diff --git a/.github/workflows/bundle.yml b/.github/workflows/bundle.yml
index 8a1f785..439fbb7 100644
--- a/.github/workflows/bundle.yml
+++ b/.github/workflows/bundle.yml
@@ -12,7 +12,7 @@ jobs:
 - name: Create bundles
 run: |
 ./create_bundles_in_container.sh
- sha512sum *.tar.gz *.tar.xz > SHA512SUMS
+ sha512sum *.tar.gz *.tar.xz | tee SHA512SUMS
 
 - name: Upload bundles
 uses: actions/upload-artifact@v3
diff --git a/Makefile b/Makefile
index 2ff5518..9389d7b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,7 @@
 VERSION := $(shell rpm --specfile *.spec --qf '%{VERSION}\n' | head -1)
 RELEASE := $(shell rpm --specfile *.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1)
 CHANGELOGTIME := $(shell rpm --specfile *.spec --qf '%{CHANGELOGTIME}\n' | head -1)
+SOURCE_DATE_EPOCH := $(shell echo $$(( $(CHANGELOGTIME) - $(CHANGELOGTIME) % 86400 )))
 
 NAME := grafana
 RPM_NAME := $(NAME)
@@ -62,7 +63,7 @@ $(VENDOR_TAR): $(SOURCE_TAR)
 # Create tarball
 XZ_OPT=-9 tar \
 --sort=name \
- --mtime="@$(CHANGELOGTIME)" \
+ --mtime="@$(SOURCE_DATE_EPOCH)" --clamp-mtime \
 --owner=0 --group=0 --numeric-owner \
 -cJf $@ \
 $(SOURCE_DIR)/vendor \
@@ -84,7 +85,7 @@ $(WEBPACK_TAR): $(VENDOR_TAR)
 # Create tarball
 tar \
 --sort=name \
- --mtime="@$(CHANGELOGTIME)" \
+ --mtime="@$(SOURCE_DATE_EPOCH)" --clamp-mtime \
 --owner=0 --group=0 --numeric-owner \
 -czf $@ \
 $(SOURCE_DIR)/public/build \
diff --git a/grafana.spec b/grafana.spec
index 4679bd6..489313f 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -30,7 +30,7 @@ end}
 
 Name: grafana
 Version: 7.5.15
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
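Review bot: Piping through `tee` makes the step's exit status that of `tee`, so a failing `sha512sum` (for instance when one of the globs matches nothing after a broken bundle run) no longer fails the step, and an empty or partial SHA512SUMS is uploaded next to the artifacts as if it were a valid integrity record; the old redirection did fail the step under the default `bash -e`. Unless the workflow sets `shell: bash` somewhere outside this hunk (which adds `-o pipefail`), put `set -o pipefail` as the first line of the script, or keep the redirection and echo the file afterwards with `cat SHA512SUMS`. Whether the `run:` block has further lines after the `tee` line is not visible in the hunk.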
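Review bot: `SOURCE_DATE_EPOCH` silently becomes empty when `CHANGELOGTIME` is empty (rpm missing, or no `*.spec` in the directory), because the shell arithmetic error inside `$(shell …)` is discarded, and the failure only surfaces later as a confusing `tar --mtime="@"` error. Guard the derivation with `ifeq ($(strip $(CHANGELOGTIME)),)` / `$(error CHANGELOGTIME is empty; is rpm installed and a .spec file present?)` / `endif` placed before the new assignment. The rounding also deserves a why-comment, e.g. `# midnight of the newest %changelog entry, to match the SOURCE_DATE_EPOCH rpmbuild derives from the changelog`, since `% 86400` is otherwise a magic number; note that the variable is not exported, so only the explicit `--mtime` uses it.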
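Review bot: `--clamp-mtime` only rewrites mtimes that are newer than `SOURCE_DATE_EPOCH`; any file under `$(SOURCE_DIR)/vendor` whose on-disk mtime is already older is archived with that timestamp, so the vendor tarball's SHA512 now also depends on the vendoring tools writing deterministic timestamps, not just on file contents. That trade-off is intentional per the changelog but invisible at the call site; a comment on the `--mtime` line such as `# clamp, don't overwrite: files older than the changelog date keep their mtime` would record it. `--clamp-mtime` also needs a reasonably recent GNU tar (1.29 or later, if I recall the release notes correctly), which matters if the bundles are ever built outside the container script. The `$(VENDOR_TAR)` rule starts before this hunk and continues after it.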
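Review bot: Fixing the member mtimes does not make this tarball reproducible, because it is gzip-compressed via `-czf` and, in my experience, gzip writes the compression time into its header when it reads from a pipe (which is how tar feeds it), so two builds of an identical tree can still differ in bytes and the SHA512 recorded in `sources` would not re-verify. Change `-czf $@ \` to `-I 'gzip -n' -cf $@ \` so that neither name nor timestamp is stored (older gzip also honours `GZIP=-n` in the environment); the xz-compressed vendor tarball has no such header field. The `$(WEBPACK_TAR)` rule starts before this hunk and continues after it.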
@@ -41,13 +41,13 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name}
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source1: grafana-vendor-%{version}-1.tar.xz
+Source1: grafana-vendor-%{version}-2.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source2: grafana-webpack-%{version}-1.tar.gz
+Source2: grafana-webpack-%{version}-2.tar.gz
 %endif
 
 # Source3 contains Grafana configuration defaults for distributions
@@ -972,6 +972,11 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 
 
 %changelog
+* Mon Apr 11 2022 Andreas Gerstmayr 7.5.15-2
+- use clamp-mtime when generating the vendor and webpack tarballs,
+  to preserve past timestamps but still keep reproducibility
+- round tarball mtime timestamp to midnight, to match SOURCE_DATE_EPOCH
+
 * Fri Apr 08 2022 Andreas Gerstmayr 7.5.15-1
 - update to 7.5.15 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
diff --git a/sources b/sources
index 7d229e6..41bdaba 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (grafana-7.5.15.tar.gz) = cce12e40fd63f9b4c6f3604daa730baa02b47b6a452c34c0a182d581791847ba4ad4644668bcf309d38b104409745677d6863d821f4d5e4f275750e8af525c13
-SHA512 (grafana-webpack-7.5.15-1.tar.gz) = caa79dc5d14df069cb470d205b73f5826746e264569aad24397baaa0a27767242e3bfc9ad588bd1ee3af0327c22faf7b878e21884a4dfed82c832c2c354a0c21
-SHA512 (grafana-vendor-7.5.15-1.tar.xz) = 352e594612b5fbd10189bff90f58dc4ee1d9366319f6273f946ae9502dd7194b272e4a25f611df02e6724348aeb0398d18583786c6658249595d949b98ed3179
+SHA512 (grafana-webpack-7.5.15-2.tar.gz) = ea424a699a60b02776bc59c349e3e4cecf12ce9ea554bbae45afa55ab5235e442fde6e690b8a455bf6ff63bb557bf7c5a412ceb32f70bc94cf9e3e68c4e08840
+SHA512 (grafana-vendor-7.5.15-2.tar.xz) = 32d08620e7ebfa4e53a1877f0fcfddb6e006cf9fad725332f215f658127d45dc0b3987352cb7373c84ce7165c33a392ea631b1373491dc09a9a3d0cd5e2ce439