UBUNTU: [Packaging] Remove fips-checks script

BugLink: https://bugs.launchpad.net/bugs/2055083 This script is now part of `cranky` and there is no need for it to live in debian/ anymore, so remove it. Signed-off-by: Magali Lemes <magali.lemes@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2024-03-26 19:52:00 +01:00 · 2024-03-26 19:52:00 +01:00 · c58a8c7722
parent fb798d5366
commit c58a8c7722
3 changed files with 0 additions and 144 deletions
--- a/debian/rules.d/0-common-vars.mk
+++ b/debian/rules.d/0-common-vars.mk
@ -218,9 +218,6 @@ do_flavour_header_package=true
 # DTBs
 do_dtbs=false

-# FIPS check
-do_fips_checks=false
-
 # Support parallel=<n> in DEB_BUILD_OPTIONS (see #209008)
 #
 # These 2 environment variables set the -j value of the kernel build. For example,
--- a/debian/rules.d/1-maintainer.mk
+++ b/debian/rules.d/1-maintainer.mk
@ -156,9 +156,6 @@ autoreconstruct:
 	fi

 finalchecks: debian/control
-ifeq ($(do_fips_checks),true)
-	$(DROOT)/scripts/misc/fips-checks
-endif
 	$(DROOT)/scripts/misc/final-checks "$(DEBIAN)" "$(prev_fullver)"

 diffupstream:
--- a/debian/scripts/misc/fips-checks
+++ b/debian/scripts/misc/fips-checks
@ -1,138 +0,0 @@
-#!/bin/bash -eu
-export LC_ALL=C.UTF-8
-
-usage() {
-	cat << EOF
-Usage: ${P:-$(basename "$0")} [-h|--help]
-
-Check if there are any FIPS relevant changes since the last
-release. Any change that is identified should have a justification in
-the justifications file or the check will fail.
-
-Optional arguments:
-  -h, --help            Show this help message and exit.
-  -p, --previous        Version to use as the previous base version.
-  -c, --current         Version to use as the current base version.
-
-EOF
-}
-
-prev_base_version=
-curr_base_version=
-crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* )
-
-c_red='\033[0;31m'
-c_green='\033[0;32m'
-c_off='\033[0m'
-
-# Parse arguments
-while [ "$#" -gt 0 ]; do
-	case "$1" in
-		-h|--help)
-			usage
-			exit 0
-			;;
-		-p|--previous)
-			shift
-			prev_base_version="$1"
-			;;
-		-c|--current)
-			shift
-			curr_base_version="$1"
-			;;
-		*)
-			usage
-			exit 1
-			;;
-	esac
-	shift
-done
-
-DEBIAN=
-# shellcheck disable=SC1091
-. debian/debian.env
-
-# Check if the "$DEBIAN" directory exists.
-if [ ! -d "$DEBIAN" ]; then
-	echo "You must run this script from the top directory of this repository."
-	exit 1
-fi
-
-CONF="$DEBIAN/etc/update.conf"
-if [ ! -f "$CONF" ]; then
-	echo "Missing file: $CONF"
-	exit 1
-fi
-# shellcheck disable=SC1090
-. "$CONF"
-
-if [ "$DEBIAN_MASTER" = "" ]; then
-	echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment"
-	exit 1
-fi
-
-# Find the base kernel version use by the previous version
-if [ -z "$prev_base_version" ]; then
-	offset=1
-	# Loop through each entry of the current changelog, searching for an
-	# entry that refers to the master version used as base (ie a line
-	# containing "[ Ubuntu: 4.15.0-39.42 ]"):
-	while true; do
-		changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset")
-		if ! [ "$changes" ]; then
-			echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog"
-			exit 1
-		fi
-		prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}')
-		[ "$prev_base_version" ] && break
-		offset=$(( offset + 1 ))
-	done
-	if [ -z "${prev_base_version}" ]; then
-		echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog"
-		exit 1
-	fi
-fi
-
-# Find the current base kernel version
-if [ -z "$curr_base_version" ]; then
-	curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion)
-	if ! [ "$curr_base_version" ]; then
-		echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog"
-		exit 1
-	fi
-fi
-
-# Check base kernel tags
-tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-"
-prev_tag="${tag_prefix}${prev_base_version}"
-curr_tag="${tag_prefix}${curr_base_version}"
-for tag in "$prev_tag" "$curr_tag"; do
-	if ! git rev-parse --verify "$tag" &> /dev/null; then
-		echo "Missing tag \"$tag\". Please fetch tags from base kernel."
-		exit 1
-	fi
-done
-
-# Check all the changes
-fails=0
-justifications_file="$DEBIAN/fips.justifications"
-justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true)
-while read -r id; do
-	short_msg=$(git log --format=%s --max-count=1 "$id")
-	if echo "$justifications" | grep -q -x -F "$short_msg"; then
-		echo -e "${c_green}OK${c_off}   | ${id::12} ${short_msg}"
-		continue
-	fi
-	echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}"
-	fails=$(( fails + 1 ))
-done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}")
-
-echo
-if [ "$fails" -gt 0 ]; then
-	echo "FIPS relevant changes were found without justification: ${fails} change(s)."
-	echo "Please, check the commits above and update the file \"${justifications_file}\"."
-	exit 1
-fi
-
-echo "Check completed without errors."
-exit 0