feat: guix to replace gitian and its dashification #5285
Conversation
doc/release-process.md
does this need to be changed?
The hashes of artifacts from gitian and guix are not the same.
I think it is better to have a new repo to avoid confusion.
My results

I can't sign binaries successfully with the current implementation.
PastaPastaPasta
left a comment
utACK for merging via merge commit. I don't love significantly changing the release process doc before we have signed binaries and everything figured out, but gitian still exists after this PR, so it's probably all fine.
UdjinM6
left a comment
LGTM, ACK (same hashes for 5dd78dfd9629)
fac4814 doc/release-process: Add torrent creation details (Carl Dong)
5d24cc3 guix/INSTALL: Guix installs init scripts in libdir (Carl Dong)
5da2ee4 guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting (Carl Dong)
318c607 guix: Adapt release-process.md to new Guix process (Carl Dong)
fcab35b guix-attest: Produce and sign normalized documents (Carl Dong)
c2541fd guix: Overhaul README (Carl Dong)
46ce6ce tree-wide: Rename gitian-keys to builder-keys (Carl Dong)
fc4f844 guix: Update various check_tools lists (Carl Dong)
263220a guix: Check for a sane services database (Carl Dong)

Pull request description:

Based on: bitcoin#21462

Keeping the README in one file so that it's easy to search through. Will add more jumping links later so navigation is easier.

Current TODOs:
- [x] Shell installer option: prompt user to re-login for `/etc/profile.d` entry to be picked up
- [x] Binary tarball option: prompt user to create `/etc/profile.d` entry and re-login
- [x] Fanquake docker option: complete section
- [x] Arch Linux AUR option: prompt to start `guix-daemon-latest` unit after finishing "optional setup" section
- [x] Building from source option: Insert dependency tree diagram that I made
- [x] Building from source option: redo sectioning, kind of a mess right now
- [x] Optional setup: make clear which parts are only needed if building from source
- [x] Workaround 1 for GnuTLS: perhaps mention how to remove Guix build farm's key
- [x] Overall (after everything): Make the links work.

Note to self: wherever possible, tell user how to check that something is true rather than branching by installation option.

ACKs for top commit:
fanquake: ACK fac4814 - going to go ahead and merge this now. It's a lot of documentation, and could probably be nit-picked / improved further, however, that can continue over the next few weeks. I'm sure more (backportable) improvements / clarifications will be made while we progress through RCs towards a new release.
Tree-SHA512: dc46c0ecdfc67c7c7743ca26e4a603eb3f54adbf81be2f4c1f4c20577ebb84b5250b9c9ec89c0e9860337ab1c7cff94d7963c603287267deecfe1cd987fa070a
Co-authored-by: PastaPastaPasta <6443210+PastaPastaPasta@users.noreply.github.com>
a884a1e guix/INSTALL: Misc fixups (Carl Dong)
3c4d2c4 guix: Silence getent(1) invocation (Carl Dong)

Pull request description:

Otherwise the `getent(1)` checks will print out the default http, https, and ftp ports, making it seem like something is being spawned that is listening on those ports, which is not the case.

ACKs for top commit:
fanquake: ACK a884a1e

Tree-SHA512: 7706a98fe5f2bcd766fd3a16bfffab899ec45e80d72c485b7bed2a83d2024eddbb44ae4a77e2352e308740ca203c163421a11a5a2327fa94d2032ecceef4d63f
…g files
90b3e48 release: Release with separate SHA256SUMS and sig files (Carl Dong)

Pull request description:

This allows us to:
- remove the rfc4880 EOL hacks, and
- release with a SHA256SUMS.asc file that's a combination of all signer signatures

ACKs for top commit:
achow101: ACK 90b3e48
laanwj: Concept and code review ACK 90b3e48

Tree-SHA512: 5d5086063d303aa0cbd590e5fdf2ae8f555e25f4e43bf67545e33384449b990e94834c711622530ad0eb3dcc83f52746884a5081dadb0acff8dd799cfadafac7
132cae4 doc: Mention the flat directory structure for uploads (Andrew Chow)
fb17c99 guix: Don't include directory name in SHA256SUMS (Andrew Chow)

Pull request description:

The SHA256SUMS file can be used in a sha256sum -c command to verify downloaded binaries. However users are likely to download just a single file and not place this file in the correct directory relative to the SHA256SUMS file for the simple verification command to work. By not including the directory name in the SHA256SUMS file, it will be easier for users to verify downloaded binaries.

ACKs for top commit:
Zero-1729: re-ACK 132cae4
fanquake: ACK 132cae4

Tree-SHA512: c9ff416b8dfb2f3ceaf4d63afb84aac9fcaefbbf9092f9e095061b472884ec92c7a809e6530c7132a82cfe3ab115a7328e47994a412072e1d4feb26fc502c8c5
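As an added example (not code from this PR or from the Dash/Bitcoin repositories), the shell script below reproduces the situation that the SHA256SUMS commit above describes: a user downloads one artefact and the manifest side by side and runs `sha256sum -c`. With a manifest whose lines carry a directory prefix the check cannot match the file; with a flat manifest it passes, and it still fails if the downloaded file was altered. The release directory, the two `example-*.tar.gz` files and their contents are constructed placeholders for the demo.

```shell
#!/bin/sh
# Added example (not code from the Dash or Bitcoin repositories): shows why a
# SHA256SUMS manifest without a directory component lets a user who downloaded
# a single artefact verify it with `sha256sum -c`, while a manifest carrying
# the directory name fails for the same download. All file names and contents
# below are constructed for the demo.
set -eu

# Pick a SHA-256 checksum tool: GNU coreutils sha256sum, or Perl shasum.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Create a constructed release tree under $1:
#   release-dir/          two fake artefacts
#   SHA256SUMS.prefixed   hashed from the parent, so lines carry "release-dir/"
#   SHA256SUMS.flat       hashed inside the directory, so lines are bare names
#   download/             what a user fetched: one artefact only
setup_release() {
    rel="$1"
    mkdir -p "$rel/release-dir" "$rel/download"
    printf 'constructed fake tarball bytes\n' > "$rel/release-dir/example-x86_64-linux-gnu.tar.gz"
    printf 'constructed fake source bytes\n' > "$rel/release-dir/example-src.tar.gz"
    ( cd "$rel" && sha256_tool release-dir/*.tar.gz ) > "$rel/SHA256SUMS.prefixed"
    ( cd "$rel/release-dir" && sha256_tool *.tar.gz ) > "$rel/SHA256SUMS.flat"
    cp "$rel/release-dir/example-x86_64-linux-gnu.tar.gz" "$rel/download/"
}

# Run the manifest check from inside the download directory, as a user would.
# --ignore-missing skips artefacts that were not downloaded; the check still
# fails if no listed file could be matched at all, or if a present file
# mismatches. $1 = directory holding the downloaded files, $2 = absolute path
# to the manifest. Prints "ok" or "fail".
verify_download() {
    if ( cd "$1" && sha256_tool --ignore-missing -c "$2" >/dev/null 2>&1 ); then
        echo ok
    else
        echo fail
    fi
}

# Corrupt the downloaded artefact in place, simulating a tampered download.
tamper_download() {
    printf 'one extra byte\n' >> "$1/download/example-x86_64-linux-gnu.tar.gz"
}

demo() {
    rel="$(mktemp -d)"
    setup_release "$rel"
    echo "flat manifest, single download:     $(verify_download "$rel/download" "$rel/SHA256SUMS.flat")"      # ok
    echo "prefixed manifest, single download: $(verify_download "$rel/download" "$rel/SHA256SUMS.prefixed")"  # fail
    tamper_download "$rel"
    echo "flat manifest, tampered download:   $(verify_download "$rel/download" "$rel/SHA256SUMS.flat")"      # fail
    rm -rf "$rel"
}

demo
```

The prefixed manifest fails not because a hash mismatches but because every listed path is reported missing and `--ignore-missing` then refuses to report success when nothing was verified; that is exactly the confusing outcome for a user who fetched only one file, and the flat layout removes it without weakening the check on the file that is present.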
…in#26257, bump to Python 3.10, mypy 0.981, fix Docker group assignment, minor housekeeping (misc. changes: part 2)
82723dc fix: don't forget to assign user to group if group exists (Kittywhiskers Van Gogh)
066d409 chore: remove outdated `boot2docker` comment (Kittywhiskers Van Gogh)
29e98e3 chore: document `USER_ID` and `GROUP_ID` in `docker-compose.yml` (Kittywhiskers Van Gogh)
6ea897a chore: drop unmaintained Guix container (Kittywhiskers Van Gogh)
6a1786c fix: resolve `test: =: unary operator expected` error (Kittywhiskers Van Gogh)
d6489f0 fix: make copy of `skip` in `GetStackFrames` to avoid clobbering (Kittywhiskers Van Gogh)
4110ff3 lint: mypy 0.981 (Kittywhiskers Van Gogh)
80a44e9 partial bitcoin#26257: python linter flake8 E275 fixup, update dependencies (Kittywhiskers Van Gogh)
7b80dfb merge bitcoin#28347: replace deprecated pkg_resources with importlib.metadata (Kittywhiskers Van Gogh)
04ac20a partial bitcoin#30527: Bump python minimum supported version to 3.10 (Kittywhiskers Van Gogh)

Pull request description:

## Additional Information

* Dependency for #6988
* Python 3.9's security support elapsed on 31st Oct '25 ([source](https://endoflife.date/python)), in response to that we are switching over to Python 3.10.
* Due to [python/mypy#13627](python/mypy#13627) arising as a result of this bump, we also had to upgrade `mypy` to 0.981. Note that this is a divergence from upstream as they opted to upgrade to `mypy` 1.x (see [bitcoin#28009](bitcoin#28009)) but the changes needed to do so are too disruptive given this PR's larger context. Future backports should feel free to overwrite the mypy version and realign with upstream.
* CI identified potential clobbering ([build](https://github.com/kwvg/dash/actions/runs/19434684086/job/55606106842#step:8:1804)) in Windows stacktraces code that started to build after [dash#6966](#6966) (see below). Additionally, C++20 has deprecated certain operators like {in,de}crementation courtesy of [P1152](https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1152r3.html), which required additional adaptation.

  <details>
  <summary>Build error:</summary>

  ```
  stacktraces.cpp: In function ‘std::vector<long long unsigned int> GetStackFrames(size_t, size_t, const CONTEXT*)’:
  stacktraces.cpp:167:56: error: variable ‘skip’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered]
    167 | static __attribute__((noinline)) std::vector<uint64_t> GetStackFrames(size_t skip, size_t max_frames, const CONTEXT* pContext = nullptr)
        |                                                        ^~~~~~~~~~~~~~
  cc1plus: all warnings being treated as errors
  ```
  </details>

* The `AM_CONDITIONAL` for `CRASH_HOOKS_WRAPPED_CXX_ABI` wasn't evaluated due to missing quotations (see below), this has been resolved.

  <details>
  <summary>Configure:</summary>

  ```
  checking whether the linker accepts -Wl,-export-dynamic... no
  checking whether the linker accepts -rdynamic... yes
  checking whether C++ compiler accepts -gdwarf-4... yes
  checking whether C++ compiler accepts -fno-standalone-debug... yes
  checking whether the linker accepts -Wl,-wrap=__cxa_allocate_exception... no
  ./configure: line 30603: test: =: unary operator expected
  checking for Linux getrandom syscall... no
  checking for getentropy via random.h... yes
  checking for sysctl... yes
  checking for sysctl KERN_ARND... no
  checking for fdatasync... no
  ```
  </details>

* Currently we offer two containers for Guix builds meant for developers who aren't on Linux, one was introduced by [dash#5285](#5285) (based on [fanquake/core-review](https://github.com/fanquake/core-review)'s container, [source](https://github.com/fanquake/core-review/blob/d8cf188214879ea1b095e2ba34ca5c23dbc3ebd2/guix/imagefile)) and the other introduced by [dash#5449](#5449), the former does not seem to get much use and has been out of sync with its upstream source for a while. As the second container is used by some developers and is updated and maintained to fit Dash's specific needs, the first container has been dropped and documentation has been updated to reflect the same.
* As Docker has matured with the WSL2 backend on Windows and the Apple Virtualization framework on macOS, boot2docker has been deprecated (see [boot2docker/boot2docker#1408](boot2docker/boot2docker#1408)) and the comment referencing it has been dropped.
* To avoid permissions issues with mounting directories, containers come with `USER_ID` and `GROUP_ID` args ([source](https://github.com/dashpay/dash/blob/23de96916a8b8f97a2c408bb76da1d2149d7227c/contrib/containers/ci/ci-slim.Dockerfile#L123-L131)) that need to be specified at build time if the mount needs different permissions (as is often the case on macOS). To make that option more explicitly clear, it has been specified in `docker-compose.yml` with default values filled in.
* [dash#6929](#6929) introduced a fix to prevent unexpected container build failure due to conflicting groups (most commonly GID 20 that on macOS is `staff` but on Linux is `dialout`) but the fix did _not_ assign the default user to that group, that has been resolved here.

## Breaking Changes

None expected.

## Checklist

- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have added or updated relevant unit/integration/functional/e2e tests
- [x] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
UdjinM6: utACK 82723dc ~with one nit~

Tree-SHA512: 0e906d1a7fea9edc52a40a6a6971fa6b2599674e97e99c65a220f99cc44be78f4290be8fb9af7782cac416bcdd2338b7f17a5c50b5fdcf727b1cf84fe44c8686
Issue being fixed or feature implemented
This PR switches building dash from gitian to Guix containers. Guix is a transactional package manager much like Nix, but unlike Nix it has more of a focus on bootstrappability and reproducibility, which are attractive for security-sensitive projects like Dash and Bitcoin.
Prior work: #5194 and #5237
Related issue: https://github.com/dashpay/dash-issues/issues/47
What was done?
- Silence `getent(1)` invocation, doc fixups (bitcoin/bitcoin#22511)

Things to do before merging PR:
How Has This Been Tested?
Followed the instructions in guix/README.md and got guix builds.
To test: signing binaries (not tested yet). Related instructions: Release Process
To test: gitian build. Related instructions: Release Process
Hashes to compare:
Breaking Changes
These are not really breaking changes; gitian should still work.
But the changes are major and should be included in the release notes at least.
Checklist: