diff --git a/.llhttp.metadata b/.llhttp.metadata
new file mode 100644
index 0000000..2e4d7aa
--- /dev/null
+++ b/.llhttp.metadata
@@ -0,0 +1 @@
+a9bc2288b1fbb830bb4f454ea9803fe317472375 SOURCES/llhttp-9.2.1.tar.gz
diff --git a/SOURCES/audited-null-licenses.toml b/SOURCES/audited-null-licenses.toml
new file mode 100644
index 0000000..4af45e9
--- /dev/null
+++ b/SOURCES/audited-null-licenses.toml
@@ -0,0 +1,56 @@
+[any]
+
+[prod]
+
+[dev]
+
+# Just a module wrapper around the code in tslib, which does have a proper
+# license (0BSD) in its package.json:
+# tslib/modules
+modules = ""
+# A “dummy” module in the tests for tslib
+# tslib/test/validateModuleExportsMatchCommonJS
+validateModuleExportsMatchCommonJS = ""
+
+# Similarly, these are all just ES6 module (mjs) or CommonJS (cjs) module
+# wrappers in packages that do have proper license information:
+# node_modules_dev/@ungap/structured-clone/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/flatted/cjs
+cjs = ""
+mjs = ""
+
+# These are all “dummy” modules in the tests for resolve:
+# resolve/test/module_dir/zmodules/bbb
+bbb = ""
+# resolve/test/resolver/invalid_main
+"invalid main" = ""
+# resolve/test/resolver/incorrect_main
+incorrect_main = ""
+# resolve/test/resolver/dot_slash_main
+dot_slash_main = ""
+# resolve/test/resolver/dot_main
+dot_main = ""
+# resolve/test/resolver/baz
+baz = ""
+# resolve/test/resolver/browser_field
+browser_field = ""
+# resolve/test/resolver/symlinked/package
+package = ""
+
+# These are all part of nanoid, which is MIT-licensed.
+# nanoid/url-alphabet
+url-alphabet = ""
+# nanoid/non-secure
+non-secure = ""
+# nanoid/async
+async = ""
+
+# This is part of yargs, which is MIT-licensed.
+# mocha/node_modules/yargs/helpers
+helpers = ""
diff --git a/SOURCES/check-null-licenses b/SOURCES/check-null-licenses
new file mode 100755
index 0000000..12108d5
--- /dev/null
+++ b/SOURCES/check-null-licenses
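Review bot: Each exception in this file is matched by check-null-licenses on the package.json `name` (or the parent directory name when `name` is absent) plus an exact `version` string, so generic keys such as `cjs = ""`, `mjs = ""`, `package = ""`, `async = ""` and `helpers = ""` exempt any unversioned package.json by that name anywhere in the audited tree, not only the paths listed in the comments above them. I would say so at the top of the file so a later audit does not read the path comments as a filter: `# NOTE: entries are matched by package name and version only; the paths in the comments are documentation, not a constraint.` Re-checking that each listed path still exists after a bundle refresh is then a manual step worth mentioning in the same header.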
@@ -0,0 +1,182 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import json
+from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
+from pathlib import Path
+from sys import exit, stderr
+
+try:
+ import tomllib
+except ImportError:
+ import tomli as tomllib
+
+
+def main():
+ args = parse_args()
+ problem = False
+ if not args.tree.is_dir():
+ return f"Not a directory: {args.tree}"
+ for pjpath in args.tree.glob("**/package.json"):
+ name, version, license = parse(pjpath)
+ identity = f"{name} {version}"
+ if version in args.exceptions.get(name, ()):
+ continue # Do not even check the license
+ elif license is None:
+ problem = True
+ print(f"Missing license in package.json for {identity}", file=stderr)
+ elif isinstance(license, dict):
+ if isinstance(license.get("type"), str):
+ continue
+ print(
+ (
+ "Missing type for (deprecated) license object in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ elif isinstance(license, list):
+ if license and all(
+ isinstance(entry, dict) and isinstance(entry.get("type"), str)
+ for entry in license
+ ):
+ continue
+ print(
+ (
+ "Defective (deprecated) licenses array-of objects in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ elif isinstance(license, str):
+ continue
+ else:
+ print(
+ (
+ "Weird type for license in "
+ f"package.json for {identity}: {license}"
+ ),
+ file=stderr,
+ )
+ problem = True
+ if problem:
+ return "At least one missing license was found."
+
+
+def parse(package_json_path):
+ with package_json_path.open("rb") as pjfile:
+ pj = json.load(pjfile)
+ try:
+ license = pj["license"]
+ except KeyError:
+ license = pj.get("licenses")
+ try:
+ name = pj["name"]
+ except KeyError:
+ name = package_json_path.parent.name
+ version = pj.get("version", "")
+
+ return name, version, license
+
+
+def parse_args():
+ parser = ArgumentParser(
+ formatter_class=RawDescriptionHelpFormatter,
+ description=("Search for bundled dependencies without declared licenses"),
+ epilog="""
+
+The exceptions file must be a TOML file with zero or more tables. Each table’s
+keys are package names; the corresponding values values are exact version
+number strings, or arrays of version number strings, that have been manually
+audited to determine their license status and should therefore be ignored.
+
+Exceptions in a table called “any” are always applied. Otherwise, exceptions
+are applied only if a corresponding --with TABLENAME argument is given;
+multiple such arguments may be given.
+
+For
+example:
+
+ [any]
+ example-foo = "1.0.0"
+
+ [prod]
+ example-bar = [ "2.0.0", "2.0.1",]
+
+ [dev]
+ example-bat = [ "3.7.4",]
+
+would always ignore version 1.0.0 of example-foo. It would ignore example-bar
+2.0.1 only when called with “--with prod”.
+
+Comments may (and should) be used to describe the manual audits upon which the
+exclusions are based.
+
+Otherwise, any package.json with missing or null license field in the tree is
+considered an error, and the program returns with nonzero status.
+""",
+ )
+ parser.add_argument(
+ "-x",
+ "--exceptions",
+ type=FileType("rb"),
+ help="Manually audited package versions file",
+ )
+ parser.add_argument(
+ "-w",
+ "--with",
+ action="append",
+ default=[],
+ help="Enable a table in the exceptions file",
+ )
+ parser.add_argument(
+ "tree",
+ metavar="node_modules_dir",
+ type=Path,
+ help="Path to search recursively",
+ default=".",
+ )
+ args = parser.parse_args()
+
+ if args.exceptions is None:
+ args.exceptions = {}
+ xname = None
+ else:
+ with args.exceptions as xfile:
+ xname = getattr(xfile, "name", "")
+ args.exceptions = tomllib.load(args.exceptions)
+ if not isinstance(args.exceptions, dict):
+ parser.error(f"Invalid format in {xname}: not an object")
+ for tablename, table in args.exceptions.items():
+ if not isinstance(table, dict):
+ parser.error(f"Non-table entry in {xname}: {tablename} = {table!r}")
+ overlay = {}
+ for key, value in table.items():
+ if isinstance(value, str):
+ overlay[key] = [value]
+ elif not isinstance(value, list) or not all(
+ isinstance(entry, str) for entry in value
+ ):
+ parser.error(
+ f"Invalid format in {xname} in [{tablename}]: "
+ f"{key!r} = {value!r}"
+ )
+ table.update(overlay)
+
+ x = args.exceptions.get("any", {})
+ for add in getattr(args, "with"):
+ try:
+ x.update(args.exceptions[add])
+ except KeyError:
+ if xname is None:
+ parser.error(f"No table {add}, as no exceptions file was given")
+ else:
+ parser.error(f"No table {add} in {xname}")
+ # Store the merged dictionary
+ args.exceptions = x
+
+ return args
+
+
+if __name__ == "__main__":
+ exit(main())
diff --git a/SOURCES/llhttp-9.2.1-nm-dev.tar.zst b/SOURCES/llhttp-9.2.1-nm-dev.tar.zst
new file mode 100644
index 0000000..8e278a5
Binary files /dev/null and b/SOURCES/llhttp-9.2.1-nm-dev.tar.zst differ
diff --git a/SOURCES/llhttp-packaging-bundler b/SOURCES/llhttp-packaging-bundler
new file mode 100755
index 0000000..e0cb8ef
--- /dev/null
+++ b/SOURCES/llhttp-packaging-bundler
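Review bot: An empty license string passes the audit: `elif isinstance(license, str): continue` in main() accepts `"license": ""` without reporting it, and the dict branch likewise accepts `"type": ""`, so a package with a blank (rather than missing) field is silently treated as licensed. I would make the string branch `elif isinstance(license, str) and license.strip(): continue` and let the final `else` report the blank value, and apply the same `.strip()` test to `license.get("type")` in the dict and list branches. Separately, in parse_args() the positional `tree` argument carries `default="."` but no `nargs="?"`, so the default is dead and the argument stays required; either add `nargs="?"` or drop the default. The lookup `args.exceptions.get(name, ())` keys on the package name alone, so an entry in the exceptions file applies to every package.json of that name in the tree; a one-line comment there would save the next reader from assuming the paths in the TOML comments are enforced.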
@@ -0,0 +1,110 @@ +#!/bin/bash +set -o nounset +set -o errexit + +OUTPUT_DIR="$(rpm -E '%{_sourcedir}')" +SPEC_FILE="${PWD}/llhttp.spec" + +usage() { + cat 1>&2 <&2 <&2 +VERSION="$(awk '$1 == "Version:" { print $2; exit }' "${SPEC_FILE}")" +echo "Version is ${VERSION}" 1>&2 +echo "Downloading source archive" 1>&2 +spectool -g "${SPEC_FILE}" + +ARCHIVE="$( + find . -mindepth 1 -maxdepth 1 -type f -name '*.tar.gz' -print -quit +)" +echo "Downloaded $(basename "${ARCHIVE}")" 1>&2 + +tar -xzf "${ARCHIVE}" +XDIR="$(find . -mindepth 1 -maxdepth 1 -type d -print -quit)" +echo "Extracted to $(basename "${XDIR}")" 1>&2 + +cd "${XDIR}" + +echo "Downloading prod dependencies" 1>&2 +# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm +# unsuccessfully attempts to build the package. +npm install --no-optional --only=prod --ignore-scripts +echo "Successful prod dependencies download" 1>&2 +mv node_modules/ node_modules_prod + +echo "LICENSES IN BUNDLE:" +LICENSE_FILE="${TMP_DIR}/llhttp-${VERSION}-bundled-licenses.txt" +find . -name 'package.json' -exec jq '.license | strings' '{}' ';' \ + >> "${LICENSE_FILE}" +for what in '.license | objects | .type' '.licenses[] .type' +do + find . -name 'package.json' -exec jq "${what}" '{}' ';' \ + >> "${LICENSE_FILE}" 2>/dev/null +done +sort -u -o "${LICENSE_FILE}" "${LICENSE_FILE}" + +# Locate any dependencies without a provided license +find . -type f -name 'package.json' -execdir jq \ + 'if .license==null and .licenses==null then .name else null end' '{}' '+' | + grep -vE '^null$' | + sort -u > "${TMP_DIR}/nolicense.txt" + +if [[ -s "${TMP_DIR}/nolicense.txt" ]] +then + echo -e "\e[5m\e[41mSome dependencies do not list a license. 
Manual verification required!\e[0m" + cat "${TMP_DIR}/nolicense.txt" + echo -e "\e[5m\e[41m======================================================================\e[0m" +fi + +echo "Downloading dev dependencies" 1>&2 +# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm +# unsuccessfully attempts to build the package. +npm install --no-optional --only=dev --ignore-scripts +echo "Successful dev dependencies download" 1>&2 +mv node_modules/ node_modules_dev + +if [[ -d node_modules_prod ]] +then + tar -cf "../llhttp-${VERSION}-nm-prod.tar" node_modules_prod +fi +if [[ -d node_modules_dev ]] +then + tar -cf "../llhttp-${VERSION}-nm-dev.tar" node_modules_dev +fi +zstdmt --ultra -22 "../llhttp-${VERSION}-nm-prod.tar" "../llhttp-${VERSION}-nm-dev.tar" + +cd .. +find . -mindepth 1 -maxdepth 1 -type f \( -name "$(basename "${ARCHIVE}")" \ + -o -name "llhttp-${VERSION}*" \) -exec cp -vp '{}' "${OUTPUT_DIR}" ';' diff --git a/SPECS/llhttp.spec b/SPECS/llhttp.spec new file mode 100644 index 0000000..2be40de --- /dev/null +++ b/SPECS/llhttp.spec 
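Review bot: `zstdmt --ultra -22` is applied to both tar files unconditionally, while the two `tar -cf` calls just above it are guarded by `[[ -d node_modules_prod ]]` and `[[ -d node_modules_dev ]]`; under `set -o errexit` a missing bundle (the spec's Source1 comment states no production bundle is expected for this package) therefore aborts the script at the compression step instead of being skipped. I would move each zstdmt invocation inside the matching `if` block, compressing `../llhttp-${VERSION}-nm-prod.tar` and `../llhttp-${VERSION}-nm-dev.tar` separately. The script enables nounset and errexit but not `set -o pipefail`, so a `jq` failure in the `find … | grep -vE '^null$' | sort -u` pipeline that produces nolicense.txt is masked by the exit status of `sort`; if pipefail is added, the `grep -v` stage returning 1 on empty output needs an explicit `|| true`. The usage() heredoc and the TMP_DIR setup are garbled in this view, so I have not reviewed them.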
@@ -0,0 +1,265 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.3) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 1; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + +# This package is rather exotic. The compiled library is a typical shared +# library with a C API. However, it has only a tiny bit of C source code. Most +# of the library is written in TypeScript, which is transpiled to C, via LLVM +# IR, using llparse (https://github.com/nodejs/llparse)—all of which happens +# within the NodeJS ecosystem. +# +# The package therefore “builds like” a NodeJS package, and to the extent they +# are relevant we apply the NodeJS packaging guidelines. However, the result of +# the build “installs like” a traditional C library package and has no NodeJS +# dependencies, including bundled ones. +# +# Furthermore, the package is registered with npm as “llhttp”, but current +# releases are not published there, so we use the GitHub archive as the +# canonical source and use a custom bundler script based on +# nodejs-packaging-bundler to fetch NodeJS build dependencies. +# +# Overall, we cherry-pick from the standard and NodeJS packaging guidelines as +# each seems to best apply, understanding that this package does not fit well +# into any of the usual patterns or templates. +# +# Note that there is now a “release” tarball, e.g. +# https://github.com/nodejs/llhttp/archive/refs/tags/release/v%%{version}tar.gz, +# that allows this package to be built without the NodeJS/TypeScript machinery. +# However, the release archive lacks the original TypeScript source code for +# the generated C code, which we would need to include in the source RPM as an +# additional source even if we do not do the re-generation ourselves. 
+ +Name: llhttp +Version: 9.2.1 +%global so_version 9.2 +Release: %autorelease +Summary: Port of http_parser to llparse + +# License of llhttp is (SPDX) MIT; nothing from the NodeJS dependency bundle is +# installed, so its contents do not contribute to the license of the binary +# RPMs, and we do not need a file llhttp-%%{version}-bundled-licenses.txt. +License: MIT +URL: https://github.com/nodejs/llhttp +Source0: %{url}/archive/v%{version}/llhttp-%{version}.tar.gz + +# Based closely on nodejs-packaging-bundler, except: +# +# - The GitHub source tarball specified in this spec file is used since the +# current version is not typically published on npm +# - No production dependency bundle is generated, since none is needed—and +# therefore, no bundled licenses text file is generated either +Source1: llhttp-packaging-bundler +# Created with llhttp-packaging-bundler (Source1): +Source2: llhttp-%{version}-nm-dev.tar.zst + +# While nothing in the dev bundle is installed, we still choose to audit for +# null licenses at build time and to keep manually-approved exceptions in a +# file. +Source3: check-null-licenses +Source4: audited-null-licenses.toml + +# The compiled RPM does not depend on NodeJS at all, but we cannot *build* it +# on architectures without NodeJS. +ExclusiveArch: %{nodejs_arches} + +# For generating the C source “release” from TypeScript: +BuildRequires: nodejs-devel +BuildRequires: make + +# For compiling the C library +BuildRequires: cmake +BuildRequires: gcc + +# For tests +BuildRequires: gcc-c++ + +# For check-null-licenses +BuildRequires: python3-devel +BuildRequires: (python3dist(tomli) if python3 < 3.11) + +%description +This project is a port of http_parser to TypeScript. llparse is used to +generate the output C source file, which could be compiled and linked with the +embedder's program (like Node.js). 
+ + +%package devel +Summary: Development files for llhttp + +Requires: llhttp%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description devel +The llhttp-devel package contains libraries and header files for +developing applications that use llhttp. + + +%prep +%autosetup + +# Remove build flags specifying ISA extensions not in the architectural +# baseline from the test fixture setup. +sed -r -i 's@([[:blank:]]*)(.*-m(sse4))@\1// \2@' test/fixtures/index.ts + +# We build the library that we install via release/CMakeLists.txt, but the +# tests are built via Makefile targets. Don’t apply non-default optimization or +# debug flags to the test executables. +sed -r -i 's@ -[Og].\b@@g' Makefile + +# Set up bundled (dev) node modules required to generate the C sources from the +# TypeScript sources. +tar --zstd --extract --file='%{SOURCE2}' +mkdir -p node_modules +pushd node_modules +ln -s ../node_modules_dev/* . +ln -s ../node_modules_dev/.bin . +popd + +# We run ts-node out of node_modules/.bin rather than using npx (which we will +# not have available). +sed -r -i 's@\bnpx[[:blank:]](ts-node)\b@node_modules/.bin/\1@' Makefile + + +%build +# Generate the C source “release” from TypeScript using the “node_modules_dev” +# bundle. +%make_build release RELEASE='%{version}' + +# To help prove that nothing from the bundled NodeJS dev dependencies is +# included in the binary packages, remove the “node_modules” symlinks. +rm -rvf node_modules + +cd release +%cmake +%cmake_build + + +%install +cd release +%cmake_install + + +%check +# Symlink the NodeJS bundle again so that we can test with Mocha +mkdir -p node_modules +pushd node_modules +ln -s ../node_modules_dev/* . +ln -s ../node_modules_dev/.bin . +popd + +# Verify that no bundled dev dependency has a null license field, unless we +# already audited it by hand. This reduces the chance of accidentally including +# code with license problems in the source RPM. 
+%{python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev + +%set_build_flags +# http-loose-request.c:7205:20: error: invalid conversion from 'void*' to +# 'const unsigned char*' [-fpermissive] +# 7205 | start = state->_span_pos0; +# | ~~~~~~~^~~~~~~~~~ +# | | +# | void* +export CXXFLAGS="${CXXFLAGS-} -fpermissive" +export CFLAGS="${CFLAGS-} -fpermissive" +export CLANG=gcc +# See scripts.test in package.json: +NODE_ENV=test node -r ts-node/register/type-check ./test/md-test.ts + + +%files +%license release/LICENSE-MIT +%{_libdir}/libllhttp.so.%{so_version}{,.*} + + +%files devel +%doc release/README.md +%{_includedir}/llhttp.h +%{_libdir}/libllhttp.so +%{_libdir}/pkgconfig/libllhttp.pc +%{_libdir}/cmake/llhttp/ + + +%changelog +## START: Generated by rpmautospec +* Thu Apr 11 2024 Benjamin A. Beasley - 9.2.1-1 +- Update to 9.2.1 (close RHBZ#2273352, fix CVE-2024-27982) +- Switch from xz to zstd compression for the “dev” bundle archive + +* Thu Apr 11 2024 Benjamin A. Beasley - 9.2.0-4 +- Format check-null-licenses with “ruff format” + +* Thu Apr 11 2024 Benjamin A. Beasley - 9.2.0-1 +- Update to 9.2.0 (close RHBZ#2263250) + +* Thu Apr 11 2024 Benjamin A. Beasley - 9.1.3-2 +- Compress the dev dependency bundle with xz instead of gzip + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.1.3-1 +- Update to 9.1.3 (close RHBZ#2242220) + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.1.2-1 +- Update to 9.1.2 + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.1.1-1 +- Update to 9.1.1 + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.1.0-1 +- Update to 9.1.0 + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.0.1-1 +- Update to 9.0.1 (close RHBZ#2228290) + +* Thu Nov 30 2023 Benjamin A. Beasley - 9.0.0-1 +- Update to 9.0.0 + +* Sat Jul 29 2023 Benjamin A. Beasley - 8.1.1-1 +- Update to 8.1.1 (close RHBZ#2216591) + +* Sat Jul 29 2023 Benjamin A. Beasley - 8.1.0-3 +- Fix test compiling/execution + +* Sat Jul 29 2023 Benjamin A. Beasley - 8.1.0-2 +- Indicate dirs. 
in files list with trailing slashes + +* Sat Jul 29 2023 Benjamin A. Beasley - 8.1.0-1 +- Update to 8.1.0 (close RHBZ#2131175) + +* Sat Jul 29 2023 Benjamin A. Beasley - 8.0.0-1 +- Update to 8.0.0 (close RHBZ#2131175) + +* Sat Jul 29 2023 Stephen Gallagher - 6.0.10-1 +- Update to v6.0.10 + +* Sat Jul 29 2023 Miro Hrončok - 6.0.9-2 +- Use tomllib/python-tomli instead of dead upstream python-toml + +* Sat Jul 29 2023 Benjamin A. Beasley - 6.0.9-1 +- Update to 6.0.9 (close RHBZ#2116231) +- Bumped .so version from downstream 0.1 to upstream 6.0 +- Better upstream support for building and installing a shared library +- The -devel package now contains a .pc file +- Tests are now built with gcc and fully respect distro flags + +* Sat Jul 29 2023 Benjamin A. Beasley - 6.0.6-6 +- Drop “forge” macros, which aren’t really doing much here + +* Fri Dec 24 2021 Benjamin A. Beasley - 6.0.6-5 +- Add a note about LLHTTP_STRICT_MODE to the package description + +* Fri Dec 24 2021 Benjamin A. Beasley - 6.0.6-4 +- Revert "Build with LLHTTP_STRICT_MODE enabled" + +* Wed Dec 22 2021 Benjamin A. Beasley - 6.0.6-3 +- Build with LLHTTP_STRICT_MODE enabled + +* Tue Dec 14 2021 Benjamin A. Beasley - 6.0.6-2 +- Dep. on cmake-filesystem is now auto-generated + +* Mon Dec 06 2021 Benjamin A. Beasley - 6.0.6-1 +- Initial package (close RHBZ#2029461) +## END: Generated by rpmautospec
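Review bot: The comment above the `%{python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev` audit in %check says it reduces the chance of including license-problem code in the source RPM, but by the time %check runs the dev bundle is already packaged as Source2; what the step actually does is fail the build on any null license not yet recorded in audited-null-licenses.toml, which gates the binary RPMs and forces a manual audit after each bundle refresh. I would reword the comment along those lines so a reader does not expect the SRPM contents themselves to be filtered. As a point of style, the five-line node_modules symlink setup (`mkdir -p node_modules` … `popd`) appears identically in %prep and %check; a `%global` helper, or at least a comment on the second copy pointing at the first, would keep the two from drifting apart. Whether the CFLAGS `-fpermissive` export is needed in addition to the CXXFLAGS one (the quoted error is a C++ conversion error) is not visible from here.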