heads icon indicating copy to clipboard operation
heads copied to clipboard
verified publisher icon linuxboot

`musl-cross-make` fails with expired certificate

Open Tonux599 opened this issue 2 months ago • 8 comments

Context of the Build

1. What board are you trying to build? Any

2. What repository:branch are you using to build from?

  • [x] Heads:Master
  • [ ] Other (please specify)

3. What version of coreboot are you trying to build aaeb63df78f8563c46d140f1dcdb51d380392048

4. In building the rom where did you get the blobs?

  • [x] No blobs required
  • [ ] Provided by the company that installed Heads on the device
  • [ ] Extracted from a backup rom taken from this device
  • [ ] Extracted from another backup rom taken from another device (please identify the board model)
  • [ ] Extracted from the online bios using the automated tools provided in Heads
  • [ ] I don't know

5. If using the automated tools to get the blobs did you run the relevant scripts in the blobs directory

  • [ ] Yes
  • [x] No

6. What operating system are you using Debian StandaloneVM

Please describe the problem

Building musl-cross-make gets Linux headers from https://ftp.barfooze.de/pub/sabotage/tarballs//linux-headers-4.19.88-2.tar.xz. However, that address currently has an expired certificate, breaking all builds.

make -C "/home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c" OUTPUT=/home/user/heads/crossgcc/x86 MAKE=make -j1 --load-average=1  musl-target
make[1]: Entering directory '/home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c'
make TARGET="x86_64-linux-musl" install
make[2]: Entering directory '/home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c'
mkdir -p sources/linux-headers-4.19.88-2.tar.xz.tmp
cd sources/linux-headers-4.19.88-2.tar.xz.tmp && wget -c -O linux-headers-4.19.88-2.tar.xz https://ftp.barfooze.de/pub/sabotage/tarballs//linux-headers-4.19.88-2.tar.xz
--2025-10-26 23:59:55--  https://ftp.barfooze.de/pub/sabotage/tarballs//linux-headers-4.19.88-2.tar.xz
Resolving ftp.barfooze.de (ftp.barfooze.de)... 5.9.157.210
Connecting to ftp.barfooze.de (ftp.barfooze.de)|5.9.157.210|:443... connected.
ERROR: cannot verify ftp.barfooze.de's certificate, issued by 'CN=R11,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to ftp.barfooze.de insecurely, use `--no-check-certificate'.
make[2]: *** [Makefile:87: sources/linux-headers-4.19.88-2.tar.xz] Error 5
make[2]: Leaving directory '/home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c'
make[1]: *** [Makefile:191: musl-target] Error 2
make[1]: Leaving directory '/home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c'
make: *** [Makefile:625: /home/user/heads/build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c/.build] Error 1

To Reproduce Build any board.

Additional context Mirror defined in ./build/x86/musl-cross-make-fd6be58297ee21fcba89216ccd0d4aca1e3f1c5c/Makefile as LINUX_HEADERS_SITE = http://ftp.barfooze.de/pub/sabotage/tarballs/.

Maybe we could patch this to use HTTP only, or with a more reliable mirror?

Tonux599 avatar Oct 27 '25 00:10 Tonux599

Emailed "mw+h/[email protected]"

tlaurion avatar Oct 27 '25 04:10 tlaurion

Emailed "mw+h/[email protected]"

Acknowledged. Didn't look to see if there was a mirror maintained by a foundation or something but if so, it should be used and pr made against musl-cross-make project upstream. This is volonteer mirror and volonteer wasn't aware of the problem. Current issue should be fixed in next days with certificate renewal.

This raise the issue of reproducibility for older commits once more, and I myself have not the resources to tackle the problem myself for free.

tlaurion avatar Oct 27 '25 14:10 tlaurion

We could quite easily patch it to https://storage.puri.sm/heads-packages/ (similar to #2010), if @JonathonHall-Purism is happy to host it?

Tonux599 avatar Oct 27 '25 19:10 Tonux599

Have not yet followed the rabbit https://github.com/richfelker/musl-cross-make/issues/128 (why is such old kernel headers needed anyway?)

#2010 merged meanwhile (to be reverted in another PR with proper fix later).

tlaurion avatar Oct 28 '25 02:10 tlaurion

Have not yet followed the rabbit https://github.com/richfelker/musl-cross-make/issues/128 (why is such old kernel headers needed anyway?)

#2010 merged meanwhile (to be reverted in another PR with proper fix later).

https://ftp.barfooze.de/pub/sabotage/tarballs//linux-headers-4.19.88-2.tar.xz can be fetched again, certificate is valid again.

Now what?

tlaurion avatar Oct 29 '25 04:10 tlaurion

Now what?

We can just revert the PR but that won't stop it happening again. I'd be keen to just patch it to https://storage.puri.sm/heads-packages/, but that's down to @JonathonHall-Purism of-course.

Tonux599 avatar Oct 29 '25 16:10 Tonux599

... (why is such old kernel headers needed anyway?)

That's a good question. I'll try and spend some time to see if there is a configuration option to skip it all together at some point.

Tonux599 avatar Oct 29 '25 16:10 Tonux599

... (why is such old kernel headers needed anyway?)

That's a good question. I'll try and spend some time to see if there is a configuration option to skip it all together at some point.

See https://github.com/richfelker/musl-cross-make/issues/128#issuecomment-3462737392

tlaurion avatar Oct 29 '25 17:10 tlaurion