guix: use glibc 2.33

glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler, see below. However a number of bugfixes/improvements shipped in glibc 2.33, so use that, rather than trying to backport all relevant changes. glibc 2.32 release notes: https://lwn.net/Articles/828210/ * AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible. `__libc_single_threaded` added as it is now exported from at least `bitcoin-wallet` and `test_bitcoin`.
2025-01-09 11:27:28 -03:00 · 2023-08-14 15:22:54 +01:00 · 2023-08-14 15:22:54 +01:00 · 1a3b8ce2ba
commit 1a3b8ce2ba
parent 558783625c
2 changed files with 12 additions and 25 deletions
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@ -34,11 +34,11 @@ import lief
 MAX_VERSIONS = {
 'GCC':       (4,3,0),
 'GLIBC': {
-    lief.ELF.ARCH.x86_64: (2,31),
-    lief.ELF.ARCH.ARM:    (2,31),
-    lief.ELF.ARCH.AARCH64:(2,31),
-    lief.ELF.ARCH.PPC64:  (2,31),
-    lief.ELF.ARCH.RISCV:  (2,31),
+    lief.ELF.ARCH.x86_64: (2,33),
+    lief.ELF.ARCH.ARM:    (2,33),
+    lief.ELF.ARCH.AARCH64:(2,33),
+    lief.ELF.ARCH.PPC64:  (2,33),
+    lief.ELF.ARCH.RISCV:  (2,33),
 },
 'LIBATOMIC': (1,0),
 'V':         (0,5,0),  # xkb (bitcoin-qt only)
@ -47,7 +47,7 @@ MAX_VERSIONS = {
 # Ignore symbols that are exported as part of every executable
 IGNORE_EXPORTS = {
 'environ', '_environ', '__environ', '_fini', '_init', 'stdin',
-'stdout', 'stderr',
+'stdout', 'stderr', '__libc_single_threaded',
 }

 # Expected linker-loader names can be found here:
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@ -98,7 +98,7 @@ chain for " target " development."))
                                       #:key
                                       (base-gcc-for-libc linux-base-gcc)
                                       (base-kernel-headers base-linux-kernel-headers)
-                                       (base-libc glibc-2.31)
+                                       (base-libc glibc-2.33)
                                       (base-gcc linux-base-gcc))
  "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
@ -450,11 +450,11 @@ inspecting signatures in Mach-O binaries.")
                 (("-rpath=") "-rpath-link="))
               #t))))))))

-(define-public glibc-2.31
-  (let ((commit "7b27c450c34563a28e634cccb399cd415e71ebfe"))
+(define-public glibc-2.33
+  (let ((commit "5f08d1df2c07904c1dc98bdf2b363c65874266f7"))
  (package
    (inherit glibc) ;; 2.35
-    (version "2.31")
+    (version "2.33")
    (source (origin
              (method git-fetch)
              (uri (git-reference
@ -463,7 +463,7 @@ inspecting signatures in Mach-O binaries.")
              (file-name (git-file-name "glibc" commit))
              (sha256
               (base32
-                "017qdpr5id7ddb4lpkzj2li1abvw916m3fc6n7nw28z4h5qbv2n0"))
+                "0a9bxg13h9m19yx4aihix3l9yylv9vf9szkjj96cjg2zglx1izkf"))
              (patches (search-our-patches "glibc-guix-prefix.patch"))))
    (arguments
      (substitute-keyword-arguments (package-arguments glibc)
@ -476,20 +476,7 @@ inspecting signatures in Mach-O binaries.")
                  "--disable-werror",
                  "--disable-timezone-tools",
                  "--disable-profile",
-                  building-on)))
-    ((#:phases phases)
-        `(modify-phases ,phases
-           (add-before 'configure 'set-etc-rpc-installation-directory
-             (lambda* (#:key outputs #:allow-other-keys)
-               ;; Install the rpc data base file under `$out/etc/rpc'.
-               ;; Otherwise build will fail with "Permission denied."
-               ;; Can be removed when we are building 2.32 or later.
-               (let ((out (assoc-ref outputs "out")))
-                 (substitute* "sunrpc/Makefile"
-                   (("^\\$\\(inst_sysconfdir\\)/rpc(.*)$" _ suffix)
-                    (string-append out "/etc/rpc" suffix "\n"))
-                   (("^install-others =.*$")
-                    (string-append "install-others = " out "/etc/rpc\n")))))))))))))
+                  building-on))))))))

 ;; The sponge tool from moreutils.
 (define-public sponge