6 Commits

Author SHA1 Message Date
Oliver Gould f1a89ef953
Add checksec to the release process (#476)
A recent [Twitter thread][mudge] suggested that tools like
[`checksec`][checksec] be used to validate release binaries. Checksec
reports whether modern security features like stack canaries are
employed. Proxy builds appear to do pretty well out-of-the-box.

This change introduces a checksec.sh wrapper that is used by the
Makefile during packaging. A new _package_ github action is introduced
to provide `checksec` and `jq` dependencies at runtime. (Note: the
version of checksec provided by debian does not include JSON output, so
it is instead fetched directly from GitHub).

During an automated release, the generated checksec is compared to an
expected set of values and, if a regression is detected, the release
will fail.

[mudge]: https://twitter.com/dotMudge/status/1249359519471341569
[checksec]: https://github.com/slimm609/checksec.sh
2020-04-15 09:54:06 -07:00
Oliver Gould d27b79cd7a
docker: Use buildkit for caching (#472)
Our docker builds do not permit caching of dependencies or intermediate
build artifacts. However, Docker's new (experimental) buildkit features
add this functionality. I've been using this configuration locally for
some time, and it seems generally useful enough to promote (especially
since this Dockerfile is only intended for development).

This change also introduces the `PROXY_FEATURES` build-arg so that the
Dockerfile can be used to support profiling builds.

Furthermore, the `update-rust-versions.sh` script has been updated to
check versions and be more permissive about how it replaces versions in
the Dockerfile.

The docker CI build has been disabled until GitHub Actions has support
for this Dockerfile format.
2020-04-13 14:57:58 -07:00
Oliver Gould 5678cb46ed
ci: Run tests inside rust container (#344)
The first version of the action didn't actually use the rust containers
to drive the build. This change pins the ubuntu and rust versions.

Even though the base OS includes rust-1.37, we want to control our rust
version independently.
2019-09-05 13:20:26 -07:00
Oliver Gould ca0393fbe6
Use GitHub Actions for Pull Requests (#343)
Disables Travis on Pull Requests, replacing it with GitHub Actions.
Travis remains enabled for master builds for the moment.

Some Dockerfile changes have been performed to fix the docker
build on newer docker versions.
2019-09-05 11:01:40 -07:00
Oliver Gould 4c4702de63
update-rust-version: Check usage (#298)
When running the update-rust-version script, it was easy to run it
without an argument, which breaks existing configuration.

This change improves the script to handle errors, with some other
shell lints addressed.
2019-08-06 15:19:32 -07:00
João Oliveira e330c2957b
Add a rust-toolchain file (#212)
In order to enforce a minimum-required-Rust version for contributors,
this change introduces a rust-toolchain file and a script that updates
this file and the development Dockerfile.

Signed-off-by: João Oliveira <hello@jxs.pt>
2019-03-29 15:01:06 -07:00