diff --git a/_service b/_service index c3271fe..125f9e4 100644 --- a/_service +++ b/_service @@ -1,6 +1,6 @@ - https://github.com/jeffmahoney/linux-security-sensor + https://github.com/SUSE/linux-security-sensor velociraptor @PARENT_TAG@~git@TAG_OFFSET@.%h sensor-base-0.6.7 diff --git a/_servicedata b/_servicedata index 7d8a1f5..9e80d49 100644 --- a/_servicedata +++ b/_servicedata @@ -3,4 +3,4 @@ https://github.com/jeffmahoney/linux-security-sensor 0e858552af3d6ab57bae796cc3e50ccef36b4aff https://github.com/SUSE/linux-security-sensor - b5931f73eb6c171a558d09d4ef8b3d4d7292d519 \ No newline at end of file + 8abed37a6dd7d02c637e2c0307b41b05e8e25570 \ No newline at end of file diff --git a/velociraptor-0.6.7.4~git53.0e85855.obscpio b/velociraptor-0.6.7.4~git53.0e85855.obscpio deleted file mode 100644 index 278f1d8..0000000 --- a/velociraptor-0.6.7.4~git53.0e85855.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9fb0aab829afab06e59851f025e2024d4266e0f19bc8180caad8dc050656cdc8 -size 127591950 diff --git a/velociraptor-0.6.7.4~git60.8abed37a.obscpio b/velociraptor-0.6.7.4~git60.8abed37a.obscpio new file mode 100644 index 0000000..adbee12 --- /dev/null +++ b/velociraptor-0.6.7.4~git60.8abed37a.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6434dbc0f203b5bdc29078c70bad621562bd9500fad99f348b2afc9809a3a29f +size 127596046 diff --git a/velociraptor-client.changes b/velociraptor-client.changes index 1dfdd75..e247163 100644 --- a/velociraptor-client.changes +++ b/velociraptor-client.changes 
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney + +- Use obsinfo mtime to produce stable build timestamp (bsc#1207369). + +------------------------------------------------------------------- +Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com + +- Update to version 0.6.7.4~git60.8abed37a: + * http_comms: create ring buffer temporary file in the same directory + * cronsnoop: plumb in real scope logging + * cronsnoop: don't treat routine errors as fatal + * cronsnoop: fix typo + ------------------------------------------------------------------- Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney @@ -31,11 +45,6 @@ Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller - add memory limit to systemd unit ---------------------------------------------------------------------- -Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller - -- add memory limit to systemd unit - --------------------------------------------------------------------- Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney diff --git a/velociraptor-client.spec b/velociraptor-client.spec index 9a1a9e1..d0dbc46 100644 --- a/velociraptor-client.spec +++ b/velociraptor-client.spec @@ -40,7 +40,7 @@ %endif Name: velociraptor-client -Version: 0.6.7.4~git53.0e85855 +Version: 0.6.7.4~git60.8abed37a Release: 0 Summary: Endpoint visibility and collection tool (endpoint only) Group: System/Monitoring @@ -53,10 +53,12 @@ Source3: %{name}.config.placeholder Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz Source5: update-vendoring.sh Source6: sysconfig.%{name} +Source7: %{projname}.obsinfo Patch1: velociraptor-golang-mage-vendoring.diff Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch Patch3: vendor-build-fixes-for-SLE12.patch Patch4: sdjournal-build-fix-for-SLE12.patch +Patch5: velociraptor-reproducible-timestamp.diff BuildRequires: fileb0x BuildRequires: golang-packaging BuildRequires: mage 
@@ -107,6 +109,14 @@ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ # rm -rf artifacts/definitions/Windows %build + +# Reproductible builds need stable timestamps +timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE7}|sed -e 's/mtime: //')) +git_commit=$(grep commit: %{SOURCE7}|sed -e 's/commit: //g') + +export VELOCIRAPTOR_BUILD_TIME=$timestamp +export VELOCIRAPTOR_GIT_HEAD=$git_commit + PATH=$PATH:/usr/sbin make linux_bare BUILD_LIBBPFGO=%{with bpf} %install diff --git a/velociraptor-reproducible-timestamp.diff b/velociraptor-reproducible-timestamp.diff new file mode 100644 index 0000000..479a45c --- /dev/null +++ b/velociraptor-reproducible-timestamp.diff @@ -0,0 +1,30 @@ +From: Jeff Mahoney +Subject: magefile: use stable timestamps for build + +In order to create reprodicible builds, we can't have timestamps that vary +without anything else changing. +diff --git a/magefile.go b/magefile.go +index 16badc2b..76011657 100644 +--- a/magefile.go ++++ b/magefile.go +@@ -428,10 +428,18 @@ func build_gui_files() error { + } + + func flags() string { +- timestamp := time.Now().Format(time.RFC3339) ++ timestamp := os.Getenv("VELOCIRAPTOR_BUILD_TIME") ++ if timestamp == "" { ++ timestamp = time.Now().Format(time.RFC3339) ++ } + flags := fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.build_time=%s"`, timestamp) + +- flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, hash()) ++ head := os.Getenv("VELOCIRAPTOR_GIT_HEAD") ++ if head == "" { ++ head = hash() ++ } ++ ++ flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, head) + + // If we are running on the CI pipeline we need to know the run + // number and URL so we can report them. diff --git a/velociraptor.changes b/velociraptor.changes index fd2d27f..d7c6ff8 100644 --- a/velociraptor.changes +++ b/velociraptor.changes 
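Review bot: In the added `%build` lines of velociraptor-client.spec, `git_commit` can end up empty without failing the build, because the `grep commit: ... | sed` pipeline returns sed's exit status. The patched `flags()` would then fall back to `hash()`, and the binary may no longer carry the commit recorded in the obsinfo. Anchoring the match and checking the result makes that failure visible, e.g. `git_commit=$(sed -n 's/^commit: //p' %{SOURCE7})` followed by `test -n "$git_commit"`, and likewise `sed -n 's/^mtime: //p'` for the timestamp. The comment above the assignments should read `# Reproducible builds need stable timestamps`. The same lines are added to `%build` in velociraptor.spec (with `%{SOURCE12}`), so the change applies there too.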
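Review bot: In `flags()`, the values of `VELOCIRAPTOR_BUILD_TIME` and `VELOCIRAPTOR_GIT_HEAD` are formatted straight into the quoted `-X "...=%s"` linker arguments, so a value containing a double quote or whitespace would alter the flag string rather than only the embedded value. Because these now come from the build environment, they should be validated before use: `if _, err := time.Parse(time.RFC3339, timestamp); err != nil { timestamp = time.Now().Format(time.RFC3339) }`, and `head` should be accepted only when it is a plain hex string. A short comment such as `// VELOCIRAPTOR_BUILD_TIME and VELOCIRAPTOR_GIT_HEAD let packagers pin these values for reproducible builds` would document the override. `flags()` continues past the end of this hunk.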
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney + +- Use obsinfo mtime to produce stable build timestamp (bsc#1207369). + +------------------------------------------------------------------- +Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com + +- Update to version 0.6.7.4~git60.8abed37a: + * http_comms: create ring buffer temporary file in the same directory + * cronsnoop: plumb in real scope logging + * cronsnoop: don't treat routine errors as fatal + * cronsnoop: fix typo + ------------------------------------------------------------------- Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo index 262d428..c762a2b 100644 --- a/velociraptor.obsinfo +++ b/velociraptor.obsinfo @@ -1,4 +1,4 @@ name: velociraptor -version: 0.6.7.4~git53.0e85855 -mtime: 1674098741 -commit: 0e858552af3d6ab57bae796cc3e50ccef36b4aff +version: 0.6.7.4~git60.8abed37a +mtime: 1674570307 +commit: 8abed37a6dd7d02c637e2c0307b41b05e8e25570 diff --git a/velociraptor.spec b/velociraptor.spec index 31d6a17..e030c5d 100644 --- a/velociraptor.spec +++ b/velociraptor.spec @@ -40,7 +40,7 @@ %endif Name: velociraptor -Version: 0.6.7.4~git53.0e85855 +Version: 0.6.7.4~git60.8abed37a Release: 0 Summary: Endpoint visibility and collection tool Group: System/Monitoring @@ -58,6 +58,7 @@ Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz Source9: update-vendoring.sh Source10: sysconfig.%{name} Source11: sysconfig.%{name}-client +Source12: %{projname}.obsinfo Patch1: velociraptor-golang-mage-vendoring.diff Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch Patch3: vendor-build-fixes-for-SLE12.patch 
@@ -96,7 +97,7 @@ For just the endpoint agent, please install the 'velociraptor-client' package. %package kafka-humio-gateway Summary: Gateway between Kafka and Humio for Velociraptor Artifacts -Version: 0.6.7.4~git53.0e85855 +Version: 0.6.7.4~git60.8abed37a %description kafka-humio-gateway This tool is used to consume events generated by the Kafka Velociraptor plugin @@ -122,6 +123,14 @@ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ # rm -rf artifacts/definitions/Windows %build + +# Reproductible builds need stable timestamps +timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE12}|sed -e 's/mtime: //')) +git_commit=$(grep commit: %{SOURCE12}|sed -e 's/commit: //g') + +export VELOCIRAPTOR_BUILD_TIME=$timestamp +export VELOCIRAPTOR_GIT_HEAD=$git_commit + (cd gui/velociraptor ; npm run build) PATH=$PATH:/usr/sbin make linux BUILD_LIBBPFGO=%{with bpf}
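Review bot: The `%build` section of velociraptor.spec now exports `VELOCIRAPTOR_BUILD_TIME` and `VELOCIRAPTOR_GIT_HEAD`, but no velociraptor.spec hunk in this diff adds `velociraptor-reproducible-timestamp.diff` to its patch list, whereas velociraptor-client.spec gains it as `Patch5`. Unless the main package applies that patch by some means not visible here, magefile.go would still use `time.Now()` and the exports would have no effect on the server build. If that is an oversight, add `PatchN: velociraptor-reproducible-timestamp.diff` next to the existing `Patch` lines, where N is a placeholder for the next free patch number in this spec.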