libre: uboot4extlinux-sunxi: switch upstream to not redistribute any nonfree software

If we use prepare() instead of mksource(), we end up redistributing
nonfree software inside the package source, and it would be better not
to have to do that as this could potentially create licensing issues.

The standard solution to avoid that in Parabola is to use mksource(),
however while this worked fine with other packages, I didn't manage to
make it work with this package, probably because the package code is
complex and that we don't fit into simpler cases handled by
mksource().

The complexity here comes from the need to lower the maintenance cost
of supporting multiple ARM computers and setups: the automation
enables to more easily add new computers, make testing way faster, and
simplify the installation instructions.

Since at the end of the day the goal was to share this deblobing work
with other FSDG compliant distributions, I looked for a distro neutral
project that could be interested in deblobing u-boot and which has
also some infrastructure that we could reuse for that (this avoids
costs in time and money of setting up new infrastructure and of
maintaining it).

As Libreboot planned to add support for u-boot anyway and that its
build system is distribution neutral, it was a good fit.

As for the ability to have patches merged in Libreboot for
u-boot-libre, the initial discussions were complicated:
- Libreboot releases sources and binaries of bootloaders targeting
  specific computers. So it would be natural to deblob u-boot and on
  top of that, add support for specific computers in Libreboot in the
  exact same way it is done for the computers that are supported
  through deblobed versions of Coreboot.

  However here we want the various distributions (like Parabola and
  Guix) to be able to use deblobed u-boot source tarballs that follow
  very closely upstream u-boot releases, and that only have changes
  related to deblobing. Linux-libre does the latter and this makes it
  very easy for FSDG compliant distributions to reuse it as-is.

  When adding support for specific computers through u-boot, Libreboot
  would instead be more interested in having specific configuration
  through u-boot environment and/or by combining u-boot with other
  bootloaders like GRUB. It would also be interested in having the
  ability to choose specific u-boot versions and specific extra
  patches to support specific computers.

  As distributions and Libreboot requirements are very similar (they
  both need to deblob u-boot) and also slightly different, it was not
  easy to get that point across, and I hope that people reading this
  commit also get the point across.

- Once I managed to get an agreement that doing that was a good idea
  and that I would be able to get my code merged (provided that the
  code quality was good) and have Libreboot release the files needed,
  I started to implement the code, but I found out week(s) later that
  the agreement was gone. The fix for that was simply to restart
  explaining it all from scratch and get an agreement again.

Beside the initial complications, getting the code reviewed and merged
was really fast (each patch serie review took 1 week or less) and we
can now just ping the Libreboot maintainer on IRC to get files
released.

According to the Libreboot maintainer I'm the de-facto maintainer of
the u-boot related code in Libreboot, so I'll probably have to be
involved somehow in reviewing the code, and then we need to ping her
to get the code merged.

The discussions were done in #libreboot on liberachat, and the merge
requests were sent against Libreboot repositories (both lbmk and
lbwww) in notabug, so following a similar method will probably result
in future patches being merged rapidely if we hope/assume that I will
manage to review the patches as fast as the Libreboot maintainer did.

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>

1 files changed, 66 insertions, 205 deletions

diff --git a/libre/uboot4extlinux-sunxi/PKGBUILD b/libre/uboot4extlinux-sunxi/PKGBUILD
index 22cd02aa2..a33df8fdd 100644
--- a/libre/uboot4extlinux-sunxi/PKGBUILD
+++ b/libre/uboot4extlinux-sunxi/PKGBUILD
@@ -31,6 +31,7 @@
 # point to it when relevant. Examples of that are available for other
 # boards in the ARM installation guide.
 
+_pkgbase=u-boot-libre
 pkgbase=uboot4extlinux-sunxi
 pkgname=("${pkgbase}"
          'uboot4extlinux-a10-olinuxino-lime'
@@ -55,27 +56,67 @@ pkgname=("${pkgbase}"
          'uboot4extlinux-orangepi_pc'
          'uboot4extlinux-orangepi_plus')
 
-pkgver=2021.07
-pkgrel=3
+# We have a ${pkgver}-${pkgrel} that looks like that:
+# '2021.07-r1.parabola3' and all the individual components are needed:
+# - '2021.07' corresponds to the upstream u-boot version. It is needed
+#   to know which u-boot version source code is used.
+# - 'r1' corresponds to the u-boot-libre revision. Without it it would
+#   be impossible to fix bugs inside the u-boot-libre deblob script.
+# - .parabola3 is the Parabola package revision. Without it it would be
+#   impossible to fix bugs inside this PKGBUILD.
+# As for the '-r1', it cannot go inside pkgver, else we end up with an
+# error like that when running makepkg:
+# ==> ERROR: pkgver is not allowed to contain colons, forward slashes,
+#     hyphens or whitespace.
+# so it was moved in pkgrel.
+_pkgver=2021.07
+_pkgrel=r1
+
+pkgver="${_pkgver}"
+pkgrel="${_pkgrel}.parabola3"
+
 arch=('armv7h' 'i686' 'x86_64')
-url="http://git.denx.de/u-boot.git/"
+url="https://libreboot.org/docs/maintain/#resourcesscriptsbuildreleaseu-boot-libre"
 license=('GPL')
 makedepends=('bc' 'dtc' 'python' 'python-setuptools' 'python2' 'swig')
 makedepends_i686+=('arm-none-eabi-gcc')
 makedepends_ppc64le+=('arm-none-eabi-gcc')
 makedepends_x86_64+=('arm-none-eabi-gcc')
-mksource=("ftp://ftp.denx.de/pub/u-boot/u-boot-${pkgver}.tar.bz2")
-noextract=("u-boot-${pkgver}.tar.bz2")
-mksha256sums=('312b7eeae44581d1362c3a3f02c28d806647756c82ba8c72241c7cdbe68ba77e')
 
-source=('extlinux.conf'
+# According to the Libreboot maintainer, we are supposed to use
+# any of the mirrors in https://libreboot.org/download.html#https
+# and not use the rsync server. The rsync server is only supposed
+# to be used by mirrors as it has limited bandwith.
+_mirror="https://mirrors.mit.edu/libreboot/"
+source=("${_mirror}/${_pkgbase}/${_pkgver}-${_pkgrel}/${_pkgbase}-${_pkgver}-${_pkgrel}.tar")
+
+# TODO: this checksum doesn't correspond to the one in
+#       tests/u-boot-libre.sha512. This means that the tarball is not
+#       reproducible yet. According to diffoscope, the only changes so
+#       far seems to be some permissions changes:
+#       │ -drwxr-xr-x [...]     0 1969-12-31 23:00:00.000000 u-boot-libre-2021.07-r1/
+#       │ +drwxrwxr-x [...]     0 1969-12-31 23:00:00.000000 u-boot-libre-2021.07-r1/
+#       │ --rw-r--r-- [...] 16576 1969-12-31 23:00:00.000000 u-boot-libre-2021.07-r1/.azure-pipelines.yml
+#       │ +-rw-rw-r-- [...] 16576 1969-12-31 23:00:00.000000 u-boot-libre-2021.07-r1/.azure-pipelines.yml
+#       I've not checked if some files were added or not but at least it
+#       shows only diffs like the one above, and it doesn't show any file
+#       content diff.
+# TODO: Check the signatures of the released files, not just the content
+# TODO: We also need to look into drivers/dma/MCD_tasks.c. The debian
+#       version of u-boot removes it. It's some data that looks like
+#       code, so while there is a valid license, we might lack
+#       corresponding source code if it's really some code. The debian
+#       commits might have more information about it.
+sha512sums=('4fd4cb762efd6b3e1eede883ee44cbf16f787de7f9bd8d6f9a98d69a22fd75519cce4b9ff713b205d34854597d2f9d6053dabc6097e55cb5be7c7ce71dae2ef6')
+
+source+=('extlinux.conf'
         "${pkgbase}.hook.in"
         'install-uboot4extlinux.sh.in'
         "generate-${pkgbase}-install-text.sh")
-sha256sums=('SKIP'
-            'SKIP'
-            'SKIP'
-            'SKIP')
+sha512sums+=('SKIP'
+             'SKIP'
+             'SKIP'
+             'SKIP')
 
 _defconfigs=('A10-OLinuXino-Lime_defconfig'
              'A10s-OLinuXino-M_defconfig'
@@ -157,203 +198,23 @@ _build_uboot_target()
 
 }
 
-mksource()
+# TODO: We need to fix the timestamps upstream to a valid date
+#       (like the first January 1970at 01:00:00 CET) or something derived
+#       from the release version somehow. Else we have the build log spammed
+#       with errors like that:
+#       make: scripts/Makefile.extrawarn: Timestamp out of range;
+#             substituting 1970-01-01 00:59:59.999999999
+# TODO: While we're at it we could export SOURCE_DATE_SPOCH to try to
+#       make the u-boot package reporducible.
+prepare()
 {
-  cd u-boot-${pkgver}
-
-  # The licenses of some microcodes are nonfree because the header contains the
-  # following: ".No reverse engineering, decompilation, or disassembly of this
-  # software is permitted."
-  rm -rf arch/x86/dts/microcode/
-
-  # The license is nonfree because it contains the following: "Reverse
-  # engineering, decompilation, or disassembly of this software is not
-  # permitted."
-  rm -f Licenses/r8a779x_usb3.txt
-  rm -f drivers/usb/host/xhci-rcar-r8a779x_usb3_v3.h
-
-  # The documentation contains instructions to download and install nonfree
-  # software. Note that if a board doesn't have such instructions it doesn't
-  # necessarily means that it can boot with only free software and viceversa.
-
-  ###########
-  # Amlogic #
-  ###########
-  # Amlogic SOCs Usually have various nonfree components, like the first stages
-  # of the bootloaders and code that runs in TrustZone. They are most likely
-  # not signed.
-  # ---------
-  # TODO: List the nonfree software of specific documentation
-  rm -f doc/board/amlogic/beelink-gtkingpro.rst
-  rm -f doc/board/amlogic/beelink-gtking.rst
-  rm -f doc/board/amlogic/index.rst
-  rm -f doc/board/amlogic/khadas-vim2.rst
-  rm -f doc/board/amlogic/khadas-vim3l.rst
-  rm -f doc/board/amlogic/khadas-vim3.rst
-  rm -f doc/board/amlogic/khadas-vim.rst
-  rm -f doc/board/amlogic/libretech-ac.rst
-  rm -f doc/board/amlogic/libretech-cc.rst
-  rm -f doc/board/amlogic/nanopi-k2.rst
-  rm -f doc/board/amlogic/odroid-c2.rst
-  rm -f doc/board/amlogic/odroid-c4.rst
-  rm -f doc/board/amlogic/odroid-n2.rst
-  rm -f doc/board/amlogic/p200.rst
-  rm -f doc/board/amlogic/p201.rst
-  rm -f doc/board/amlogic/p212.rst
-  rm -f doc/board/amlogic/q200.rst
-  rm -f doc/board/amlogic/s400.rst
-  rm -f doc/board/amlogic/sei510.rst
-  rm -f doc/board/amlogic/sei610.rst
-  rm -f doc/board/amlogic/u200.rst
-  rm -f doc/board/amlogic/w400.rst
-  rm -f doc/board/amlogic/wetek-core2.rst
-
-  #########
-  # Linux #
-  #########
-  # Has intructions to build Linux which is not FSDG compliant.
-  # TODO: Use linux-libre instead, especially because documentation about vboot
-  # could be interesting to have. Vboot is a chain of trust that can work with
-  # only free software. The hardware root of trust can be created by booting on
-  # a flash chip whose security registers are configured to set the first
-  # bootloader component read-only.
-  rm -f doc/uImage.FIT/beaglebone_vboot.txt
-  # Steers very strongly users into using Linux as it shows that the only tested
-  # kernels are Broadcom forks of Linux. We would need to have linux-libre
-  # versions of these or test it with stock linux-libre instead.
-  rm -f doc/README.bcm7xxx
-
-  ############
-  # Mediatek #
-  ############
-  # The instructions uses binaries that lack any corresponding source code.
-  rm -f doc/README.mediatek
-
-  #############
-  # NXP I.MX8 #
-  #############
-  # I.MX8 SOCs require a nonfree firmware for the DDR4 controller. In some
-  # documentation, I didn't find that requirement mentioned, but instead
-  # there are still nonfree files mentioned. So I assume that they might
-  # somehow contain code for that nonfree DDR4 controller, but it might be
-  # worth checking if it's the case or not. The DDR4 controller firmware is not
-  # signed. In addition the I.MX8 HDMI controller requires a signed firmware.
-  # -----------
-  # nonfree DDR4 controller firmware
-  rm -f doc/board/freescale/imx8mp_evk.rst
-  # nonfree DDR4 controller and HDMI firmwares
-  rm -f doc/board/freescale/imx8mq_evk.rst
-  # nonfree DDR4 controller firmware
-  rm -f doc/board/freescale/imx8mn_evk.rst
-  # nonfree imx-sc-firmware-1.2.7.1.bin and imx-seco-2.3.1.bin firmwares
-  rm -f doc/board/freescale/imx8qxp_mek.rst
-  # nonfree DDR4 controller firmware
-  rm -f doc/board/freescale/imx8mm_evk.rst
-  # nonfree imx-sc-firmware-1.1.bin and firmware-imx-8.0.bin firmwares
-  rm -f doc/board/advantech/imx8qm-rom7720-a1.rst
-  # TODO
-  rm -f doc/board/verdin-imx8mm.rst
-  rm -f doc/board/toradex/colibri-imx8x.rst
-  rm -f doc/board/toradex/apalix-imx8x.rst
-  rm -f doc/board/toradex/apalix-imx8.rst
-
-  #######################
-  # NXP nonfree srktool #
-  #######################
-  # The SRK tool is a tool that is involved in one way or another with
-  # authenticated or encrypted boot. I'm unsure if free software replacements
-  # exists or if could easily be replaced with a free software implementation.
-  # In any case the I.MX6 and I.MX5 can proabably be setup for encrypted or
-  # authenticated boot with free software tools. The first and second versions
-  # of the USB Armory has documentation on how to do that.
-  # ---------------------
-  rm -f doc/imx/board/toradex/colibri_imx7.rst
-  rm -f doc/imx/habv4/introduction_habv4.txt
-
-  ##################
-  # Samsung Exynos #
-  ##################
-  # The instructions makes users nonfree components like a nonfree first stage
-  # bootloaders, and nonfree code that runs in TrustZone.
-  rm -f doc/README.odroid
-  # The instructions makes its users download an image and update u-boot in that
-  # image. Because of that, it's extremely likely that the images contains
-  # nonfree components that cannot even be redistributed in another form, and
-  # that the instructions uses that images because of that.
-  rm -f doc/README.s5p4418
-
-  #####################
-  # Texas Instruments #
-  #####################
-  # Users are expected to use nonfree tools and even sign an NDA to get access
-  # to them.
-  rm -f doc/README.ti-secure
-
-  ###########
-  # Unknown #
-  ###########
-  # Everything looks free software, but the code still needs to be reviewed.
-  rm -f doc/board/microchip/mpfs_icicle.rst
-  # OP-TEE is under a free software license but its code needs to be reviewed.
-  rm -f doc/README.tee
-  # The tutorial has instructions to download a downstream u-boot, so it might
-  # have the same issues than u-boot itself if the u-boot is recent enough.
-  rm -f doc/chromium/run_vboot.rst
-
-  #######
-  # x86 #
-  #######
-  # Unless the computer is supported by Libreboot, or that u-boot runs after
-  # some other nonfree boot software like a BIOS or UEFI, it's unlikely to be
-  # able to run with only free software. Though I'm pretty sure that some
-  # exceptions do exists, but they are probably not supported by u-boot.
-  # -----
-  # nonfree Management Engine firmware, RAM intialization code, and video BIOS
-  rm -f doc/board/google/chromebook_link.rst
-  # nonfree SDRAM and hardware intialization code
-  rm -f doc/board/google/chromebook_coral.rst
-
-  # nonfree FSP, video BIOS, Management Engine firmware
-  rm -f doc/board/intel/minnowmax.rst
-  # nonfree FSP, Chipset Micro Code (CMC), microcode
-  rm -f doc/board/intel/crownbay.rst
-
-  # TODO: check
-  # board/intel/edison.rst
-  # Steers userstoward using nonfree FSP
-  rm -f board/intel/slimbootloader.rst
-
-  # Steers users and developers toward using nonfree FSP
-  rm -f doc/device-tree-bindings/fsp/fsp2/apollolake/fsp-m.txt
-
-  # Steers users and developers toward using nonfree FSP
-  rm -f doc/device-tree-bindings/fsp/fsp2/apollolake/fsp-s.txt
-
-  ############
-  # Rockchip #
-  ############
-  # rkbin binaries without license nor source code
-  rm -f doc/board/rockchip/rockchip.rst
-
-  # TODO: check the following files
-  # imx/common/mxs.txt
-  # README.armada-secureboot
-  # README.fdt-control
-  # README.fsl-ddr
-  # README.m54418twr
-  # README.marvell
-  # README.mpc85xxcds
-  # README.mpc85xx-sd-spi-boot
-  # README.OFT
-  # README.rmobile
-  # README.rockchip
-  # README.rockusb
-  # README.socfpga
+  cd "${_pkgbase}-${_pkgver}-${_pkgrel}"
+  find -print0 | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
 }
 
 build()
 {
-  cd u-boot-${pkgver}
+  cd "${_pkgbase}-${_pkgver}-${_pkgrel}"
 
   _target_nr=0
   for _defconfig in ${_defconfigs[@]}; do
@@ -393,7 +254,7 @@ _check_uboot_target()
 
 check()
 {
-  cd u-boot-${pkgver}
+  cd "${_pkgbase}-${_pkgver}-${_pkgrel}"
 
   _target_nr=0
   for _defconfig in ${_defconfigs[@]}; do
@@ -412,7 +273,7 @@ _make_uboot_package()
     _pkgname="$1"
 
     if [ -n "${pkgdir}" ] ; then
-        cd "u-boot-${pkgver}"
+        cd "${_pkgbase}-${_pkgver}-${_pkgrel}"
 
         # Install the u-boot binary
         install -d "${pkgdir}/usr/lib/u-boot/${_pkgname}/"