chore: update dependencies, hermetic build

- Build Python dependencies hermetically
- Download Go dependencies in prepare stage to ensure hermeticity
- Fix ca-certificates permissions (fixes kres network issue)
- Don't build sd-boot here, as we build systemd in pkgs
- Publish packages to not be rebuilt in pkgs
- Update toolchain for newer Go
- Update dependencies
- rekres

Fixes: #424
Ref: siderolabs/pkgs#1153
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>

Author: dsseng

.kres.yaml

@@ -3,6 +3,14 @@ kind: pkgfile.Build
 spec:
   targets:
     - tools
+    - tools-ca-certificates
+    - tools-kmod
+    - tools-libcap
+    - tools-libselinux
+    - tools-libsepol
+    - tools-openssl
+    - tools-pcre2
+    - tools-util-linux
   reproducibleTargetName: tools
 ---
 kind: common.Renovate

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-01-15T13:57:46Z by kres 3b3f992.
+# Generated on 2025-02-13T13:00:26Z by kres 5e9dc91.
 
 # common variables
 
@@ -25,7 +25,7 @@ SOURCE_DATE_EPOCH := $(shell git log $(INITIAL_COMMIT_SHA) --pretty=%ct)
 
 # sync bldr image with pkgfile
 
-BLDR_RELEASE := v0.4.0-1-g76a2c8f
+BLDR_RELEASE := v0.4.1
 BLDR_IMAGE := ghcr.io/siderolabs/bldr:$(BLDR_RELEASE)
 BLDR := docker run --rm --user $(shell id -u):$(shell id -g) --volume $(PWD):/src --entrypoint=/bldr $(BLDR_IMAGE) --root=/src
 
@@ -45,6 +45,14 @@ COMMON_ARGS += --build-arg=SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)
 # targets defines all the available targets
 
 TARGETS = tools
+TARGETS += tools-ca-certificates
+TARGETS += tools-kmod
+TARGETS += tools-libcap
+TARGETS += tools-libselinux
+TARGETS += tools-libsepol
+TARGETS += tools-openssl
+TARGETS += tools-pcre2
+TARGETS += tools-util-linux
 
 # help menu
 

Pkgfile

@@ -2,7 +2,7 @@ name: curl
 variant: scratch
 dependencies:
   - stage: base
-  - stage: openssl
+  - stage: tools-openssl
     runtime: true
   - stage: zlib
     runtime: true

curl/pkg.yaml

@@ -6,7 +6,7 @@ dependencies:
   - stage: autoconf
   - stage: automake
   - stage: libtool
-  - stage: libcap
+  - stage: tools-libcap
 steps:
   - sources:
       - url: https://salsa.debian.org/clint/fakeroot/-/archive/upstream/{{ .fakeroot_version }}/fakeroot-upstream-{{ .fakeroot_version }}.tar.gz

deps.png

@@ -5,7 +5,7 @@ dependencies:
   - stage: zlib
     runtime: true
   - stage: gettext
-  - stage: openssl
+  - stage: tools-openssl
   - stage: curl
     runtime: true
   - stage: autoconf

fakeroot/pkg.yaml

@@ -4,19 +4,17 @@ dependencies:
   - stage: base
   - stage: libffi
   - stage: python3
-  - stage: openssl
+  - stage: python-setuptools
+  - stage: tools-openssl
   - stage: zlib
 steps:
   - sources:
       - url: https://github.com/mesonbuild/meson/releases/download/{{ .meson_version }}/meson-{{ .meson_version }}.tar.gz
         destination: meson.tar.gz
         sha256: "{{ .meson_sha256 }}"
         sha512: "{{ .meson_sha512 }}"
-  - network: default
     prepare:
       - |
-        pip3 install setuptools
-
         tar -xzf meson.tar.gz --strip-components=1
     build:
       - |

git/pkg.yaml

@@ -0,0 +1,29 @@
+name: ninja
+variant: scratch
+dependencies:
+  - stage: base
+  - stage: cmake
+  - stage: curl
+  - stage: libuv
+  - stage: xz
+  - stage: expat
+  - stage: rhash
+steps:
+  - sources:
+      - url: https://github.com/ninja-build/ninja/archive/refs/tags/{{ .ninja_version }}.tar.gz
+        destination: ninja.tar.gz
+        sha256: "{{ .ninja_sha256 }}"
+        sha512: "{{ .ninja_sha512 }}"
+    prepare:
+      - |
+        tar -xzf ninja.tar.gz --strip-components=1
+        cmake -Bbuild -DBUILD_TESTING=OFF
+    build:
+      - |
+        cmake --build build
+    install:
+      - |
+        install -m755 -D build/ninja /rootfs/usr/bin/ninja
+finalize:
+  - from: /rootfs
+    to: /

meson/pkg.yaml

@@ -20,10 +20,10 @@ dependencies:
   - stage: xz
 steps:
   - sources:
-      - url: https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot/pahole-{{.pahole_version }}.tar.gz
+      - url: https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot/pahole-{{ .pahole_version }}.tar.gz
         destination: pahole.tar.gz
-        sha256: "{{.pahole_sha256 }}"
-        sha512: "{{.pahole_sha512 }}"
+        sha256: "{{ .pahole_sha256 }}"
+        sha512: "{{ .pahole_sha512 }}"
     prepare:
       - |
         tar -xzf pahole.tar.gz --strip-components=1