ae749ffb23
The v6.0 build-system hardening arc lands 5 of the 10 improvements
proposed in local/docs/BUILD-SYSTEM-IMPROVEMENTS.md. All scripts
have unit tests (62 -> 86, all pass in <1s) and the new 'lint-recipe'
Gitea Actions job runs on every PR.
Per-recipe audit & lint scripts (catch R1/R2 violations BEFORE cook):
* audit-patch-idempotency.py — verifies external patches in
local/patches/ still apply against the upstream pinned rev.
Caught 1 real bug on first run: libdrm/02-redox-dispatch.patch
hunk at xf86drm.c:321 no longer matches libdrm-2.4.125.
* audit-kf6-deps.py — fetches upstream, scans for
find_package(KF6Xxx REQUIRED), compares to recipe deps. Catches
missing + dead dependencies in every kf6-* and qt* recipe.
* classify-cook-failure.py — 17-rule cook-failure classifier.
10-30s diagnosis vs 5-10min manual. exit code is intentionally
inverted (0=novel failure, 1=known fix) for CI signal.
* lint-recipe.py — 7-rule recipe lint: R1-NO-PATCH-FILE,
R1-PATH-SOURCE, R2-INLINE-SED, R2-PATCHES-DIR-UNUSED,
NO-LEGACY-MAKE, R1-LEGACY-APPLY-PATCHES, DEP-NOT-FOUND.
1.1s for 171 recipes (down from 60s+ in v1 via recipe-index
precomputation). Strict mode promotes warnings to errors.
Build-system convenience:
* repair-cook.sh — incremental-build optimizer.
Equivalent to 'repo cook <pkg>' but with a fast-path that
skips configure when CMakeCache.txt is newer than source AND
external patches haven't changed. 30-60s vs 5-10min on KF6
recipes. make repair.<pkg> / make clean-repair.<pkg> targets.
* migrate-kf6-seds-to-patches.sh — migration skeleton for
converting 56 inline 'sed -i' chains across the KF6 recipes
to durable external patches in local/patches/<name>/.
Gitea Actions (host-execution, no Docker):
* .gitea/workflows/build-system.yml — 8-job pipeline:
unit-tests, lint-offline, lint-network (nightly),
lint-recipe (NEW), lint-docs, build-mini, build-full,
smoke (QEMU boot).
* .gitea/RUNNER-SETUP.md — one-time Manjaro/Arch host setup.
Build script hardening:
* build-redbear.sh — when a low-level source (relibc,
kernel, base, bootloader, installer) is newer than its pkgar,
clean build/ and sysroot/ across all recipes too. Low-level
package changes leave autotools packages (pcre2, gettext,
libiconv, ...) with stale configure/libtool scripts referencing
the old runtime, causing 'libtool version mismatch' and
'not a valid libtool object' errors. Cleaning forces
re-configuration; stage/ and source/ are preserved so the
cookbook skips unchanged packages that don't use autotools.
* Makefile — wire lint-cook-failure,
lint-cook-failure-explain, lint-recipe, lint-recipe.%,
lint-recipe.strict, lint-recipe.%.strict, repair.%,
clean-repair.%, test-lint-scripts[-quiet]. Replace the
legacy 'validate-patches' target with a deprecation notice
pointing at validate-sources.
Documentation:
* BUILD-SYSTEM-IMPROVEMENTS.md — mark #2 and #5 DONE; full
implementation notes; updated Make-targets table.
* BUILD-SYSTEM-V6-HARDENING-POSTMORTEM.md (NEW) — 226-line durable
record of the 8-session arc: 32 findings categorized, 5 P0
audit-script bugs fixed, 6 over-broad multi-pattern rules
discovered + fixed, test coverage 86/86 in <1s, 7/10
improvements DONE.
* SCRIPT-BEHAVIOR-MATRIX.md — apply-patches.sh row marked
LEGACY/ARCHIVED; build-redbear.sh row no longer claims to
call it.
* boot-logs/README.md (NEW) — frozen-evidence policy:
'do not edit' rule for REDBEAR-FULL-BOOT-*-RESULTS.md files.
* libdrm/02-redox-dispatch.patch.README (NEW) — 8-step regen
procedure for the broken hunk.
Cleanup:
* local/cache/README.md deleted (1-line placeholder).
* legacy 'make validate-patches' target removed.
Per build-system improvement #5: lint-recipe.py's first run on
the live tree surfaced 1 broken-patch reference (redbear-sessiond),
1 dangling cookbook_apply_patches call (tc), 19 sed -i calls in
sddm (warning — cookbook_apply_patches present, drop-x11.py
migration in progress), 4 sed -i calls in qt6-wayland-smoke
(uncovers the same bug class the libwayland fix prevented).
104 lines
3.6 KiB
Python
104 lines
3.6 KiB
Python
#!/usr/bin/env python3
|
|
"""Smoke tests for audit-patch-idempotency.py.
|
|
|
|
Run with:
|
|
python3 -m unittest local/scripts/tests/test_audit_patch_idempotency.py
|
|
"""
|
|
import re
|
|
import sys
|
|
import unittest
|
|
from pathlib import Path
|
|
|
|
SCRIPTS_DIR = Path(__file__).resolve().parent.parent
|
|
sys.path.insert(0, str(SCRIPTS_DIR))
|
|
|
|
import importlib.util # noqa: E402
|
|
_spec = importlib.util.spec_from_file_location(
|
|
"api", SCRIPTS_DIR / "audit-patch-idempotency.py"
|
|
)
|
|
assert _spec is not None and _spec.loader is not None
|
|
api = importlib.util.module_from_spec(_spec)
|
|
_spec.loader.exec_module(api)
|
|
|
|
|
|
class TestCollectPatches(unittest.TestCase):
|
|
"""The patch collector walks local/patches/<component>/NN-*.patch."""
|
|
|
|
def test_collect_real_patches(self):
|
|
# On the live tree, this should find at least 10 patches.
|
|
patches = list(api.collect_patches())
|
|
self.assertGreater(len(patches), 0)
|
|
# Every patch is a 2-tuple (component, Path).
|
|
for comp, p in patches:
|
|
self.assertIsInstance(comp, str)
|
|
self.assertTrue(p.exists())
|
|
|
|
def test_collect_filter_by_component(self):
|
|
# Should find the 3 libdrm patches.
|
|
patches = list(api.collect_patches(component_filter="libdrm"))
|
|
for _, name in patches:
|
|
self.assertIn("libdrm", str(name))
|
|
|
|
def test_collect_nonexistent_component(self):
|
|
patches = list(api.collect_patches(component_filter="does-not-exist-xyz"))
|
|
self.assertEqual(patches, [])
|
|
|
|
|
|
class TestPatchNameValidation(unittest.TestCase):
|
|
"""The regex accepts files matching NN-name.patch."""
|
|
|
|
def test_valid_patch_names(self):
|
|
# The collector uses PATCH_NAME_RE — verify it accepts real names.
|
|
names = [
|
|
"01-foo.patch", "02-bar.patch", "99-trailing-numbers.patch",
|
|
"10-multi-word-name-with-dashes.patch",
|
|
]
|
|
for n in names:
|
|
self.assertTrue(api.PATCH_NAME_RE.match(n),
|
|
f"should accept {n!r}")
|
|
|
|
def test_invalid_patch_names(self):
|
|
for n in ["foo.patch", "01-foo", "01-.patch", "foo-01-bar.patch"]:
|
|
self.assertFalse(api.PATCH_NAME_RE.match(n),
|
|
f"should reject {n!r}")
|
|
|
|
|
|
class TestJSONSchemaHonesty(unittest.TestCase):
|
|
"""--no-fetch must produce JSON with skipped entries and a clear message."""
|
|
|
|
def test_no_fetch_json_shape(self):
|
|
import json
|
|
import subprocess
|
|
proc = subprocess.run(
|
|
["python3", str(SCRIPTS_DIR / "audit-patch-idempotency.py"),
|
|
"--no-fetch", "--json"],
|
|
capture_output=True, text=True,
|
|
)
|
|
# With --no-fetch, every entry is skipped -> exit 2 (CI-safe).
|
|
self.assertEqual(proc.returncode, 2)
|
|
data = json.loads(proc.stdout)
|
|
self.assertIn("patches", data)
|
|
self.assertIn("total", data)
|
|
self.assertIn("errors", data)
|
|
self.assertIn("skipped", data)
|
|
# Every entry must be status=skipped.
|
|
for entry in data["patches"]:
|
|
self.assertEqual(entry["status"], "skipped")
|
|
self.assertEqual(data["skipped"], data["total"])
|
|
|
|
def test_no_fetch_text_honest_about_skipping(self):
|
|
import subprocess
|
|
proc = subprocess.run(
|
|
["python3", str(SCRIPTS_DIR / "audit-patch-idempotency.py"),
|
|
"--no-fetch"],
|
|
capture_output=True, text=True,
|
|
)
|
|
# Must NOT say "All N patches are idempotent" when none were
|
|
# actually audited.
|
|
self.assertIn("SKIPPED", proc.stdout)
|
|
self.assertIn("No audit was performed", proc.stdout)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main()
|