Fixes calls to make check-security and make check-symbols
to have better integration with the CI and Gitian
The condition in the check-symbols target requiring the configure
flag --enable-glibc-back-compat is removed because that is
exclusive to Linux. By removing it, we enable the check for all
binaries, including those built for Windows and macOs.
Finally, removes configure.ac lines for readelf and cppfilt. Those
are no longer needed because lief is used in their stead.
squash into:
build: clean up security and symbol checks from makefile
Reconfigures the Bitcoin 24.0.1 symbol-check.py script to honor
the maximum versions of dynamic symbols, the allowed system
dependencies and allowed symbol exports. This is important to
maintain when doing minor releases, because changes in these
would potentially lock people out of security updates.
This adds specification of the linker-loader name for i686
binaries because Bitcoin Core no longer supports that
architecture.
The spec was taken from:
https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16
Please note that:
- aarch64 binaries have had a glibc 2.17 requirement since the
first release with 1.14.0, and therefore have a higher glibc
target than all other linux binaries.
- All other values have been taken from the Dogecoin Core v1.14.6
tag, commit 3a29ba6d4.
- Additional win32 and win64 needed libraries have been reverse
engineered from 1.14.6 release binaries.
- Windows minimum version checks have been disabled, as these
need to be set on the release binaries before we check for it.
Disables checks from Bitcoin 24.0.1 security-check.py code that
we currently cannot support on Dogecoin Core without changes to
the build process
- separate-code needs linking using binutils 2.31 and/or
explicit linking with -z,separate-code on binutils 2.30+
- CONTROL_FLOW can be enabled after building with gcc-8
or later. This would require at least a Ubuntu Focal
Gitian implementation, and -fcf-protection enabled on
the boost dependency.
- HIGH_ENTROPY_VA and RELOC_SECTION checks for Windows
binaries need fixes for dogecoin-cli, dogecoin-tx and
test binaries, so that ASLR can be used for these binaries
the same way it was done for dogecoind and dogecoin-qt.
These checks can be re-enabled once these security features are
enabled on release binaries (i.e. those built with Gitian)
Takes the security and symbol checkers from Bitcoin Core v24.0.1
because this uses the python3 capable lief module for reading
multi-platform binaries. This helps getting rid of
incompatibilities when using these tools in Ubuntu releases newer
than Bionic (18.04) and by using the external module, reduces risk
and maintenance cost of custom code.
This commit does NOT reconfigure for Dogecoin 1.14.7 parametrization
Backported from state at: b3f866a8@bitcoin/bitcoin
These constants, when defined at the point of each new release, give us
the ability to detect when a running node may be out of date with
respect to an expected upcoming release.
This is the starting point for adding out-of-date notifications to the
daemon, CLI tool, and Qt binary.
The CC override in intel-ipsec-mb.mk fails for linux builds
when done in a docker container due to it inserting "pc" into
the host variable when not otherwise specified.
This fixes it by only overriding if we're building with mingw.
Introduces a new support header that exposes the macro
EXPERIMENTAL_FEATURE that (a) allows us to clearly mark blocks
of code as experimental (or entire files) and (b) enforces that
none of the annotated code gets compiled if --enable-experimental
was not configured through a static assertion.
Existing experimental features are annotated:
- AVX2 using the intel-ipsec-mb dependency for SHA1/256/512
- ARMv8 intrinsics for SHA1/256
- ARMv82 intrinsics for SHA512
- SSE2 for scrypt
Introduces a configure flag --enable-experimental that controls at
configure time whether or not experimental features can be
enabled. This serves as a circuit breaker to both make sure that
CI jobs are configured properly, and ensures manual compilations
are intentionally configuring experimental / non-production code.
Additionally, experimental features get listed in the summary after
configuration completes if enabled.
Further work can insert compile time checks with static_asserts
against the ALLOW_DOGECOIN_EXPERIMENTAL macro.
Minimizes the use of c_str() in netbase interfaces, by using
std::string when we're passing arguments instead, and only
converting to a C-style string when interfacing with
getaddrinfo.
Introduces attributes.h for definition of NODISCARD macro
Introduces utilstring.h for definition of ValidAsCString()
Backported from: 9cc0230c (partial), d945c6f5 and 9574de8
Original Author: practicalswift <practicalswift@users.noreply.github.com>
This adds two helper functions. One function gets a height parameter from the
incoming RPC request. The other performs the scanning. We can use both
functions for reducing code in other RPC calls that can/should take height
parameters and perform rescanning.
For normal users, --no-same-owner is default, but not so for root, where
it is assumed that root can change ownership willy-nilly. This is not
the case for privilege-limited container environments where we gaslight
the process into thinking it's root.
Cherry-picked from: 89bee1b
-After updating clang+llvm, QT 5.7.1's qfontengine_coretext.mm file's variable QFixed errors out as it's a constructor rather than a type in this context. This patch fixes that error.
This looks like a silly optimization, but this function gets called for
transaction processing, so returning early when there's no point in even
starting to iterate through a string is just smart coding.
