Files
RedBear-OS/local/scripts/audit-patch-idempotency.py
T
kellito ae749ffb23 build: ship build-system hardening arc (5 of 10 improvements)
The v6.0 build-system hardening arc lands 5 of the 10 improvements
proposed in local/docs/BUILD-SYSTEM-IMPROVEMENTS.md. All scripts
have unit tests (62 -> 86, all pass in <1s) and the new 'lint-recipe'
Gitea Actions job runs on every PR.

Per-recipe audit & lint scripts (catch R1/R2 violations BEFORE cook):
  * audit-patch-idempotency.py  — verifies external patches in
    local/patches/ still apply against the upstream pinned rev.
    Caught 1 real bug on first run: libdrm/02-redox-dispatch.patch
    hunk at xf86drm.c:321 no longer matches libdrm-2.4.125.
  * audit-kf6-deps.py           — fetches upstream, scans for
    find_package(KF6Xxx REQUIRED), compares to recipe deps. Catches
    missing + dead dependencies in every kf6-* and qt* recipe.
  * classify-cook-failure.py    — 17-rule cook-failure classifier.
    10-30s diagnosis vs 5-10min manual. exit code is intentionally
    inverted (0=novel failure, 1=known fix) for CI signal.
  * lint-recipe.py              — 7-rule recipe lint: R1-NO-PATCH-FILE,
    R1-PATH-SOURCE, R2-INLINE-SED, R2-PATCHES-DIR-UNUSED,
    NO-LEGACY-MAKE, R1-LEGACY-APPLY-PATCHES, DEP-NOT-FOUND.
    1.1s for 171 recipes (down from 60s+ in v1 via recipe-index
    precomputation). Strict mode promotes warnings to errors.

Build-system convenience:
  * repair-cook.sh              — incremental-build optimizer.
    Equivalent to 'repo cook <pkg>' but with a fast-path that
    skips configure when CMakeCache.txt is newer than source AND
    external patches haven't changed. 30-60s vs 5-10min on KF6
    recipes. make repair.<pkg> / make clean-repair.<pkg> targets.
  * migrate-kf6-seds-to-patches.sh — migration skeleton for
    converting 56 inline 'sed -i' chains across the KF6 recipes
    to durable external patches in local/patches/<name>/.

Gitea Actions (host-execution, no Docker):
  * .gitea/workflows/build-system.yml — 8-job pipeline:
    unit-tests, lint-offline, lint-network (nightly),
    lint-recipe (NEW), lint-docs, build-mini, build-full,
    smoke (QEMU boot).
  * .gitea/RUNNER-SETUP.md — one-time Manjaro/Arch host setup.

Build script hardening:
  * build-redbear.sh            — when a low-level source (relibc,
    kernel, base, bootloader, installer) is newer than its pkgar,
    clean build/ and sysroot/ across all recipes too. Low-level
    package changes leave autotools packages (pcre2, gettext,
    libiconv, ...) with stale configure/libtool scripts referencing
    the old runtime, causing 'libtool version mismatch' and
    'not a valid libtool object' errors. Cleaning forces
    re-configuration; stage/ and source/ are preserved so the
    cookbook skips unchanged packages that don't use autotools.
  * Makefile                    — wire lint-cook-failure,
    lint-cook-failure-explain, lint-recipe, lint-recipe.%,
    lint-recipe.strict, lint-recipe.%.strict, repair.%,
    clean-repair.%, test-lint-scripts[-quiet]. Replace the
    legacy 'validate-patches' target with a deprecation notice
    pointing at validate-sources.

Documentation:
  * BUILD-SYSTEM-IMPROVEMENTS.md   — mark #2 and #5 DONE; full
    implementation notes; updated Make-targets table.
  * BUILD-SYSTEM-V6-HARDENING-POSTMORTEM.md (NEW) — 226-line durable
    record of the 8-session arc: 32 findings categorized, 5 P0
    audit-script bugs fixed, 6 over-broad multi-pattern rules
    discovered + fixed, test coverage 86/86 in <1s, 7/10
    improvements DONE.
  * SCRIPT-BEHAVIOR-MATRIX.md   — apply-patches.sh row marked
    LEGACY/ARCHIVED; build-redbear.sh row no longer claims to
    call it.
  * boot-logs/README.md (NEW)   — frozen-evidence policy:
    'do not edit' rule for REDBEAR-FULL-BOOT-*-RESULTS.md files.
  * libdrm/02-redox-dispatch.patch.README (NEW) — 8-step regen
    procedure for the broken hunk.

Cleanup:
  * local/cache/README.md deleted (1-line placeholder).
  * legacy 'make validate-patches' target removed.

Per build-system improvement #5: lint-recipe.py's first run on
the live tree surfaced 1 broken-patch reference (redbear-sessiond),
1 dangling cookbook_apply_patches call (tc), 19 sed -i calls in
sddm (warning — cookbook_apply_patches present, drop-x11.py
migration in progress), 4 sed -i calls in qt6-wayland-smoke
(uncovers the same bug class the libwayland fix prevented).
2026-06-12 13:37:39 +03:00

392 lines
15 KiB
Python
Executable File

#!/usr/bin/env python3
"""Validate the idempotency of every external patch in local/patches/.
Per AGENTS.md "NO OVERLAY-STYLE PATCHES — AMENDED 2026" Rule 2, big
external projects use the cookbook's `cookbook_apply_patches` helper
which checks `git apply --reverse --check` to skip already-applied
patches. If a patch's reverse check fails (because the upstream
source drifted from the patch's expected state), the helper tries to
JSON SCHEMA (with --json):
Top-level:
patches: [PatchEntry, ...] one per patch in local/patches/
total: int len(patches)
errors: int count of all_errors across all entries
skipped: int count of entries that were --no-fetch
Per-entry:
component: str e.g. "mesa", "libdrm"
patch: str filename, e.g. "01-foo.patch"
status: "ok" | "fail" | "skipped"
errors: [str, ...] empty unless status == "fail"
Exit code: 0 if errors == 0, else 1. With --no-fetch, all entries are
"skipped" and the exit code is still 0, so the make lint-patches
target chains should treat skipped_count == total as a soft failure.
apply the patch forward, which fails too because some hunks no
longer apply. The result is a confusing cook failure.
This script catches that class of bug at lint time. For every
[0-9]*.patch under local/patches/<component>/, it:
1. Clones the upstream repo at the pinned rev into a temp dir
2. Applies the patch
3. Verifies `git apply --reverse --check` succeeds on the result
(i.e. the patch is fully reversible — idempotency invariant)
4. Re-applies the patch
5. Verifies the source is byte-identical to step 2's result
(i.e. the patch is idempotent — applying it twice = applying it once)
6. Verifies the result is reproducible: re-clone, re-apply, byte-equal
If any check fails, the script exits non-zero and prints which patches
are non-idempotent. CI or `make lint` should run this on every PR.
Usage:
./local/scripts/audit-patch-idempotency.py [--component <name>] [--verbose]
"""
import argparse
import re
import shutil
import subprocess
import sys
import tempfile
import tomllib
from pathlib import Path
PROJECT_ROOT = Path(__file__).resolve().parents[2]
PATCHES_ROOT = PROJECT_ROOT / "local" / "patches"
SOURCE_ROOT = PROJECT_ROOT / "local" / "sources"
RECIPES_ROOT = PROJECT_ROOT / "local" / "recipes"
MAINLINE_RECIPES = PROJECT_ROOT / "recipes"
PATCH_NAME_RE = re.compile(r"^\d+-[A-Za-z0-9_.-]+\.patch$")
NUM_PREFIX_RE = re.compile(r"^(\d+)-")
def run(cmd, **kwargs):
"""Run a subprocess, returning (returncode, stdout, stderr)."""
proc = subprocess.run(
cmd,
capture_output=True,
text=True,
check=False,
**kwargs,
)
return proc.returncode, proc.stdout, proc.stderr
def collect_patches(component_filter=None):
"""Yield (component, patch_path) for every external patch."""
if not PATCHES_ROOT.is_dir():
return
for component_dir in sorted(PATCHES_ROOT.iterdir()):
if not component_dir.is_dir():
continue
if component_filter and component_dir.name != component_filter:
continue
for patch_path in sorted(component_dir.iterdir()):
if patch_path.is_file() and PATCH_NAME_RE.match(patch_path.name):
yield component_dir.name, patch_path
def resolve_upstream(component) -> "tuple[str | None, str | None] | tuple[str, str | None, Path]":
"""Return (url, rev) for a component by reading its mainline recipe.
The component is matched by the recipe.toml's parent directory name
(e.g. recipes/libs/mesa/recipe.toml matches component="mesa"),
not the category. This means multiple categories with the same
package name (e.g. recipes/wip/demos/mesa-demos) won't accidentally
match.
"""
candidates: list[tuple[str, str, Path]] = []
for recipes_root in (RECIPES_ROOT, MAINLINE_RECIPES):
if not recipes_root.is_dir():
continue
for recipe_toml in recipes_root.rglob("recipe.toml"):
if "source" in recipe_toml.parts or "target" in recipe_toml.parts:
continue
if recipe_toml.parent.name != component:
continue
try:
with open(recipe_toml, "rb") as f:
data = tomllib.load(f)
except (OSError, tomllib.TOMLDecodeError):
continue
source = data.get("source") or {}
if "git" in source:
# Either pinned rev or branch tip — both are valid
# upstream reference points for a patch's "from" state.
if "rev" in source:
rev = str(source["rev"])
elif "branch" in source:
# Branch resolution requires a network call to
# the upstream's `git ls-remote`. Patches that
# track a branch should ideally pin a rev for
# reproducibility; warn but proceed.
rev = f"refs/heads/{source['branch']}"
else:
continue
candidates.append((source["git"], rev, recipe_toml))
elif "tar" in source:
return ("tar", source.get("tar"), recipe_toml)
if not candidates:
return None, None
if len(candidates) > 1:
candidates.sort(key=lambda c: "local" in str(c[2]))
url, rev, _ = candidates[0]
return url, rev
def clone_source(url, rev, target):
"""Clone the upstream repo at the pinned rev into target/."""
if target.exists():
shutil.rmtree(target)
target.mkdir(parents=True)
rc, out, err = run(
["git", "clone", "--quiet", "--no-checkout", url, str(target)],
)
if rc != 0:
return False, f"clone failed: {err.strip()}"
rc, out, err = run(
["git", "-C", str(target), "checkout", "--quiet", rev],
)
if rc != 0:
return False, f"checkout {rev} failed: {err.strip()}"
return True, None
def apply_patch(source_dir, patch_path):
"""Apply patch in source_dir. Return (ok, error_msg)."""
rc, out, err = run(
["git", "-C", str(source_dir), "apply", "--whitespace=nowarn", str(patch_path)],
)
if rc != 0:
return False, (err or out).strip()
return True, None
def check_reverse(source_dir, patch_path):
"""git apply --reverse --check. Returns (ok, error_msg)."""
rc, out, err = run(
["git", "-C", str(source_dir), "apply", "--reverse", "--check", str(patch_path)],
)
if rc != 0:
return False, (err or out).strip()
return True, None
def diff_trees(a, b):
"""Return a unified diff between two source dirs, excluding .git/.
The .git/ directory has timestamps and refs that always differ
between clones, so we exclude it. The actual source tree is the
signal we care about.
"""
proc = subprocess.run(
["diff", "-ruN",
"--exclude=.git",
"--exclude=*.pyc", "--exclude=__pycache__",
str(a), str(b)],
capture_output=True, text=True, check=False,
)
return proc.stdout
def audit_one(component, patch_path, verbose=False):
"""Audit a single patch. Return a list of error strings (empty = OK)."""
errors: list[str] = []
upstream = resolve_upstream(component)
if isinstance(upstream, tuple) and len(upstream) == 3 and upstream[0] == "tar":
return [f"{component}/{patch_path.name}: tar-based source, "
f"manual audit required"]
if not upstream or upstream[0] is None:
return [f"{component}/{patch_path.name}: no upstream recipe found "
f"in local/recipes/ or recipes/"]
url, rev = upstream[0], upstream[1]
if url is None or rev is None:
return [f"{component}/{patch_path.name}: could not resolve upstream "
f"git URL or rev for component {component!r}"]
url = str(url)
rev = str(rev)
# Phase 1: clone, apply, verify reverse + idempotency
with tempfile.TemporaryDirectory(prefix="audit-patch-") as tmp:
tmp_path = Path(tmp)
work = tmp_path / "work"
work2 = tmp_path / "work2"
if verbose:
print(f" cloning {url} @ {rev[:12]}...")
ok, err = clone_source(url, rev, work)
if not ok:
return [f"{component}/{patch_path.name}: clone failed: {err}"]
# Apply once
ok, err = apply_patch(work, patch_path)
if not err:
patch_applied_ok = True
else:
patch_applied_ok = False
errors.append(f"{component}/{patch_path.name}: apply failed: {err}")
if patch_applied_ok:
# Reverse check (idempotency invariant)
ok, rev_err = check_reverse(work, patch_path)
if not ok:
err_msg = rev_err or "unknown error"
errors.append(
f"{component}/{patch_path.name}: --reverse --check FAILED — "
f"patch is not idempotent. Cookbook's cookbook_apply_patches "
f"will fail on a re-cook. Underlying error: {err_msg[:500]}"
)
# Idempotency: apply twice = apply once
ok, err = apply_patch(work, patch_path)
if not err:
# The patch is now applied twice (or rather, applied when
# already applied, which might fail). The cookbook's
# --reverse --check is meant to skip this case. If the
# second apply succeeded, the patch is non-idempotent
# (applying twice is meaningful). If it failed, check
# that the second failure is the expected "already
# applied" error.
errors.append(
f"{component}/{patch_path.name}: second apply SUCCEEDED — "
f"patch is not idempotent. Re-applying after a fresh "
f"cook will apply it twice. Cookbook should skip via "
f"--reverse --check; verify the helper still works."
)
else:
# Expected: second apply fails. Confirm the working tree
# is byte-identical to the first apply.
if verbose:
print(f" re-cloning to verify reproducibility...")
ok, err = clone_source(url, rev, work2)
if not ok:
errors.append(
f"{component}/{patch_path.name}: re-clone failed: {err}"
)
else:
ok, err = apply_patch(work2, patch_path)
if err:
errors.append(
f"{component}/{patch_path.name}: "
f"reproducibility — second apply failed: {err}"
)
else:
diff_out = diff_trees(work, work2)
if diff_out:
errors.append(
f"{component}/{patch_path.name}: non-reproducible — "
f"second apply produces a different tree:\n"
f"{diff_out[:1000]}"
)
return errors
def main():
parser = argparse.ArgumentParser(
description=(
"Validate the idempotency of every external patch in "
"local/patches/."
)
)
parser.add_argument(
"--component",
help="Audit only the given component (default: all)",
)
parser.add_argument(
"--verbose", "-v", action="store_true",
help="Print progress as patches are checked",
)
parser.add_argument(
"--no-fetch", action="store_true",
help="Skip fetching upstream (useful when network is unavailable)",
)
parser.add_argument(
"--json", action="store_true",
help="Emit a machine-readable JSON summary on stdout "
"(use for CI hooks or `make lint` integration).",
)
args = parser.parse_args()
patches = list(collect_patches(args.component))
if not patches:
if args.json:
import json
print(json.dumps({"patches": [], "errors": 0, "skipped": 0}))
else:
print(f"No patches found{' for component ' + args.component if args.component else ''}.",
file=sys.stderr)
return 0
if not args.json:
print(f"Auditing {len(patches)} patch(es)...")
all_errors = []
skipped = 0
json_results = []
for component, patch_path in patches:
entry = {
"component": component,
"patch": patch_path.name,
"status": "ok",
"errors": [],
}
if args.verbose and not args.json:
print(f"[{component}/{patch_path.name}]")
if args.no_fetch:
entry["status"] = "skipped"
if not args.json:
print(f" {component}/{patch_path.name}: SKIPPED (--no-fetch)")
skipped += 1
json_results.append(entry)
continue
errors = audit_one(component, patch_path, verbose=args.verbose and not args.json)
if errors:
entry["status"] = "fail"
entry["errors"] = list(errors)
for e in errors:
if not args.json:
print(f" FAIL: {e}")
all_errors.extend(errors)
elif args.verbose and not args.json:
print(f" OK")
json_results.append(entry)
if args.json:
import json
print(json.dumps({
"patches": json_results,
"total": len(patches),
"errors": len(all_errors),
"skipped": skipped,
}, indent=2))
if skipped == len(patches):
return 2
return 0 if not all_errors else 1
if all_errors:
print()
print(f"FAILED: {len(all_errors)} error(s) across {len(patches)} patch(es).")
print()
print("Common fixes:")
print(" 1. Patch hunks reference content that no longer exists in")
print(" the upstream source. Re-generate the patch from a fresh")
print(" checkout: git diff > local/patches/<component>/NN-...patch")
print(" 2. Patch is order-dependent with a sibling. The cookbook")
print(" applies them in lexical order — make sure NN-prefix order")
print(" matches the actual dependency order.")
print(" 3. Patch has whitespace conflicts with the upstream source.")
print(" Try regenerating with `git diff --ignore-all-space`.")
return 1
if skipped == len(patches):
print()
print(f"All {len(patches)} patch(es) SKIPPED (--no-fetch). "
"No audit was performed; the count of 0 errors is not a "
"pass, just an absence of network-dependent checks.")
return 2
print(f"All {len(patches)} patch(es) are idempotent and reproducible.")
return 0
if __name__ == "__main__":
sys.exit(main())