58 Commits

Author SHA1 Message Date
Lasse Collin fe9e66993f Docs: Remove .github/SECURITY.md
One of the reasons to have this file in the xz repository was to
show vulnerability reporting info in the Security section on GitHub.
On 2024-11-25, I added SECURITY.md to the tukaani-project organization
on GitHub:

    https://github.com/tukaani-project/.github/blob/main/SECURITY.md

GitHub shows that file in all projects in the organization unless
overridden by a project-specific SECURITY.md. Thus, removing
the file from the xz repo makes GitHub show the organization-wide
text instead.

Maintaining a single copy for the whole GitHub organization makes
things simpler. It's also nicer to have fewer GitHub-specific files
in the xz repo. Information on how to report bugs (including security
issues) is available in README and on the home page too.

The OpenSSF Scorecard tool didn't find .github/SECURITY.md from the
xz repository. There was a suggestion to move the file to the top-level
directory where Scorecard should find it. However, Scorecard does find
the organization-wide SECURITY.md. Thus, the file isn't needed in the
xz repository to score points in the Scorecard game:

    https://scorecard.dev/viewer/?uri=github.com/tukaani-project/xz

Closes: https://github.com/tukaani-project/xz/issues/148
Closes: https://github.com/tukaani-project/xz/pull/149
2024-11-30 12:05:59 +02:00
Sam James dbca3d078e CI: update FreeBSD, NetBSD, OpenBSD, Solaris actions
Checked the changes and they're all innocuous. This should hopefully
fix the "externally managed" pip error in these jobs that started
recently.
2024-10-02 10:10:54 +03:00
Lasse Collin ec6157570e CI: Add gettext as a dependency to CMake builds 2024-07-02 22:40:37 +03:00
Sam James 7e99856f66 CI: Speed up Valgrind job by using --trace-children-skip-by-arg=...
This addresses the issue I mentioned in
6c095a98fb and speeds up the Valgrind
job a bit, because non-xz tools aren't run unnecessarily with
Valgrind by the script tests.
2024-06-28 14:18:35 +03:00
Lasse Collin dbcdabf68f CI: Use CC="gcc -m32" to get i386 compiler on x86-64
The old method put it in CFLAGS which is a wrong place because
config.guess doesn't read CFLAGS.
2024-06-24 18:15:58 +03:00
Lasse Collin a61c9ab475 CI: Don't require po4a on Solaris 2024-06-03 23:05:31 +03:00
Lasse Collin 5229bdf533 CI: Use set -e on Solaris too 2024-06-03 23:04:32 +03:00
Sam James 35f8649f08 ci: don't pin official GH actions via commit, just tag
There's no real value in doing it via commit for official GH actions. We
can keep using pinned commits for unofficial actions. It's hassle for no
gain.

Maybe going forward we can limit this further by only being paranoid
for the jobs with any access to tokens.
2024-06-03 12:32:34 +03:00
Christoph Junghans e885dae37f ci: set -e on openbsd
Closes: https://github.com/tukaani-project/xz/pull/116
2024-06-03 12:32:34 +03:00
Christoph Junghans 21b02dd128 ci: set -e on netbsd 2024-06-03 12:32:34 +03:00
Christoph Junghans 8641f0c24c ci: actually fail on FreeBSD
Without "set -e" the job will always be successful.

See vmactions/freebsd-vm#72
2024-06-03 12:32:34 +03:00
Andrew Murray ef616683ef Updated actions
Closes: https://github.com/tukaani-project/xz/pull/115
2024-06-03 12:32:34 +03:00
Sam James 57b440d316 ci: add po4a 2024-06-03 12:32:34 +03:00
Sam James 08cdf4be9a ci: add Solaris
Inspired by 3f2a38b011.

It runs on Solaris 5.11 via a VirtualBox VM.
2024-06-03 12:32:34 +03:00
Sam James 9a6761aa35 ci: add SPDX headers
I've checked over each of these and they're straightforward applications
of the relevant GitHub Actions.
2024-05-02 20:29:59 +03:00
Sam James a607e2b40d ci: add NetBSD 2024-04-25 14:08:52 +03:00
Sam James 72c210336d ci: add FreeBSD 2024-04-25 14:08:52 +03:00
Sam James b526ec2dbf ci: add OpenBSD 2024-04-25 14:08:52 +03:00
Sam James 73f629e321 ci: rename ci_build.sh -> ci_build.bash
We discussed the name and it's less cognitive load to just call it '.bash'
so you don't have an immediate question about if bashisms are OK.
2024-04-11 00:15:35 +03:00
Sam James b5e3470442 ci: make UBSAN abort on errors
Unfortunately, UBSAN doesn't do this by default. See also the change
I made in Meson for this in October [0].

[0] 7b7d2e060b
2024-04-11 00:15:35 +03:00
Sam James 6c095a98fb ci: test Valgrind
Using `--trace-children=yes` has a trade-off here, as it makes
`test_scripts.sh` pretty slow when calling various non-xz utilities.

But I also feel like it's not useless to have Valgrind used there and it's
not easy to exclude Valgrind just for that one test...

I did consider using AX_VALGRIND_CHECK [0][1] but I couldn't get it working
immediately with some conditionally-built tests and I wondered if it was
worth spending time on at least while we're debating xz's future build
system situation.

[0] https://www.gnu.org/software/autoconf-archive/ax_valgrind_check.html
[1] https://tecnocode.co.uk/2014/12/23/automatically-valgrinding-code-with-ax_valgrind_check/
2024-04-11 00:15:35 +03:00
Lasse Collin 780d2c236d Update SECURITY.md. 2024-04-09 21:55:01 +03:00
Lasse Collin 986865ea2f CI: Remove ifunc support. 2024-04-09 18:22:27 +03:00
Lasse Collin 17aa2e1a79 Update website URLs back to tukaani.org.
The XZ projects were moved back to their original URLs.
2024-04-09 18:22:27 +03:00
Jia Tan af071ef770 Docs: Simplify SECURITY.md. 2024-03-26 03:38:12 +08:00
Lasse Collin 22af94128b Add SPDX license identifier into 0BSD source code files. 2024-02-14 18:31:16 +02:00
Lasse Collin 689e0228ba Change most public domain parts to 0BSD.
Translations and doc/xz-file-format.txt and doc/lzma-file-format.txt
were not touched.

COPYING.0BSD was added.
2024-02-14 18:31:12 +02:00
Jia Tan fce4758018 Docs: Update website URLs. 2024-01-19 23:08:14 +08:00
Jia Tan f9b82bc64a CI: Update Upload Artifact Action. 2023-12-15 16:56:31 +08:00
Jia Tan fd170e8557 CI: Test musl libc builds on Ubuntu runner. 2023-11-30 20:09:46 +08:00
Jia Tan 5e3d890f88 CI: Disable sandboxing in fsanitize=address,undefined job.
The sandboxing on Linux now supports Landlock, which restricts all
supported filesystem actions after xz opens the files it needs. The
sandbox is only enabled when one file is input and we are writing to
standard out. With fsanitize=address,undefined, the instrumentation
needs to read additional files after the sandbox is in place. This
forces all xz-based tests to fail, so the sandbox must instead be
disabled.
2023-10-24 00:50:08 +08:00
Gabriela Gutierrez 37947d4a75 CI: Bump and ref actions by commit SHA in windows-ci.yml
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

It's important to make sure the SHAs are from the original repositories and not forks.

For reference:

https://github.com/msys2/setup-msys2/releases/tag/v2.20.1
27b3aa77f6

https://github.com/actions/checkout/releases/tag/v4.1.0
8ade135a41

https://github.com/actions/upload-artifact/releases/tag/v3.1.3
a8a3f3ad30

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-10-13 20:03:13 +08:00
Gabriela Gutierrez f28cc9bd48 CI: Bump and ref actions by commit SHA in ci.yml
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

It's important to make sure the SHAs are from the original repositories and not forks.

For reference:

https://github.com/actions/checkout/releases/tag/v4.1.0
8ade135a41

https://github.com/actions/upload-artifact/releases/tag/v3.1.3
a8a3f3ad30

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-10-13 20:03:13 +08:00
Jia Tan 01e34aa117 CI: Disable CLANG64 MSYS2 environment until bug is resolved.
lld 17.0.1 searches for libraries to link first in the toolchain
directories before the local directory when building. This is a problem
for us because liblzma.a is installed in MSYS2 CLANG64 by default and
xz.exe will thus use the installed library instead of the one being
built.

This causes tests to fail when they are expecting features to be
disabled. More importantly, it will compile xz.exe with an incorrect
liblzma and could cause unexpected behavior by being unable to update
liblzma code in static builds. The CLANG64 environment can be tested
again once this is fixed.

Link to bug: https://github.com/llvm/llvm-project/issues/67779.
2023-09-29 22:11:54 +08:00
Jia Tan 953e775941 CI: Enable CLMUL in address sanitization test.
The crc64_clmul() function should be ignored by the address sanitizer
now so these builds should still pass.
2023-09-14 21:43:34 +08:00
Jia Tan 7190f4cc7c CI: Fix windows-ci dependency installation.
All of the MSYS2 environments need make, and it does not come with the
toolchain package. The toolchain package will install the needed
compiler toolchains since without this package CMake cannot properly
generate the Makefiles.
2023-07-28 21:56:48 +08:00
Jia Tan 7870396a0c CI: Test CMake builds and test framework with MSYS2. 2023-07-25 20:17:23 +08:00
Jia Tan 6497d1f887 CI: Windows CI rename system matrix variable -> msys2_env.
Calling the MSYS2 environment "system" was a bit vague and should be
more specific.
2023-07-25 20:14:53 +08:00
Jia Tan 785e4121d9 CI: Add Clang64 MSYS2 environment to Windows CI. 2023-07-24 23:11:45 +08:00
Jia Tan f3a055f762 CI: Add Windows runner for Autotools builds with MSYS2.
Only a subset of the tests run by the Linux and MacOS Autotools builds
are run. The most interesting tests are the ones that disable threads,
encoders, and decoders.

The Windows runner will only be run manually since these tests will
likely take much longer than the Linux and MacOS runners. This runner
should be used before merging any large features and before releases.

Currently the clang64 environment fails due to a warning and
-Werror is enabled for the CI tests. This is still an early version
since the CMake build can be done for MSVC and optionally each of the
MSYS2 environments. GitHub does not allow manually running the CI tests
unless the workflow is checked on the default branch so checking in a
minimum version is a good idea.

Thanks to Arthur S for proposing the original patch.

Closes: https://github.com/tukaani-project/xz/pull/34
2023-07-22 18:31:02 +08:00
Jia Tan 45e250a9e9 CI: Add test with -fsanitize=address,undefined.
ci_build.sh was updated to accept disabling of __attribute__ ifunc
and CLMUL. This will allow -fsanitize=address to pass because ifunc
is incompatible with -fsanitize=address. The CLMUL implementation has
optimizations that potentially read past the buffer and mask out the
unwanted bytes.

This test will only run on Autotools Linux.
2023-06-28 23:59:47 +08:00
Jia Tan 596ee722cd CI: Upgrade checkout action from v2 to v3. 2023-06-28 20:48:49 +08:00
Jia Tan dbb3a536ed CI: Add apt update command before installing dependencies.
Without the extra command, all of the CI tests were automatically
failing because the Ubuntu servers could not be reached properly.
2023-06-07 00:23:02 +08:00
Jia Tan 2cf5ae5b5b CI: Adds a build and test for small configuration. 2023-04-25 22:14:28 +08:00
Jia Tan 0fbb2b87a7 Docs: Add missing word to SECURITY.md. 2023-04-07 20:46:41 +08:00
Jia Tan 537c6cd8a9 Docs: Minor edits to SECURITY.md. 2023-04-07 20:43:56 +08:00
Gabriela Gutierrez 6549df8dd5 Docs: Create SECURITY.md
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-04-07 20:43:49 +08:00
Jia Tan d0faa85df5 CI: Tests for disabling threading on CMake builds. 2023-03-29 23:46:43 +08:00
Jia Tan 20cd905d89 CI: Runs CMake feature tests.
Now, CMake will run similar feature disable tests that the Autotools
version did before. In order to do this without repeating lines in
ci.yml, it now makes sense to use the GitHub Workflow matrix to create
a loop.
2023-03-24 23:41:06 +08:00
Jia Tan 4f50763b98 CI: Add doxygen as a dependency.
Autogen now requires --no-doxygen or having doxygen installed to run
without errors.
2023-03-17 01:42:28 +08:00
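
The pinning policy argued in commits 37947d4a75 and f28cc9bd48 (reference every action by commit SHA) and relaxed in 35f8649f08 (official GitHub actions may use a tag) can be checked mechanically over workflow files. The Python below is an added example, not code from the xz repository; the function name, the OFFICIAL_OWNERS set and the sample workflow (including its SHA and tags) are constructed for illustration.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally a list item.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
# Only a full 40-hex commit id counts as immutable; an abbreviated id is
# rejected because a tag or branch may carry the same short name.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: "official" means actions published under these GitHub-owned orgs.
OFFICIAL_OWNERS = {"actions", "github"}


def audit_workflow(text, allow_official_unpinned=False):
    """Return (line_no, action, ref, verdict) for each remote `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a step reference, or a local path without '@'
        action, ref = match.groups()
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        owner = action.split("/", 1)[0]
        if FULL_SHA_RE.match(ref):
            verdict = "pinned"
        elif allow_official_unpinned and owner in OFFICIAL_OWNERS:
            # Text alone cannot tell a tag from a branch; both are mutable.
            verdict = "official-unpinned"
        else:
            verdict = "mutable-ref"
        findings.append((line_no, action, ref, verdict))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: vmactions/freebsd-vm@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE, allow_official_unpinned=True):
        print(*finding)
```

With allow_official_unpinned=False the check enforces the stricter policy of the 2023 commits; with True it matches the later relaxation and still flags third-party actions referenced by tag.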