This includes two logically separate changes:
- on the host, try not to require sudo when running the build scripts
- namely when interacting with the docker daemon, this requires
the unix user on the host to be part of the `docker` group
- this solves part of https://github.com/spesmilo/electrum/issues/7602
- while running inside the docker containers, do not run as root
- this means that e.g. files created in mounted folders should
no longer be owned by root on the host
- there is some code duplication involved here - not sure
how it could be deduped.
aiorpcx 0.20 changed the behaviour/API of TaskGroups.
When used as a context manager, TaskGroups no longer propagate
exceptions raised by their tasks. Instead, the calling code has
to explicitly check the results of tasks and decide whether to re-raise
any exceptions.
This is a significant change, and so this commit introduces "OldTaskGroup",
which should behave as the TaskGroup class of old aiorpcx. All existing
usages of TaskGroup are replaced with OldTaskGroup.
closes https://github.com/spesmilo/electrum/issues/7446
maybe fixes https://github.com/spesmilo/electrum/issues/7640
Looks like by default pip is ignoring the locally available setuptools and wheel,
and downloading the latest ones from the internet at build time...
https://pip.pypa.io/en/stable/reference/build-system/pyproject-toml/?highlight=no-build-isolation#disabling-build-isolationhttps://stackoverflow.com/a/62889268
> When making build requirements available, pip does so in an isolated environment. That is, pip does not install those requirements into the user’s site-packages, but rather installs them in a temporary directory which it adds to the user’s sys.path for the duration of the build. This ensures that build requirements are handled independently of the user’s runtime environment. For example, a project that needs a recent version of setuptools to build can still be installed, even if the user has an older version installed (and without silently replacing that version).
>
> In certain cases, projects (or redistributors) may have workflows that explicitly manage the build environment. For such workflows, build isolation can be problematic. If this is the case, pip provides a --no-build-isolation flag to disable build isolation. Users supplying this flag are responsible for ensuring the build environment is managed appropriately (including ensuring that all required build dependencies are installed).
If only it were that easy!
If we add the "--no-build-isolation" flag, it becomes our responsibility to install *all* build time deps,
hence we now have "requirements-build-makepackages.txt".
Historically, there have often been (visual) issues with new versions of qdarkstyle.
The upper bound restriction was mainly there for this reason: to ~force manually testing new versions.
There is no known issue with newer versions atm.
Remove the upper bound, as there have not been issues with newer versions recently,
and this makes it clear to e.g. packagers that it's fine to use newer versions.
Add a lower bound for a version that has been tested in the past and is known to work ok.
related https://github.com/spesmilo/electrum/issues/7361
The <2.1 pin had been put there as dnspython 2.1 added "poetry" as a build time dep,
which pulled in a significant number of transitive dependencies, and it was also
causing issues with our appimage build.
dnspython 2.2.0 was released since, which no longer needs full poetry, only "poetry-core":
da279dec7e
related https://github.com/spesmilo/electrum/issues/7361
trezorlib requires "dataclasses ; python_version<'3.7'", and our min supported python version is 3.6,
so freeze_packages.sh pins down a version of "dataclasses". However, when creating binaries we
use newer versions of python (typically py3.9 atm), for which dataclasses is not available (it's a backport of py3.7 stuff).
Hmhm, what to do... short-term, I am manually removing the dataclasses pin, so it won't be installed in our binaries.
```
Collecting construct==2.10.67
Downloading construct-2.10.67.tar.gz (57 kB)
|████████████████████████████████| 57 kB 2.7 MB/s
Preparing metadata (setup.py) ... done
Requirement already satisfied: cryptography==36.0.1 in ./build/appimage/electrum.AppDir/usr/lib/python3.9/site-packages (from -r /opt/electrum/contrib/build-linux/appimage/../../../contrib/deterministic-build/requirements-hw.txt (line 74)) (36.0.1)
ERROR: Could not find a version that satisfies the requirement dataclasses==0.8 (from versions: 0.1, 0.2, 0.3, 0.4, 0.5, 0.6)
ERROR: No matching distribution found for dataclasses==0.8
```
The latest release of appimagetool bundles a new enough version of
mksquashfs. We had been building a fork of mksquashfs but all the
relevant patches there had been upstreamed.
Note: we still need a wrapper when calling mksquashfs, as appimagetool
calls it with "-mkfs-time 0" and we have the SOURCE_DATE_EPOCH env var
set; and these two would conflict.
Two ways to fix: either unset SOURCE_DATE_EPOCH for that context, or
build a wrapper that removes the "-mkfs-time 0". The former would be
cleaner but for some reason I did not manage to build reproducibly
that way. The latter seems to work.
related:
- https://github.com/AppImage/AppImageKit/issues/929#issuecomment-580769875
> Now official squashfs 4.4 makes reproducible images by default
- https://github.com/AppImage/AppImageKit/pull/996
-----
closes https://github.com/spesmilo/electrum/issues/6936
Note: if we used the python crowdin client (https://github.com/crowdin/crowdin-api-client-python),
we would do something like this:
```
from crowdin_api import CrowdinClient
class MyCrowdinClient(CrowdinClient):
TOKEN = ...
client = MyCrowdinClient()
with open(locale_file_name, 'rb') as f:
resp = client.storages.add_storage(f)
storage_id = resp['data']['id']
client.source_files.update_file(projectId=crowdin_project_id, storageId=storage_id, fileId=crowdin_file_id)
client.translations.build_crowdin_project_translation(projectId=crowdin_project_id)
```
- added notes about reproducibility requirements
- adapted build scripts from Bitcoin Core that can
- extract signatures from a signed .app
- apply previously extracted signatures to an unsigned .app