fix: do not install man and locale for exported packages

These files aren't used in Talos.

Update dependencies: kmod, flit_core, zstd, change python-setuptools package source to PyPI to avoid datestamped version.

Also use a linter script to validate all the distribution-facing packages for rootfs structure compliance.

Signed-off-by: Dmitrii Sharshakov <[email protected]>

Pkgfile

@@ -144,9 +144,9 @@ vars:
   gzip_sha512: e3d4d4aa4b2e53fdad980620307257c91dfbbc40bcec9baa8d4e85e8327f55e2ece552c9baf209df7b66a07103ab92d4954ac53c86c57fbde5e1dd461143f94c
 
   # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git
-  kmod_version: 33
-  kmod_sha256: dc768b3155172091f56dc69430b5481f2d76ecd9ccb54ead8c2540dbcf5ea9bc
-  kmod_sha512: 32d79d0bb7e89012f18458d4e88325f8e19a7dba6e1d5cff01aec3e618d1757b0f7c119735bf38d02e0d056a14273fd7522fca7c61a4d12a3ea5854bb662fff8
+  kmod_version: 34
+  kmod_sha256: 12e7884484151fbd432b6a520170ea185c159f4393c7a2c2a886ab820313149a
+  kmod_sha512: 214ef8ea78da059a1dd8cce66267690f27ee47e22398e7b0e0b68834c42eb94f2b77cf99ef9c4bdb3f0aee103abda1d9bc9dfc414051e9ad47a72e063802fdbf
 
   # renovate: datasource=github-tags depName=libbpf/libbpf
   libbpf_version: v1.5.0
@@ -296,9 +296,9 @@ vars:
   python_build_sha512: bdf023c6b578ea77c7fc49c71c7d908bcc9ff6b9255b2767e45b09aca0a39a5297d264695a864fe34772e5d8898a18a90f6e262514bf90daf14db762a8bbe4be
 
   # renovate: datasource=github-tags depName=pypa/flit
-  python_flit_core_version: 3.10.1
-  python_flit_core_sha256: caf7f938719658c11699ad014964e10a9fce8cb04fe4ff8bf15c613136b579f0
-  python_flit_core_sha512: 51f797f480102fe89cd69f3fbd91c614b2390a37659c589622f2c7938cc64bc223f710e07365766159b6833d7afdafef4461a92667b6e3ae786df5137a877ee1
+  python_flit_core_version: 3.11.0
+  python_flit_core_sha256: f7ae0e714dce1f733d510bce47a4ce10cd088acffc00053f0a873f625466ca9f
+  python_flit_core_sha512: 99ebec876ee9607b4fc8803719a5e62716bd48df3d2704f4d8cf99504421ec5068c4c59947a1b6f2d1e7e2a714e39e50b30385e04bb14c52c271e1dcadd8b6b5
 
   # renovate: datasource=github-tags depName=projg2/gpep517
   python_gpep517_version: v16
@@ -325,10 +325,10 @@ vars:
   python_packaging_sha256: c448ea78de5134f5002a2aa2bb62a0fb4714bb4ab2d2b00bce8ed6ca22502d5a
   python_packaging_sha512: cab6be7284c6bc2abce7a5bbdc25a40e33378576c5590dad4aef9d835a2205af81ca24af7ae3603d0e4e32f8865d87a621187dae2f86df6ac613c9886d482804
 
-  # renovate: datasource=github-releases depName=pypa/setuptools
-  python_setuptools_version: v75.8.0
-  python_setuptools_sha256: 7a1ab1a2335ac305db3297961774d516d39fe516a9495832011ed16105a439c2
-  python_setuptools_sha512: 500cbd8605970f1ef7d70d512a8f7879b43e6807bb335d8c7f03c18c53ac6212ef3337d2e7678b626adde12b1d6830fe384e001a26c7919ac2594c53e243356a
+  # renovate: datasource=github-releases extractVersion=^v(?<version>.*)$ depName=pypa/setuptools
+  python_setuptools_version: 75.8.0
+  python_setuptools_sha256: c5afc8f407c626b8313a86e10311dd3f661c6cd9c09d4bf8c15c0e11f9f2b0e6
+  python_setuptools_sha512: 4afa657c5259f9f405c39d82d8c264236749861ba2b104e8b26dd49da8ffb27ad3089ea894f2bb65208f480d7a4042114b93228f1cf2b224dc248774d7681a3d
 
   # renovate: datasource=github-tags depName=rhash/RHash
   rhash_version: v1.4.5
@@ -388,8 +388,8 @@ vars:
   zlib_sha512: 580677aad97093829090d4b605ac81c50327e74a6c2de0b85dd2e8525553f3ddde17556ea46f8f007f89e435493c9a20bc997d1ef1c1c2c23274528e3c46b94f
 
   # renovate: datasource=github-tags extractVersion=^v(?<version>.*)$ depName=facebook/zstd
-  zstd_version: 1.5.6
-  zstd_sha256: 8c29e06cf42aacc1eafc4077ae2ec6c6fcb96a626157e0593d5e82a34fd403c1
-  zstd_sha512: 54a578f2484da0520a6e9a24f501b9540a3fe3806785d6bc9db79fc095b7c142a7c121387c7eecd460ca71446603584ef1ba4d29a33ca90873338c9ffbd04f14
+  zstd_version: 1.5.7
+  zstd_sha256: eb33e51f49a15e023950cd7825ca74a4a2b43db8354825ac24fc1b7ee09e6fa3
+  zstd_sha512: b4de208f179b68d4c6454139ca60d66ed3ef3893a560d6159a056640f83d3ee67cdf6ffb88971cdba35449dba4b597eaa8b4ae908127ef7fd58c89f40bf9a705
 labels:
   org.opencontainers.image.source: https://github.com/siderolabs/tools

base/fhs-validator.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env sh
+# Script to validate the adherence to the FHS and our standards for a package
+
+set -euo pipefail
+
+RETVAL=0
+
+check_dir() {
+    local ROOTDIR="$1"
+    local ALLOWED_DIRS="$2"
+
+    for DIR in "$ROOTDIR"/*; do
+        # Empty directory, no matches.
+        [ "$DIR" = "$ROOTDIR/*" ] && break
+        local RELATIVE_DIR=$(basename "$DIR")
+
+        if ! echo "${ALLOWED_DIRS}" | grep -wq "${RELATIVE_DIR}"; then
+            [ -d "${DIR}" ] && echo "Package validator: ${DIR} is not an allowed directory" || echo "Package validator: ${DIR} is not an allowed file"
+            RETVAL=1
+        fi
+    done
+}
+
+ROOTDIR="${1:-/rootfs}"
+
+# Test for extra files/directories
+# bin, lib and other directories moved to /usr are not allowed
+ALLOWED_DIRS="usr etc dev proc sys opt run var root tmp home"
+check_dir "$ROOTDIR" "$ALLOWED_DIRS"
+echo "Validated /"
+
+# No need for this test in pkgs which only have files under /etc for example
+[ ! -d "${ROOTDIR}/usr" ] && exit $RETVAL
+
+# Test for extra files/directories in /usr
+# lib64 and sbin are not allowed
+ALLOWED_USR_DIRS="bin lib share libexec include etc local src var"
+check_dir "$ROOTDIR/usr" "$ALLOWED_USR_DIRS"
+
+# Do not install man pages and locale info for optimal image size
+for DIR in $ROOTDIR/usr/man $ROOTDIR/usr/share/man $ROOTDIR/usr/local/man $ROOTDIR/usr/local/share/man \
+           $ROOTDIR/usr/share/info $ROOTDIR/usr/share/doc $ROOTDIR/usr/share/locale $ROOTDIR/usr/lib/locale; do
+    [ -e ${DIR} ] && echo "Package validator: ${DIR} is not an allowed directory (man/info/locale)" && RETVAL=1
+done
+
+echo "Validated /usr"
+exit $RETVAL

base/pkg.yaml

@@ -2,4 +2,9 @@ name: base
 variant: scratch
 dependencies:
   - image: "{{ .TOOLCHAIN_IMAGE }}"
-    runtime: true
+    to: /rootfs
+finalize:
+  - from: /pkg/fhs-validator.sh
+    to: /usr/bin/fhs-validator
+  - from: /rootfs
+    to: /

python-setuptools/pkg.yaml

@@ -7,7 +7,7 @@ dependencies:
   - stage: tools-zlib
 steps:
   - sources:
-      - url: https://github.com/pypa/setuptools/archive/refs/tags/{{ .python_setuptools_version }}.tar.gz
+      - url: https://pypi.io/packages/source/s/setuptools/setuptools-{{ .python_setuptools_version }}.tar.gz
         destination: setuptools.tar.gz
         sha256: "{{ .python_setuptools_sha256 }}"
         sha512: "{{ .python_setuptools_sha512 }}"

tools-ca-certificates/pkg.yaml

@@ -3,14 +3,17 @@ variant: scratch
 dependencies:
   - stage: base
 steps:
-- sources:
-  - url: https://curl.se/ca/cacert-2024-12-31.pem
-    destination: cacert.pem
-    sha256: a3f328c21e39ddd1f2be1cea43ac0dec819eaa20a90425d7da901a11531b3aa5
-    sha512: bf578937d7826106bae1ebe74a70bfbc439387445a1f41ef57430de9d9aea6fcfa1884381bf0ef14632f6b89e9543642c9b774fcca93837efffdc557c4958dbd
-  install:
-  - |
-    install -m644 -D cacert.pem /rootfs/etc/ssl/certs/ca-certificates
+  - sources:
+      - url: https://curl.se/ca/cacert-2024-12-31.pem
+        destination: cacert.pem
+        sha256: a3f328c21e39ddd1f2be1cea43ac0dec819eaa20a90425d7da901a11531b3aa5
+        sha512: bf578937d7826106bae1ebe74a70bfbc439387445a1f41ef57430de9d9aea6fcfa1884381bf0ef14632f6b89e9543642c9b774fcca93837efffdc557c4958dbd
+    install:
+      - |
+        install -m644 -D cacert.pem /rootfs/etc/ssl/certs/ca-certificates
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
 - from: /rootfs
   to: /

tools-cpio/pkg.yaml

@@ -28,6 +28,10 @@ steps:
       - |
         cd build
         make DESTDIR=/rootfs install
+        rm -rf /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-kmod/pkg.yaml

@@ -2,7 +2,18 @@ name: tools-kmod
 variant: scratch
 dependencies:
   - stage: base
-  - stage: patch
+  - stage: coreutils
+  - stage: libffi
+  - stage: python3
+  - stage: python-setuptools
+  - stage: tools-openssl
+  - stage: tools-zlib
+  - stage: meson
+  - stage: ninja
+  - stage: pkg-config
+  - stage: tools-zstd
+  - stage: tools-xz
+  - stage: gzip
 steps:
   - sources:
       - url: https://www.kernel.org/pub/linux/utils/kernel/kmod/kmod-{{ .kmod_version }}.tar.xz
@@ -12,22 +23,16 @@ steps:
     prepare:
       - |
         tar -xJf kmod.tar.xz --strip-components=1
-
-        patch -p1 < /pkg/patches/strndupa.patch
-
-        mkdir build
-        cd build
-        ../configure \
-            --prefix=/usr \
-            --disable-manpages
+        meson setup build --prefix=/usr -Dmanpages=false --sbindir=bin
     build:
       - |
-        cd build
-        make -j $(nproc)
+        meson compile -C build
     install:
       - |
-        cd build
-        make DESTDIR=/rootfs install
+        meson install -C build --destdir=/rootfs
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-libcap/pkg.yaml

@@ -20,6 +20,9 @@ steps:
       - |
         make DESTDIR=/rootfs PREFIX=/usr lib=/usr/lib sbin=/usr/bin install
         rm -rf /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-libselinux/pkg.yaml

@@ -27,6 +27,9 @@ steps:
     install:
       - |
         make install DESTDIR=/rootfs SUBDIRS="include src" SHLIBDIR=/usr/lib
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-libsepol/pkg.yaml

@@ -23,6 +23,9 @@ steps:
     install:
       - |
         make install DESTDIR=/rootfs SHLIBDIR=/usr/lib
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-openssl/pkg.yaml

@@ -45,6 +45,9 @@ steps:
       - |
         cd openssl
         make DESTDIR=/rootfs install_sw
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-pcre2/pkg.yaml

@@ -32,6 +32,9 @@ steps:
         cd build
         make DESTDIR=/rootfs install
         rm -rf /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-squashfs-tools/pkg.yaml

@@ -26,6 +26,9 @@ steps:
         cd squashfs-tools
         mkdir -p /rootfs/usr/bin
         make install INSTALL_DIR=/rootfs/usr/bin
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-tar/pkg.yaml

@@ -27,6 +27,10 @@ steps:
       - |
         cd build
         make DESTDIR=/rootfs install
+        rm -r /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-util-linux/pkg.yaml

@@ -41,6 +41,10 @@ steps:
         mkdir /rootfs
         make install DESTDIR=/rootfs
         rm -r /rootfs/usr/sbin
+        rm -r /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-xz/pkg.yaml

@@ -34,6 +34,10 @@ steps:
       - |
         cd build
         make DESTDIR=/rootfs install
+        rm -r /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-zlib/pkg.yaml

@@ -24,6 +24,10 @@ steps:
       - |
         cd build
         make DESTDIR=/rootfs install
+        rm -r /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools-zstd/pkg.yaml

@@ -21,6 +21,10 @@ steps:
     install:
       - |
         make DESTDIR=/rootfs install
+        rm -r /rootfs/usr/share
+    test:
+      - |
+        fhs-validator /rootfs
 finalize:
   - from: /rootfs
     to: /

tools/pkg.yaml

@@ -2,7 +2,7 @@ name: tools
 variant: scratch
 shell: /bin/sh
 dependencies:
-  - image: '{{ .TOOLCHAIN_IMAGE }}'
+  - stage: base # toolchain + fhs-validator
   - stage: abseil
   - stage: argp-standalone
   - stage: autoconf