ae749ffb23
The v6.0 build-system hardening arc lands 5 of the 10 improvements
proposed in local/docs/BUILD-SYSTEM-IMPROVEMENTS.md. All scripts
have unit tests (62 -> 86, all pass in <1s) and the new 'lint-recipe'
Gitea Actions job runs on every PR.
Per-recipe audit & lint scripts (catch R1/R2 violations BEFORE cook):
* audit-patch-idempotency.py — verifies external patches in
local/patches/ still apply against the upstream pinned rev.
Caught 1 real bug on first run: libdrm/02-redox-dispatch.patch
hunk at xf86drm.c:321 no longer matches libdrm-2.4.125.
* audit-kf6-deps.py — fetches upstream, scans for
find_package(KF6Xxx REQUIRED), compares to recipe deps. Catches
missing + dead dependencies in every kf6-* and qt* recipe.
* classify-cook-failure.py — 17-rule cook-failure classifier.
10-30s diagnosis vs 5-10min manual. exit code is intentionally
inverted (0=novel failure, 1=known fix) for CI signal.
* lint-recipe.py — 7-rule recipe lint: R1-NO-PATCH-FILE,
R1-PATH-SOURCE, R2-INLINE-SED, R2-PATCHES-DIR-UNUSED,
NO-LEGACY-MAKE, R1-LEGACY-APPLY-PATCHES, DEP-NOT-FOUND.
1.1s for 171 recipes (down from 60s+ in v1 via recipe-index
precomputation). Strict mode promotes warnings to errors.
Build-system convenience:
* repair-cook.sh — incremental-build optimizer.
Equivalent to 'repo cook <pkg>' but with a fast-path that
skips configure when CMakeCache.txt is newer than source AND
external patches haven't changed. 30-60s vs 5-10min on KF6
recipes. make repair.<pkg> / make clean-repair.<pkg> targets.
* migrate-kf6-seds-to-patches.sh — migration skeleton for
converting 56 inline 'sed -i' chains across the KF6 recipes
to durable external patches in local/patches/<name>/.
Gitea Actions (host-execution, no Docker):
* .gitea/workflows/build-system.yml — 8-job pipeline:
unit-tests, lint-offline, lint-network (nightly),
lint-recipe (NEW), lint-docs, build-mini, build-full,
smoke (QEMU boot).
* .gitea/RUNNER-SETUP.md — one-time Manjaro/Arch host setup.
Build script hardening:
* build-redbear.sh — when a low-level source (relibc,
kernel, base, bootloader, installer) is newer than its pkgar,
clean build/ and sysroot/ across all recipes too. Low-level
package changes leave autotools packages (pcre2, gettext,
libiconv, ...) with stale configure/libtool scripts referencing
the old runtime, causing 'libtool version mismatch' and
'not a valid libtool object' errors. Cleaning forces
re-configuration; stage/ and source/ are preserved so the
cookbook skips unchanged packages that don't use autotools.
* Makefile — wire lint-cook-failure,
lint-cook-failure-explain, lint-recipe, lint-recipe.%,
lint-recipe.strict, lint-recipe.%.strict, repair.%,
clean-repair.%, test-lint-scripts[-quiet]. Replace the
legacy 'validate-patches' target with a deprecation notice
pointing at validate-sources.
Documentation:
* BUILD-SYSTEM-IMPROVEMENTS.md — mark #2 and #5 DONE; full
implementation notes; updated Make-targets table.
* BUILD-SYSTEM-V6-HARDENING-POSTMORTEM.md (NEW) — 226-line durable
record of the 8-session arc: 32 findings categorized, 5 P0
audit-script bugs fixed, 6 over-broad multi-pattern rules
discovered + fixed, test coverage 86/86 in <1s, 7/10
improvements DONE.
* SCRIPT-BEHAVIOR-MATRIX.md — apply-patches.sh row marked
LEGACY/ARCHIVED; build-redbear.sh row no longer claims to
call it.
* boot-logs/README.md (NEW) — frozen-evidence policy:
'do not edit' rule for REDBEAR-FULL-BOOT-*-RESULTS.md files.
* libdrm/02-redox-dispatch.patch.README (NEW) — 8-step regen
procedure for the broken hunk.
Cleanup:
* local/cache/README.md deleted (1-line placeholder).
* legacy 'make validate-patches' target removed.
Per build-system improvement #5: lint-recipe.py's first run on
the live tree surfaced 1 broken-patch reference (redbear-sessiond),
1 dangling cookbook_apply_patches call (tc), 19 sed -i calls in
sddm (warning — cookbook_apply_patches present, drop-x11.py
migration in progress), 4 sed -i calls in qt6-wayland-smoke
(uncovers the same bug class the libwayland fix prevented).
317 lines
10 KiB
Makefile
317 lines
10 KiB
Makefile
# This file contains the build system commands configuration
|
|
# and environment variables
|
|
include mk/config.mk
|
|
|
|
# Build system dependencies
|
|
include mk/depends.mk
|
|
|
|
all: lint-config $(BUILD)/harddrive.img
|
|
|
|
# ── Red Bear OS Build Cache (OBLIGATORY) ─────────────────────────────────
|
|
# Cache sync is a mandatory part of every successful build.
|
|
# The git-tracked cache survives make clean, make distclean, and git clone.
|
|
#
|
|
# Flow:
|
|
# make all → cache-restore (if needed) → build → cache-sync → cache-commit
|
|
#
|
|
# Commands:
|
|
# make cache-sync Sync built → git cache (manual)
|
|
# make cache-commit Sync + git commit (manual)
|
|
# make cache-restore Restore from git cache
|
|
# make cache-status Compare cache vs build state
|
|
|
|
CACHE_SYNC = local/scripts/cache-sync.sh
|
|
CACHE_SAVE = local/scripts/snapshot-cache.sh
|
|
CACHE_RESTORE = local/scripts/restore-cache.sh
|
|
|
|
cache-sync:
|
|
@bash $(CACHE_SYNC)
|
|
|
|
cache-commit:
|
|
@bash $(CACHE_SYNC) --commit
|
|
|
|
cache-restore:
|
|
@echo "Red Bear: restoring from git-tracked cache..."
|
|
@bash $(CACHE_SYNC) --restore
|
|
@bash $(CACHE_RESTORE) 2>/dev/null || true
|
|
|
|
cache-save:
|
|
@bash $(CACHE_SAVE)
|
|
|
|
cache-save-essential:
|
|
@bash $(CACHE_SAVE) --essential
|
|
|
|
cache-verify:
|
|
@bash $(CACHE_RESTORE) --verify
|
|
|
|
cache-list:
|
|
@bash $(CACHE_SAVE) --list
|
|
|
|
cache-status:
|
|
@bash $(CACHE_SYNC) --status
|
|
|
|
# Obligatory cache pipeline — runs before AND after every build
|
|
cache-auto:
|
|
@# ── BEFORE BUILD: restore cache if target is empty ──
|
|
@if [ ! -f $(BUILD)/repo.tag ]; then \
|
|
if ls local/cache/pkgar/*/stage.pkgar >/dev/null 2>&1; then \
|
|
echo "Red Bear: restoring build cache..."; \
|
|
bash $(CACHE_SYNC) --restore; \
|
|
fi; \
|
|
fi
|
|
@# ── AFTER BUILD: sync cache back to git-tracked storage ──
|
|
@if [ -f $(BUILD)/harddrive.img ]; then \
|
|
echo "Red Bear: syncing build cache..."; \
|
|
bash $(CACHE_SYNC); \
|
|
echo "Red Bear: committing cache to git..."; \
|
|
bash $(CACHE_SYNC) --commit 2>/dev/null || echo "Red Bear: cache commit skipped (no changes or not in git repo)"; \
|
|
fi
|
|
|
|
$(BUILD)/harddrive.img: cache-auto
|
|
|
|
live:
|
|
-$(FUMOUNT) $(BUILD)/filesystem/ || true
|
|
-$(FUMOUNT) /tmp/redbear_installer/ || true
|
|
rm -f $(LIVE_ISO) $(LIVE_IMG) $(LIVE_BOOTLOADER) $(LIVE_IPXE)
|
|
$(MAKE) $(LIVE_ISO)
|
|
|
|
popsicle: $(LIVE_ISO)
|
|
popsicle-gtk $(LIVE_ISO)
|
|
|
|
image:
|
|
-$(FUMOUNT) $(BUILD)/filesystem/ || true
|
|
-$(FUMOUNT) /tmp/redbear_installer/ || true
|
|
rm -f $(BUILD)/harddrive.img $(LIVE_ISO) $(LIVE_IMG) $(LIVE_BOOTLOADER) $(LIVE_IPXE)
|
|
$(MAKE) all
|
|
|
|
rebuild:
|
|
-$(FUMOUNT) $(BUILD)/filesystem/ || true
|
|
-$(FUMOUNT) /tmp/redbear_installer/ || true
|
|
rm -rf $(BUILD)/repo.tag $(BUILD)/harddrive.img $(LIVE_ISO) $(LIVE_IMG) $(LIVE_BOOTLOADER) $(LIVE_IPXE)
|
|
$(MAKE) all
|
|
|
|
# To tell that it's not safe
|
|
# to execute the cookbook binary
|
|
NOT_ON_PODMAN?=0
|
|
|
|
clean:
|
|
ifeq ($(PODMAN_BUILD),1)
|
|
ifneq ("$(wildcard $(CONTAINER_TAG))","")
|
|
$(PODMAN_RUN) make $@
|
|
else
|
|
$(info will not run cookbook clean as container is not built)
|
|
$(MAKE) clean PODMAN_BUILD=0 NOT_ON_PODMAN=1 SKIP_CHECK_TOOLS=1
|
|
endif # CONTAINER_TAG
|
|
else
|
|
ifneq ($(NOT_ON_PODMAN),1)
|
|
$(MAKE) repo_clean
|
|
-$(FUMOUNT) $(BUILD)/filesystem/ || true
|
|
-$(FUMOUNT) /tmp/redbear_installer/ || true
|
|
endif # NOT_ON_PODMAN
|
|
rm -rf repo
|
|
rm -rf $(BUILD) $(PREFIX)
|
|
$(MAKE) fstools_clean
|
|
endif # PODMAN_BUILD
|
|
|
|
# distclean: removes build artifacts, toolchain, and upstream source trees.
|
|
# local/ overlay source trees are PROTECTED — the repo binary refuses to
|
|
# unfetch local overlay recipes unless REDBEAR_ALLOW_LOCAL_UNFETCH=1 is set.
|
|
# This is the safe default for Red Bear OS. local/ is NEVER deleted.
|
|
distclean:
|
|
ifneq ($(REDBEAR_RELEASE),)
|
|
$(error distclean is disabled in release mode (REDBEAR_RELEASE=$(REDBEAR_RELEASE)). Sources are immutable. Use: make clean (build artifacts only, safe))
|
|
endif
|
|
ifeq ($(PODMAN_BUILD),1)
|
|
ifneq ("$(wildcard $(CONTAINER_TAG))","")
|
|
$(PODMAN_RUN) make $@
|
|
else
|
|
$(info will not run cookbook unfetch as container is not built)
|
|
$(MAKE) distclean PODMAN_BUILD=0 NOT_ON_PODMAN=1 SKIP_CHECK_TOOLS=1
|
|
endif # CONTAINER_TAG
|
|
else
|
|
ifneq ($(NOT_ON_PODMAN),1)
|
|
$(info ==> distclean: cleaning build artifacts and upstream source trees)
|
|
$(info ==> local/ overlay sources are PROTECTED and will NOT be deleted)
|
|
$(MAKE) fetch_clean
|
|
endif # NOT_ON_PODMAN
|
|
$(MAKE) clean NOT_ON_PODMAN=1
|
|
endif # PODMAN_BUILD
|
|
|
|
# distclean-nuclear: DESTRUCTIVE — also deletes local/ overlay source trees.
|
|
# This is the OLD distclean behavior that can destroy Red Bear work.
|
|
# You must set REDBEAR_ALLOW_LOCAL_UNFETCH=1 for this to actually delete
|
|
# local overlay sources. Without it, the repo binary still protects them.
|
|
# Use ONLY when you are certain you want to discard local overlay source code.
|
|
distclean-nuclear:
|
|
ifeq ($(PODMAN_BUILD),1)
|
|
$(info distclean-nuclear is not supported in Podman mode; use native build)
|
|
else
|
|
$(warning !! distclean-nuclear will attempt to DELETE ALL source trees including local/ overlays)
|
|
$(warning !! This can destroy Red Bear OS work that is not committed to git)
|
|
$(warning !! The repo binary still protects local overlays unless REDBEAR_ALLOW_LOCAL_UNFETCH=1)
|
|
$(MAKE) fetch_clean REDBEAR_ALLOW_LOCAL_UNFETCH=1
|
|
$(MAKE) clean NOT_ON_PODMAN=1
|
|
endif # PODMAN_BUILD
|
|
|
|
pull:
|
|
git pull
|
|
rm -f $(FSTOOLS_TAG)
|
|
|
|
repo: $(BUILD)/repo.tag
|
|
|
|
repo_clean: c.--all
|
|
|
|
fetch_clean: u.--all
|
|
|
|
# Podman build recipes and vars
|
|
include mk/podman.mk
|
|
|
|
# Disk Imaging and Cookbook tools
|
|
include mk/fstools.mk
|
|
|
|
# Cross compiler recipes
|
|
include mk/prefix.mk
|
|
|
|
# Repository maintenance
|
|
include mk/repo.mk
|
|
|
|
# Disk images
|
|
include mk/disk.mk
|
|
|
|
# Emulation recipes
|
|
include mk/qemu.mk
|
|
include mk/virtualbox.mk
|
|
|
|
# CI
|
|
include mk/ci.mk
|
|
|
|
include mk/redbear.mk
|
|
|
|
# Ensure Red Bear OS integration runs before repo cook and disk image creation
|
|
$(BUILD)/harddrive.img: $(REDBEAR_TAG)
|
|
$(LIVE_ISO): $(REDBEAR_TAG)
|
|
$(REPO_TAG): $(REDBEAR_TAG)
|
|
|
|
env: prefix FORCE $(CONTAINER_TAG)
|
|
ifeq ($(PODMAN_BUILD),1)
|
|
$(PODMAN_RUN) make $@
|
|
else
|
|
export PATH="$(PREFIX_PATH):$$PATH" && \
|
|
bash
|
|
endif
|
|
|
|
setenv: FORCE
|
|
@echo export ARCH='$(ARCH)'
|
|
@echo export BOARD='$(BOARD)'
|
|
@echo export CONFIG_NAME='$(CONFIG_NAME)'
|
|
@echo BUILD='$(BUILD)'
|
|
|
|
export RUST_GDB=gdb-multiarch # Necessary when debugging for another architecture than the host
|
|
GDB_KERNEL_FILE=recipes/core/kernel/target/$(TARGET)/build/kernel.sym
|
|
gdb: FORCE
|
|
rust-gdb $(GDB_KERNEL_FILE) --eval-command="target remote :1234"
|
|
|
|
# This target allows debugging a userspace application without requiring gdbserver running inside
|
|
# the VM. Because gdb doesn't know when the userspace application is scheduled by the kernel and as
|
|
# it stops the entire VM rather than just the userspace application that the user wants to debug,
|
|
# connecting to a gdbserver running inside the VM is highly encouraged when possible. This target
|
|
# should only be used when the application to debug runs early during boot before the network stack
|
|
# has started or you need to debug the interaction between the application and the kernel.
|
|
# tl;dr: DO NOT USE THIS TARGET UNLESS YOU HAVE TO
|
|
gdb-userspace: FORCE
|
|
rust-gdb $(GDB_APP_FILE) --eval-command="add-symbol-file $(GDB_KERNEL_FILE)" --eval-command="target remote :1234"
|
|
|
|
# An empty target
|
|
FORCE:
|
|
|
|
.PHONY: lint-patches lint-patches-full lint-kf6-deps lint-cook-failure \
|
|
lint-cook-failure-explain lint-cook-recipe lint-recipe lint-recipe.% \
|
|
lint-recipe.strict lint-recipe.%.strict \
|
|
lint-build-system lint-build-system-full \
|
|
test-lint-scripts test-lint-scripts-quiet \
|
|
repair.% clean-repair.%
|
|
|
|
# Wireshark
|
|
wireshark: FORCE
|
|
wireshark $(BUILD)/network.pcap
|
|
packages-sync: ; @bash local/scripts/sync-packages.sh
|
|
packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/"
|
|
validate-sources:
|
|
@for d in local/sources/kernel local/sources/relibc local/sources/base local/sources/bootloader local/sources/installer; do \
|
|
if [ -d "$$d/.git" ]; then \
|
|
echo "$$d: $(shell git -C $$d rev-list --count HEAD 2>/dev/null || echo 0) commits, $(shell git -C $$d ls-files 2>/dev/null | wc -l) files"; \
|
|
else \
|
|
echo "$$d: MISSING — run local/scripts/create-forks.sh"; \
|
|
fi; \
|
|
done
|
|
|
|
# v6.0 build-system lint targets. These run the three audit scripts
|
|
# that validate the v6.0 build system: idempotent patches, KF6 dep
|
|
# accuracy, and cook-failure classification. Each target exits non-zero
|
|
# on a real problem so CI can wire them up directly.
|
|
|
|
lint-patches:
|
|
@python3 local/scripts/audit-patch-idempotency.py --no-fetch
|
|
|
|
lint-patches-full:
|
|
@python3 local/scripts/audit-patch-idempotency.py
|
|
|
|
lint-kf6-deps:
|
|
@python3 local/scripts/audit-kf6-deps.py --no-fetch
|
|
|
|
test-lint-scripts:
|
|
@python3 -m unittest discover -s local/scripts/tests -v
|
|
|
|
test-lint-scripts-quiet:
|
|
@python3 -m unittest discover -s local/scripts/tests
|
|
|
|
lint-cook-failure:
|
|
@python3 local/scripts/classify-cook-failure.py --last || \
|
|
(echo "No /tmp/redbear-cook.log or /tmp/build.log found. Run a cook first."; exit 0)
|
|
|
|
lint-cook-failure-explain:
|
|
@python3 local/scripts/classify-cook-failure.py --explain-rule qfloat16
|
|
|
|
# Per-recipe v6.0-policy lint. Catches R1/R2 violations BEFORE the
|
|
# slow cook starts. Per build-system improvement #5.
|
|
# Usage:
|
|
# make lint-recipe # all recipes in local/recipes/
|
|
# make lint-recipe.kf6-kimageformats # one recipe by bare name
|
|
# make lint-recipe.strict # all recipes, warnings as errors
|
|
# make lint-recipe.kf6-kimageformats.strict # one recipe, strict mode
|
|
lint-recipe:
|
|
@python3 local/scripts/lint-recipe.py --all
|
|
|
|
lint-recipe.%:
|
|
@python3 local/scripts/lint-recipe.py $*
|
|
|
|
lint-recipe.strict:
|
|
@python3 local/scripts/lint-recipe.py --all --strict
|
|
|
|
lint-recipe.%.strict:
|
|
@python3 local/scripts/lint-recipe.py $* --strict
|
|
|
|
lint-build-system: lint-patches lint-kf6-deps lint-cook-recipe
|
|
@echo "Build system lint complete."
|
|
|
|
lint-build-system-full: lint-patches-full lint-kf6-deps lint-cook-recipe
|
|
@echo "Full build system lint complete (with network)."
|
|
cascade.%: FORCE
|
|
@bash local/scripts/rebuild-cascade.sh $(basename $(subst cascade,, $*))
|
|
|
|
# Repair-cook wrapper: equivalent to `repo cook <recipe>` but with
|
|
# a fast-path that skips configure + compile if the existing build/
|
|
# is still valid. Per build-system improvement #2.
|
|
# Usage: make repair.qtbase (incremental, fast if cache fresh)
|
|
# make repair.qtbase CLEAN=1 (force full rebuild)
|
|
repair.%: FORCE
|
|
@if [ "$(CLEAN)" = "1" ]; then \
|
|
./local/scripts/repair-cook.sh $* --clean-build; \
|
|
else \
|
|
./local/scripts/repair-cook.sh $*; \
|
|
fi
|
|
# Use `make clean-repair.X` to force a clean rebuild
|
|
# (alias for the CLEAN=1 form above)
|
|
clean-repair.%: FORCE
|
|
@./local/scripts/repair-cook.sh $* --clean-build
|