From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH master] ci: container: fix various breakage in container build
Date: Tue, 10 Feb 2026 12:50:24 +0100 [thread overview]
Message-ID: <20260210115027.1363648-1-a.fatoum@pengutronix.de> (raw)
The LLVM apt repositories can't be used at the moment without further
changes to sequoia configuration:
Signing key on 6084F3CF814B57C1CF12EFD515CF4D18AF4F7421 is not bound:
No binding signature at time 2025-08-09T21:49:56Z
because: Policy rejected non-revocation signature (PositiveCertification)
requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Let's bump the date by four months until this is resolved.
While at it, also make sure to use -y to answer possible upgrade prompts
and do an apt-get update before the second install as well as we delete
the cache in-between.
I briefly considered using the prebuilt LLVM toolchains on kernel.org,
but they do not work for our purposes:
/usr/bin/ld: have you installed the static version of the
clang_rt.fuzzer_no_main-x86_64 library ?
[1]: https://github.com/llvm/llvm-project/issues/153385#issuecomment-3239875987
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
test/Containerfile | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/test/Containerfile b/test/Containerfile
index 8b0c37a6b20a..6e4515f7d582 100644
--- a/test/Containerfile
+++ b/test/Containerfile
@@ -10,7 +10,7 @@ LABEL Description="This image is for building and testing barebox inside a conta
ENV DEBIAN_FRONTEND=noninteractive
# Update and install things from apt now
-RUN apt-get update && apt-get upgrade && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
bison \
build-essential \
coreutils \
@@ -64,8 +64,12 @@ RUN apt-get update && apt-get upgrade && apt-get install -y --no-install-recomme
ENV GCC_VERSION=15.2.0
ENV LLVM_VERSION=20
-RUN apt-get install -y --no-install-recommends lsb-release gnupg \
+RUN apt-get update && apt-get install -y --no-install-recommends lsb-release gnupg \
&& wget https://apt.llvm.org/llvm.sh \
+ && mkdir -p /etc/crypto-policies/back-ends/ \
+ && sed 's/\(sha1\.second_preimage_resistance = \)2026-02-01/\12026-06-01/' \
+ < /usr/share/apt/default-sequoia.config \
+ > /etc/crypto-policies/back-ends/apt-sequoia.config \
&& chmod +x llvm.sh && ./llvm.sh ${LLVM_VERSION} \
&& apt-get remove -y lsb-release gnupg \
&& apt-get autoremove -y --purge \
--
2.47.3
next reply other threads:[~2026-02-10 11:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-10 11:50 Ahmad Fatoum [this message]
2026-02-11 9:34 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260210115027.1363648-1-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox