full.toml.
|
||||
# This file is retained for reference only. Do not include it in new configs.
|
||||
# To add greeter services, edit redbear-full.toml directly.
|
||||
|
||||
[[files]]
|
||||
# Original contents below (preserved for reference):
|
||||
#[[files]]
|
||||
path = "/etc/init.d/05_boot-essential.target"
|
||||
data = """
|
||||
[unit]
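Review bot: Only the first `[[files]]` header is commented out, so the `path = …` and `data = """` lines that follow are still live TOML and now parse as root-level keys rather than as a `files` entry. Any further `[[files]]` tables later in the file (outside this hunk) would also stay active if something includes the fragment again. For a file kept "for reference only", comment out the whole body or rename it so that no `include` can pick it up.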
|
||||
|
||||
@@ -19,7 +19,7 @@ uid = 100
|
||||
gid = 100
|
||||
name = "messagebus"
|
||||
home = "/nonexistent"
|
||||
shell = "/usr/bin/zsh"
|
||||
shell = "/usr/bin/false"
|
||||
|
||||
[packages]
|
||||
# Red Bear OS branding and host utilities.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Red Bear OS shared network profile wiring
|
||||
#
|
||||
# Shared by redbear-minimal, redbear-desktop, redbear-full, and redbear-kde.
|
||||
# Shared by redbear-mini, redbear-full, and other network-enabled configs.
|
||||
|
||||
[[files]]
|
||||
path = "/etc/netctl"
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
# to the bounded Wi-Fi path and adds the first Intel driver-side package on top of the shared
|
||||
# firmware/control/profile tooling.
|
||||
|
||||
include = ["redbear-minimal.toml"]
|
||||
include = ["redbear-mini.toml"]
|
||||
|
||||
[general]
|
||||
filesystem_size = 2048
|
||||
|
||||
+1
-3
@@ -21,8 +21,7 @@ current/canonical versus historical/reference split obvious.
|
||||
> **Red Bear note:** newer subsystem plans can also live under `local/docs/` when they are Red Bear-
|
||||
> specific rather than general Redox architecture material. In particular, see
|
||||
> `local/docs/WIFI-IMPLEMENTATION-PLAN.md` for the current Wi-Fi direction,
|
||||
> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path,
|
||||
> and `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
|
||||
> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path.
|
||||
|
||||
> **Repository model:** RedBearOS relates to Redox in the same way Ubuntu relates to Debian.
|
||||
> Upstream Redox remains the base platform; Red Bear carries packaging, patch, validation, and
|
||||
@@ -101,7 +100,6 @@ This summary is only a quick orientation layer. For canonical current-state deta
|
||||
- `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md` for repository-wide execution order,
|
||||
- `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical comprehensive plan,
|
||||
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
|
||||
- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile,
|
||||
- and the active subsystem plans under `local/docs/` for detailed current workstreams.
|
||||
|
||||
- **Compile targets**: the supported compile targets are `redbear-mini`, `redbear-full`, and `redbear-grub`
|
||||
|
||||
+3
-9
@@ -534,15 +534,10 @@ When mainline updates affect our work:
|
||||
- `local/docs/DRM-MODERNIZATION-EXECUTION-PLAN.md` is the current DRM-focused execution plan beneath
|
||||
the canonical desktop path. It keeps Intel and AMD at the same evidence bar while separating
|
||||
display/KMS maturity from render/3D maturity.
|
||||
- Older GPU-specific docs such as `local/docs/AMD-FIRST-INTEGRATION.md`,
|
||||
`local/docs/HARDWARE-3D-ASSESSMENT.md`, and `local/docs/DMA-BUF-IMPROVEMENT-PLAN.md` remain
|
||||
useful reference material, but they are not the planning authority when sequencing or acceptance
|
||||
criteria differ.
|
||||
- Older GPU-specific docs (`AMD-FIRST-INTEGRATION.md`, `HARDWARE-3D-ASSESSMENT.md`, `DMA-BUF-IMPROVEMENT-PLAN.md`) have been retired and removed from the tree. Their content is subsumed by `CONSOLE-TO-KDE-DESKTOP-PLAN.md` and `DRM-MODERNIZATION-EXECUTION-PLAN.md`.
|
||||
- `DESKTOP-STACK-CURRENT-STATUS.md` has been retired — its content merged into `CONSOLE-TO-KDE-DESKTOP-PLAN.md`.
|
||||
- `local/docs/AMD-FIRST-INTEGRATION.md` remains the deeper AMD-specific technical roadmap, but AMD
|
||||
and Intel machines are now equal-priority Red Bear OS targets.
|
||||
- The earlier Phase 0–3 reassessment bridge has been retired. Its reconciliation role is now
|
||||
covered by `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md`,
|
||||
`local/docs/DESKTOP-STACK-CURRENT-STATUS.md`, and `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md`.
|
||||
- `local/docs/WIFI-IMPLEMENTATION-PLAN.md` is the current Wi-Fi architecture and rollout plan,
|
||||
including the bounded role of `linux-kpi` and the native wireless control-plane direction.
|
||||
- `local/docs/USB-IMPLEMENTATION-PLAN.md` and `local/docs/BLUETOOTH-IMPLEMENTATION-PLAN.md` should
|
||||
@@ -551,8 +546,7 @@ When mainline updates affect our work:
|
||||
IRQ delivery, MSI/MSI-X quality, IOMMU validation, and other low-level controller completeness work.
|
||||
- `local/docs/QUIRKS-SYSTEM.md` documents the hardware quirks infrastructure: compiled-in tables,
|
||||
TOML runtime files, DMI matching, driver integration, and the linux-kpi C FFI bridge.
|
||||
- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` is the current follow-up plan for removing quirks drift,
|
||||
integrating quirks into real drivers, and converging on one source of truth.
|
||||
- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` has been retired — quirks convergence is tracked in `QUIRKS-SYSTEM.md` and the canonical desktop path plan.
|
||||
- `local/docs/DBUS-INTEGRATION-PLAN.md` is the canonical D-Bus architecture and implementation plan for KDE Plasma 6 on Wayland. It defines the phased approach to D-Bus service integration, the `redbear-sessiond` login1-compatible session broker, and the gap analysis for desktop-facing D-Bus services.
|
||||
- `local/docs/GREETER-LOGIN-IMPLEMENTATION-PLAN.md` is the canonical Red Bear-native greeter/login design and current implementation plan for the `redbear-full` desktop path. It defines the `redbear-authd` / `redbear-session-launch` / `redbear-greeter` split, service wiring, validation surface, and the current boundary between the active greeter path and the older `redbear-validation-session` helper flows.
|
||||
|
||||
|
||||
@@ -1,6 +1,10 @@
|
||||
#!/usr/bin/env bash
|
||||
# apply-patches.sh — Apply all Red Bear OS overlays on top of upstream Redox build system.
|
||||
#
|
||||
# DEPRECATION NOTICE: Patches are now applied atomically by 'repo fetch' via recipe.toml.
|
||||
# This script is retained for: (1) build-system git patches, (2) recipe symlinks.
|
||||
# Do NOT use this for recipe source patching — that is handled by the cookbook.
|
||||
#
|
||||
# Usage: ./local/scripts/apply-patches.sh [--force] [--dry-run]
|
||||
#
|
||||
# This script:
|
||||
|
||||
@@ -124,57 +124,8 @@ stash_nested_repo_if_dirty() {
|
||||
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
|
||||
|
||||
if [ "$APPLY_PATCHES" = "1" ] && [ -z "${REDBEAR_RELEASE:-}" ]; then
|
||||
echo ">>> Applying local patches..."
|
||||
|
||||
apply_patch_dir() {
|
||||
local patch_dir="$1"
|
||||
local target_dir="$2"
|
||||
local label="$3"
|
||||
|
||||
if [ "$label" = "relibc" ] && [ -d "$target_dir/.git" ]; then
|
||||
if ! git -C "$target_dir" diff --quiet || ! git -C "$target_dir" diff --cached --quiet || [ -n "$(git -C "$target_dir" ls-files --others --exclude-standard)" ]; then
|
||||
echo " STASH relibc source (dirty nested checkout)"
|
||||
rm -f "$target_dir/.git/index.lock"
|
||||
git -C "$target_dir" stash push --all -m "build-redbear-auto-stash" > /dev/null 2>&1 || true
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d "$patch_dir" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
for patch_file in "$patch_dir"/*.patch; do
|
||||
[ -f "$patch_file" ] || continue
|
||||
patch_name=$(basename "$patch_file")
|
||||
|
||||
if [ "$label" = "base" ] && [ "$patch_name" = "P0-acpid-power-methods.patch" ]; then
|
||||
acpid_file="$target_dir/drivers/acpid/src/acpi.rs"
|
||||
if [ -f "$acpid_file" ] && grep -q "pub fn evaluate_acpi_method(" "$acpid_file"; then
|
||||
echo " SKIP $patch_name (ACPI power helper methods already present)"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d "$target_dir" ]; then
|
||||
echo " SKIP $patch_name ($label source not fetched yet)"
|
||||
continue
|
||||
fi
|
||||
if patch --dry-run -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1; then
|
||||
patch -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1
|
||||
echo " OK $patch_name"
|
||||
else
|
||||
echo " SKIP $patch_name (already applied or won't apply)"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
apply_patch_dir "$PROJECT_ROOT/local/patches/kernel" "$PROJECT_ROOT/recipes/core/kernel/source" "kernel"
|
||||
apply_patch_dir "$PROJECT_ROOT/local/patches/base" "$PROJECT_ROOT/recipes/core/base/source" "base"
|
||||
apply_patch_dir "$PROJECT_ROOT/local/patches/relibc" "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
|
||||
apply_patch_dir "$PROJECT_ROOT/local/patches/bootloader" "$PROJECT_ROOT/recipes/core/bootloader/source" "bootloader"
|
||||
apply_patch_dir "$PROJECT_ROOT/local/patches/installer" "$PROJECT_ROOT/recipes/core/installer/source" "installer"
|
||||
|
||||
stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc"
|
||||
echo ">>> Patches are applied by 'repo fetch' via recipe.toml (atomic mechanism)"
|
||||
echo ">>> Skipping direct patch application (was bypassing cookbook atomicity)"
|
||||
echo ""
|
||||
elif [ -n "${REDBEAR_RELEASE:-}" ]; then
|
||||
echo ">>> Release mode: skipping patch application (patches pre-applied in archived sources)"
|
||||
|
||||
@@ -12,6 +12,15 @@ VENDOR="amd"
|
||||
SUBSET="all"
|
||||
COPIED_COUNT=0
|
||||
|
||||
# Offline gate: this script downloads from the network.
|
||||
# Block if REPO_OFFLINE=1 (the default during builds).
|
||||
if [ "${REPO_OFFLINE:-1}" = "1" ] && [ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]; then
|
||||
echo "ERROR: fetch-firmware.sh requires network access but REPO_OFFLINE=1." >&2
|
||||
echo " Set REPO_OFFLINE=0 or pass REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
|
||||
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Usage: $(basename "$0") [--vendor amd|intel] [--subset all|rdna|dmc|wifi|bluetooth]
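Review bot: The override test `[ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]` treats any non-empty value as consent, so `REDBEAR_ALLOW_UPSTREAM=0` lets the download proceed even though the error text tells users to set it to `1`. Compare against the documented value instead: `[ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]`. As far as this hunk shows, the gate also runs before `usage()` is defined and before any argument parsing, so the help text cannot be reached while offline. Moving the check to just before the first network call would fix that.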
|
||||
|
||||
@@ -43,6 +43,8 @@ else
|
||||
mv $@.partial $@
|
||||
cp redbear.ipxe $(LIVE_IPXE)
|
||||
endif
|
||||
@echo "NOTE: $(LIVE_ISO) is a raw disk image with iPXE boot, not an ISO9660 image."
|
||||
@echo " Use 'make live' for the full live image with bootloader embedded."
|
||||
|
||||
$(BUILD)/filesystem.img: $(FSTOOLS) $(REPO_TAG)
|
||||
ifeq ($(FSTOOLS_IN_PODMAN),1)
|
||||
|
||||
+12
@@ -381,10 +381,22 @@ $(WINDOWS_DISK): $(BUILD)/harddrive.img
|
||||
cp "$<" "$@"
|
||||
|
||||
$(BUILD)/raspi3bp_uboot.rom:
|
||||
ifneq ($(REPO_OFFLINE),1)
|
||||
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/raspberry_pi/rpi3/u-boot-rpi-3-b-plus.bin
|
||||
else
|
||||
@echo "SKIP: raspi3bp_uboot.rom download blocked (REPO_OFFLINE=1)"
|
||||
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
|
||||
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
|
||||
endif
|
||||
|
||||
$(BUILD)/qemu_uboot.rom:
|
||||
ifneq ($(REPO_OFFLINE),1)
|
||||
wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/qemu/qemu_arm64/u-boot-qemu-arm64.bin
|
||||
else
|
||||
@echo "SKIP: qemu_uboot.rom download blocked (REPO_OFFLINE=1)"
|
||||
@echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets."
|
||||
test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false)
|
||||
endif
|
||||
|
||||
qemu: qemu-deps
|
||||
$(QEMU) $(QEMUFLAGS)
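Review bot: The offline gate on `$(BUILD)/raspi3bp_uboot.rom` fails open: `ifneq ($(REPO_OFFLINE),1)` takes the download branch whenever `REPO_OFFLINE` is unset, whereas `fetch-firmware.sh` in this commit defaults it to `1`. Unless the variable gets a default elsewhere in the make tree, the two disagree. The download writes straight to the target with `wget -O $@`, so a failed transfer leaves an empty or partial file that satisfies the rule and later passes the offline `test -f $@`. The firmware blob also comes from a moving `main` branch with no checksum. Downloading to `$@.partial`, checking it against a pinned SHA-256, and only then running `mv $@.partial $@` would cover both; the same applies to `$(BUILD)/qemu_uboot.rom`.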
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# This script runs "make f.recipe" and "cargo update" in the specified recipe
|
||||
if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]; then
|
||||
echo "ERROR: cargo-update.sh modifies Cargo.lock files and may require network access." >&2
|
||||
echo " Set REDBEAR_ALLOW_UPSTREAM=1 to override." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
recipe_name="$1"
|
||||
recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4)
|
||||
|
||||
@@ -34,6 +34,7 @@ cd "$REPO_ROOT"
|
||||
REPO_BIN="./target/release/repo"
|
||||
CONFIG_NAME="${1:-redbear-full}"
|
||||
ACTION="fetch"
|
||||
ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"
|
||||
|
||||
# ── Colors (disabled when not a terminal) ───────────────────────────
|
||||
if [ -t 1 ]; then
|
||||
@@ -56,9 +57,10 @@ usage() {
|
||||
echo " --status Show which sources already exist locally"
|
||||
echo " --preflight Smart blake3/size check — show what needs updating"
|
||||
echo " --force Force re-download even if checksums match"
|
||||
echo " --upstream Allow network access for source fetching (gated)"
|
||||
echo " --help Show this help"
|
||||
echo ""
|
||||
echo "Configs: redbear-full, redbear-minimal, redbear-live-full, redbear-live-minimal"
|
||||
echo "Configs: redbear-full, redbear-mini, redbear-grub"
|
||||
echo "Default config: redbear-full"
|
||||
}
|
||||
|
||||
@@ -91,6 +93,10 @@ while [[ $# -gt 0 ]]; do
|
||||
FORCE_FETCH=1
|
||||
shift
|
||||
;;
|
||||
--upstream)
|
||||
ALLOW_UPSTREAM=1
|
||||
shift
|
||||
;;
|
||||
--help|-h)
|
||||
usage
|
||||
exit 0
|
||||
@@ -481,7 +487,7 @@ case "$ACTION" in
|
||||
preflight)
|
||||
build_repo
|
||||
if [ "$ALL_CONFIGS" -eq 1 ]; then
|
||||
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
|
||||
for cfg in redbear-full redbear-mini redbear-grub; do
|
||||
preflight_scan "$cfg" || true
|
||||
done
|
||||
else
|
||||
@@ -491,7 +497,7 @@ case "$ACTION" in
|
||||
list)
|
||||
build_repo
|
||||
if [ "$ALL_CONFIGS" -eq 1 ]; then
|
||||
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
|
||||
for cfg in redbear-full redbear-mini redbear-grub; do
|
||||
list_for_config "$cfg" 2>/dev/null || true
|
||||
done
|
||||
else
|
||||
@@ -501,12 +507,19 @@ case "$ACTION" in
|
||||
fetch)
|
||||
build_repo
|
||||
|
||||
if [ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]; then
|
||||
echo "ERROR: fetch-all-sources.sh requires network access." >&2
|
||||
echo " Pass --upstream or set REDBEAR_ALLOW_UPSTREAM=1 to enable." >&2
|
||||
echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -n "$SINGLE_RECIPE" ]; then
|
||||
fetch_single_recipe "$SINGLE_RECIPE"
|
||||
elif [ "$ALL_CONFIGS" -eq 1 ]; then
|
||||
echo "==> Fetching sources for ALL configs"
|
||||
echo " This ensures every recipe needed by any config is downloaded."
|
||||
for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
|
||||
for cfg in redbear-full redbear-mini redbear-grub; do
|
||||
fetch_for_config "$cfg" 2>/dev/null || {
|
||||
echo " WARNING: failed to fetch for $cfg (some recipes may not exist)"
|
||||
echo ""
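Review bot: The fetch gate compares with `-eq`, which fails open on non-numeric input. With `REDBEAR_ALLOW_UPSTREAM=no` (or an inherited `ALLOW_UPSTREAM=false`) the `[` command reports an error, the `if` condition is false, and the fetch proceeds without `--upstream`. A string test is safer: `if [ "$ALLOW_UPSTREAM" != "1" ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then`. `cargo-update.sh` in this commit has the mirror problem with `= "0"`, where any other value is accepted. `ALLOW_UPSTREAM` is also seeded from the environment at the top of the script, an undocumented second switch; initialising it to `0` would leave `--upstream` and `REDBEAR_ALLOW_UPSTREAM` as the only ways in. The `case` block continues outside the hunk.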
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
#!/usr/bin/env bash
|
||||
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
|
||||
# patch-inclusion-gate.sh — block image creation unless Red Bear patches are wired.
|
||||
#
|
||||
# Verifies that:
|
||||
# 1. Every patch file referenced in recipe.toml exists on disk
|
||||
# 2. Every patch file in local/patches/ is wired into at least one recipe
|
||||
#
|
||||
# Public scripts that create harddrive images or live ISOs must call this before
|
||||
# invoking `make all`, `make live`, or a direct image target. The cookbook still
|
||||
# applies patches from recipe.toml; this gate verifies the durable patch store is
|
||||
# classified and that active ledger entries are wired into recipes.
|
||||
# invoking `make all`, `make live`, or a direct image target.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
@@ -18,12 +20,36 @@ if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
ledger_gate="local/scripts/classify-patches-ledger.py"
|
||||
if [ ! -x "$ledger_gate" ]; then
|
||||
echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2
|
||||
errors=0
|
||||
|
||||
# Check 1: every patch referenced in recipe.toml must exist on disk
|
||||
while IFS= read -r recipe_toml; do
|
||||
recipe_dir="$(dirname "$recipe_toml")"
|
||||
patch_list=$(grep -oP 'patches\s*=\s*\[([^\]]*)\]' "$recipe_toml" 2>/dev/null | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)
|
||||
|
||||
for patch_name in $patch_list; do
|
||||
patch_path="$recipe_dir/$patch_name"
|
||||
if [ ! -f "$patch_path" ]; then
|
||||
echo "ERROR: $recipe_toml references '$patch_name' but file not found at $patch_path" >&2
|
||||
errors=$((errors + 1))
|
||||
fi
|
||||
done
|
||||
done < <(find recipes local/recipes -name "recipe.toml" -not -path "*/source/*" 2>/dev/null)
|
||||
|
||||
# Check 2: every patch in local/patches/ should be wired into at least one recipe
|
||||
while IFS= read -r patch_file; do
|
||||
patch_name=$(basename "$patch_file")
|
||||
component=$(basename "$(dirname "$patch_file")")
|
||||
|
||||
wired=$(grep -rl "\"$patch_name\"" recipes/ local/recipes/ --include="recipe.toml" 2>/dev/null | head -1 || true)
|
||||
if [ -z "$wired" ]; then
|
||||
echo "WARNING: local/patches/$component/$patch_name is not wired into any recipe.toml" >&2
|
||||
fi
|
||||
done < <(find local/patches -name "*.patch" -type f 2>/dev/null)
|
||||
|
||||
if [ "$errors" -gt 0 ]; then
|
||||
echo "ERROR: $errors patch reference(s) broken. Fix before building." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ">>> Verifying Red Bear patch inclusion before image creation"
|
||||
python3 local/scripts/ensure-patches-wired.py
|
||||
python3 "$ledger_gate" --strict
|
||||
echo ">>> Patch inclusion gate passed"
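Review bot: The rewritten gate no longer blocks on an unwired patch. Check 2 only prints `WARNING` and never increments `errors`, so a patch in `local/patches/` that has dropped out of every `recipe.toml` still lets the image build, although the header says the gate blocks image creation unless patches are wired. Check 1 has a blind spot as well: `grep -oP` works per line, so a `patches = [` array spread over several lines yields an empty `patch_list` and is never checked. I would add `errors=$((errors + 1))` after the warning, match the name literally with `grep -rlF "\"$patch_name\""`, and collect multi-line arrays before extracting names. The strict ledger check that the old script ran is dropped without a replacement, which deserves a sentence in the header.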
|
||||
|
||||
+1
-1
@@ -29,7 +29,7 @@ Examples:
|
||||
$(basename "$0") # Run existing image
|
||||
$(basename "$0") --build # Build + run
|
||||
$(basename "$0") --build --upstream # Build + run with upstream source refresh enabled
|
||||
$(basename "$0") -b -c redbear-minimal # Build minimal + run
|
||||
$(basename "$0") -b -c redbear-mini # Build mini + run
|
||||
$(basename "$0") -- QEMUFLAGS="-m 8G" # Run with 8G RAM
|
||||
$(basename "$0") -b -- serial=yes # Build + run with serial console
|
||||
$(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM
|
||||
|
||||
+26
-7
@@ -1,9 +1,28 @@
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
|
||||
case ":${PATH}:" in
|
||||
*":$HOME/.cargo/bin:"*) ;;
|
||||
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
|
||||
esac
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
||||
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-full/harddrive.img}"
|
||||
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
|
||||
RAM="${QEMU_RAM:-8192}"
|
||||
|
||||
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/rbos/build/x86_64/redbear-full.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
|
||||
if [ ! -f "$IMAGE" ]; then
|
||||
echo "ERROR: Image not found at $IMAGE" >&2
|
||||
echo " Run 'make all CONFIG_NAME=redbear-full' first." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$BIOS" ]; then
|
||||
echo "ERROR: OVMF firmware not found at $BIOS" >&2
|
||||
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exec qemu-system-x86_64 \
|
||||
-m "${RAM}" \
|
||||
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
|
||||
-drive file="$IMAGE",format=raw \
|
||||
-device virtio-gpu-pci \
|
||||
-enable-kvm \
|
||||
-serial mon:stdio
|
||||
|
||||
+24
-7
@@ -1,9 +1,26 @@
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
|
||||
case ":${PATH}:" in
|
||||
*":$HOME/.cargo/bin:"*) ;;
|
||||
*) export PATH="$HOME/.cargo/bin:$PATH" ;;
|
||||
esac
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
||||
IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-mini/harddrive.img}"
|
||||
BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
|
||||
RAM="${QEMU_RAM:-8192}"
|
||||
|
||||
qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/RedBear-OS/build/x86_64/redbear-mini.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
|
||||
if [ ! -f "$IMAGE" ]; then
|
||||
echo "ERROR: Image not found at $IMAGE" >&2
|
||||
echo " Run 'make all CONFIG_NAME=redbear-mini' first." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$BIOS" ]; then
|
||||
echo "ERROR: OVMF firmware not found at $BIOS" >&2
|
||||
echo " Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exec qemu-system-x86_64 \
|
||||
-m "${RAM}" \
|
||||
-drive if=pflash,format=raw,readonly=on,file="$BIOS" \
|
||||
-drive file="$IMAGE",format=raw \
|
||||
-serial mon:stdio
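Review bot: `run_mini.sh` no longer passes `-device virtio-gpu-pci` or `-enable-kvm`, both of which the removed one-liner used and which `run_full.sh` in this commit keeps. If the mini profile is meant to run without acceleration and without a GPU device, say so in a comment above the `exec`. Otherwise restore the two options so the scripts differ only in the image path.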
|
||||
|
||||
+24
-128
@@ -58,134 +58,30 @@ pub(crate) fn cleanup_workspace_pollution(recipe_dir: &Path, logger: &PtyOut) {
|
||||
}
|
||||
|
||||
fn redbear_protected_recipe(name: &str) -> bool {
|
||||
matches!(
|
||||
name,
|
||||
// Core patched recipes (upstream + Red Bear patches)
|
||||
"relibc"
|
||||
| "bootloader"
|
||||
| "kernel"
|
||||
| "base"
|
||||
| "base-initfs"
|
||||
| "installer"
|
||||
| "redoxfs"
|
||||
| "grub"
|
||||
// Red Bear custom core recipes
|
||||
| "ext4d"
|
||||
| "fatd"
|
||||
// Red Bear driver infrastructure
|
||||
| "redox-driver-sys"
|
||||
| "linux-kpi"
|
||||
| "firmware-loader"
|
||||
| "redbear-btusb"
|
||||
| "redbear-iwlwifi"
|
||||
// Red Bear GPU stack
|
||||
| "redox-drm"
|
||||
| "amdgpu"
|
||||
// Red Bear system tools
|
||||
| "cub"
|
||||
| "evdevd"
|
||||
| "udev-shim"
|
||||
| "iommu"
|
||||
| "redbear-firmware"
|
||||
| "redbear-hwutils"
|
||||
| "redbear-info"
|
||||
| "rbos-info"
|
||||
| "redbear-meta"
|
||||
| "redbear-netctl"
|
||||
| "redbear-netctl-console"
|
||||
| "redbear-netstat"
|
||||
| "redbear-btctl"
|
||||
| "redbear-wifictl"
|
||||
| "redbear-traceroute"
|
||||
| "redbear-mtr"
|
||||
| "redbear-nmap"
|
||||
| "redbear-sessiond"
|
||||
| "redbear-authd"
|
||||
| "redbear-session-launch"
|
||||
| "redbear-greeter"
|
||||
| "redbear-dbus-services"
|
||||
| "redbear-notifications"
|
||||
| "redbear-upower"
|
||||
| "redbear-udisks"
|
||||
| "redbear-polkit"
|
||||
| "redbear-quirks"
|
||||
// Red Bear branding
|
||||
| "redbear-release"
|
||||
// Qt stack with Red Bear patches (must not be re-fetched online)
|
||||
| "qtbase"
|
||||
| "qtwayland"
|
||||
| "qtdeclarative"
|
||||
| "qtbase-compat"
|
||||
// Graphics / display stack with Red Bear patches
|
||||
| "libdrm"
|
||||
| "mesa"
|
||||
// Wayland / input stack with Red Bear patches
|
||||
| "libwayland"
|
||||
| "libevdev"
|
||||
| "libinput"
|
||||
// IPC / system libraries with Red Bear patches
|
||||
| "dbus"
|
||||
| "glib"
|
||||
// Red Bear library stubs and custom libs
|
||||
| "libepoxy-stub"
|
||||
| "libdisplay-info-stub"
|
||||
| "lcms2-stub"
|
||||
| "libxcvt-stub"
|
||||
| "libudev-stub"
|
||||
| "zbus"
|
||||
| "libqrencode"
|
||||
// Red Bear Wayland
|
||||
| "qt6-wayland-smoke"
|
||||
| "smallvil"
|
||||
| "seatd-redox"
|
||||
// Red Bear KDE (47 recipes)
|
||||
| "kf6-extra-cmake-modules"
|
||||
| "kf6-kcoreaddons"
|
||||
| "kf6-kwidgetsaddons"
|
||||
| "kf6-kconfig"
|
||||
| "kf6-ki18n"
|
||||
| "kf6-kcodecs"
|
||||
| "kf6-kguiaddons"
|
||||
| "kf6-kcolorscheme"
|
||||
| "kf6-kauth"
|
||||
| "kf6-kitemmodels"
|
||||
| "kf6-kitemviews"
|
||||
| "kf6-karchive"
|
||||
| "kf6-kwindowsystem"
|
||||
| "kf6-knotifications"
|
||||
| "kf6-kjobwidgets"
|
||||
| "kf6-kconfigwidgets"
|
||||
| "kf6-kcrash"
|
||||
| "kf6-kdbusaddons"
|
||||
| "kf6-kglobalaccel"
|
||||
| "kf6-kservice"
|
||||
| "kf6-kpackage"
|
||||
| "kf6-kiconthemes"
|
||||
| "kf6-kxmlgui"
|
||||
| "kf6-ktextwidgets"
|
||||
| "kf6-solid"
|
||||
| "kf6-sonnet"
|
||||
| "kf6-kio"
|
||||
| "kf6-kbookmarks"
|
||||
| "kf6-kcompletion"
|
||||
| "kf6-kdeclarative"
|
||||
| "kf6-kcmutils"
|
||||
| "kf6-kidletime"
|
||||
| "kf6-kwayland"
|
||||
| "kf6-knewstuff"
|
||||
| "kf6-kwallet"
|
||||
| "kf6-prison"
|
||||
| "kf6-kirigami"
|
||||
| "kdecoration"
|
||||
| "kwin"
|
||||
| "plasma-desktop"
|
||||
| "plasma-workspace"
|
||||
| "plasma-framework"
|
||||
| "plasma-wayland-protocols"
|
||||
| "kirigami"
|
||||
// Orbutils (has local patch)
|
||||
| "orbutils"
|
||||
)
|
||||
static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> = std::sync::OnceLock::new();
|
||||
let set = PROTECTED.get_or_init(|| {
|
||||
let mut set = std::collections::HashSet::new();
|
||||
let config_path = std::path::Path::new("config/protected-recipes.toml");
|
||||
if let Ok(contents) = std::fs::read_to_string(config_path) {
|
||||
if let Ok(value) = contents.parse::<toml::Value>() {
|
||||
if let Some(table) = value.as_table() {
|
||||
for section in table.values() {
|
||||
if let Some(arr) = section.get("recipes").and_then(|v| v.as_array()) {
|
||||
for item in arr {
|
||||
if let Some(s) = item.as_str() {
|
||||
set.insert(s.to_string());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
eprintln!("WARNING: config/protected-recipes.toml not found, falling back to empty protected list");
|
||||
}
|
||||
set
|
||||
});
|
||||
set.contains(name)
|
||||
}
|
||||
|
||||
fn redbear_allow_protected_fetch() -> bool {
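Review bot: The new loader in `redbear_protected_recipe` fails open. If `config/protected-recipes.toml` cannot be read, the set is empty and every recipe is treated as unprotected; if the file is present but is not valid TOML, the inner `if let Ok(value)` has no `else`, so the same thing happens without a warning. The path is relative to the process working directory, so running the tool from another directory is enough to trigger it, and the empty result stays cached in the `OnceLock` for the rest of the run. Since this list is what keeps patched sources from being replaced by an upstream fetch, I would fail closed (treat every recipe as protected, or abort) when the list cannot be loaded, and report parse errors, as sketched below. A `///` comment stating the file format and the failure policy would also help.

```rust
fn redbear_protected_recipe(name: &str) -> bool {
    // `None` means the list could not be loaded; every recipe is then reported as protected.
    static PROTECTED: std::sync::OnceLock<Option<std::collections::HashSet<String>>> =
        std::sync::OnceLock::new();
    let loaded = PROTECTED.get_or_init(|| {
        let config_path = std::path::Path::new("config/protected-recipes.toml");
        let contents = match std::fs::read_to_string(config_path) {
            Ok(contents) => contents,
            Err(err) => {
                eprintln!(
                    "ERROR: cannot read {}: {err}; treating every recipe as protected",
                    config_path.display()
                );
                return None;
            }
        };
        let value = match contents.parse::<toml::Value>() {
            Ok(value) => value,
            Err(err) => {
                eprintln!(
                    "ERROR: cannot parse {}: {err}; treating every recipe as protected",
                    config_path.display()
                );
                return None;
            }
        };
        let mut set = std::collections::HashSet::new();
        // … unchanged: walk each table of `value` and insert its `recipes` strings into `set` …
        Some(set)
    });
    loaded.as_ref().map_or(true, |set| set.contains(name))
}
```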
|
||||
|
||||