internal/rosa/kernel: 6.12.76 to 6.12.77

Signed-off-by: Ophestra <cat@gensokyo.uk>

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
     <picture>
       <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
     </picture>
@@ -8,16 +8,16 @@
 
 <p align="center">
   <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
   <br/>
-  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
   <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
   <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 
 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
 self-contained Android-like package manager with modern security features.
 
 Interaction with hakurei happens entirely through structures described by
@@ -62,4 +62,4 @@ are very likely to be rejected.
 ## NixOS Module (deprecated)
 
 The NixOS module is in maintenance mode and will be removed once planterette is
-feature-complete. Full module documentation can be found [here](options.md).
+feature-complete. Full module documentation can be found [here](options.md).

cmd/earlyinit/main.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"runtime"
+	"strings"
 	. "syscall"
 )
 
@@ -12,6 +13,22 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")
 
+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -55,4 +72,56 @@ func main() {
 		}
 	}
 
+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
 }

hst/config.go

@@ -82,7 +82,7 @@ type Config struct {
 	//
 	// Do not set this to true, it is insecure under any configuration.
 	//
-	// [the /.flatpak-info hack]: https://git.gensokyo.uk/security/hakurei/issues/21
+	// [the /.flatpak-info hack]: https://git.gensokyo.uk/rosa/hakurei/issues/21
 	DirectPipeWire bool `json:"direct_pipewire,omitempty"`
 
 	// Direct access to PulseAudio socket, no attempt is made to establish

internal/rosa/all.go

@@ -20,8 +20,10 @@ const (
 	LLVMRuntimes
 	LLVMClang
 
-	// EarlyInit is the Rosa OS initramfs init program.
+	// EarlyInit is the Rosa OS init program.
 	EarlyInit
+	// ImageSystem is the Rosa OS /system image.
+	ImageSystem
 	// ImageInitramfs is the Rosa OS initramfs archive.
 	ImageInitramfs
 
@@ -110,21 +112,11 @@ const (
 	PkgConfig
 	Procps
 	Python
-	PythonCfgv
-	PythonDiscovery
-	PythonDistlib
-	PythonFilelock
-	PythonIdentify
 	PythonIniConfig
-	PythonNodeenv
 	PythonPackaging
-	PythonPlatformdirs
 	PythonPluggy
-	PythonPreCommit
 	PythonPyTest
-	PythonPyYAML
 	PythonPygments
-	PythonVirtualenv
 	QEMU
 	Rdfind
 	Rsync

internal/rosa/curl.go

@@ -12,24 +12,11 @@ func (t Toolchain) newCurl() (pkg.Artifact, string) {
 		mustDecode(checksum),
 		pkg.TarBzip2,
 	), &PackageAttr{
-		Patches: [][2]string{
-			{"test459-misplaced-line-break", `diff --git a/tests/data/test459 b/tests/data/test459
-index 7a2e1db7b3..cc716aa65a 100644
---- a/tests/data/test459
-+++ b/tests/data/test459
-@@ -54,8 +54,8 @@ Content-Type: application/x-www-form-urlencoded
- arg
- </protocol>
- <stderr mode="text">
--Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted whitespace.%SP
--Warning: This may cause side-effects. Consider double quotes.
-+Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted%SP
-+Warning: whitespace. This may cause side-effects. Consider double quotes.
- </stderr>
- </verify>
- </testcase>
-`},
-		},
+		// remove broken test
+		Writable: true,
+		ScriptEarly: `
+chmod +w tests/data && rm tests/data/test459
+`,
 	}, &MakeHelper{
 		Configure: [][2]string{
 			{"with-openssl"},

internal/rosa/hakurei_release.go

@@ -4,13 +4,13 @@ package rosa
 
 import "hakurei.app/internal/pkg"
 
-const hakureiVersion = "0.3.6"
+const hakureiVersion = "0.3.7"
 
 // hakureiSource is the source code of a hakurei release.
 var hakureiSource = pkg.NewHTTPGetTar(
-	nil, "https://git.gensokyo.uk/security/hakurei/archive/"+
+	nil, "https://git.gensokyo.uk/rosa/hakurei/archive/"+
 		"v"+hakureiVersion+".tar.gz",
-	mustDecode("Yul9J2yV0x453lQP9KUnG_wEJo_DbKMNM7xHJGt4rITCSeX9VRK2J4kzAxcv_0-b"),
+	mustDecode("Xh_sdITOATEAQN5_UuaOyrWsgboxorqRO9bml3dGm8GAxF8NFpB7MqhSZgjJxAl2"),
 	pkg.TarGzip,
 )
 

internal/rosa/images.go

@@ -1,6 +1,9 @@
 package rosa
 
-import "hakurei.app/internal/pkg"
+import (
+	"hakurei.app/container/fhs"
+	"hakurei.app/internal/pkg"
+)
 
 func init() {
 	artifactsM[EarlyInit] = Metadata{
@@ -24,12 +27,36 @@ echo
 	}
 }
 
+func (t Toolchain) newImageSystem() (pkg.Artifact, string) {
+	return t.New("system.img", TNoToolchain, t.AppendPresets(nil,
+		SquashfsTools,
+	), nil, nil, `
+mksquashfs /mnt/system /work/system.img
+`, pkg.Path(fhs.AbsRoot.Append("mnt"), false, t.AppendPresets(nil,
+		Musl,
+		Mksh,
+		Toybox,
+
+		Kmod,
+		Kernel,
+		Firmware,
+	)...)), Unversioned
+}
+func init() {
+	artifactsM[ImageSystem] = Metadata{
+		Name:        "system-image",
+		Description: "Rosa OS system image",
+
+		f: Toolchain.newImageSystem,
+	}
+}
+
 func (t Toolchain) newImageInitramfs() (pkg.Artifact, string) {
-	return t.New("initramfs", TNoToolchain, []pkg.Artifact{
-		t.Load(Zstd),
-		t.Load(EarlyInit),
-		t.Load(GenInitCPIO),
-	}, nil, nil, `
+	return t.New("initramfs", TNoToolchain, t.AppendPresets(nil,
+		Zstd,
+		EarlyInit,
+		GenInitCPIO,
+	), nil, nil, `
 gen_init_cpio -t 4294967295 -c /usr/src/initramfs | zstd > /work/initramfs.zst
 `, pkg.Path(AbsUsrSrc.Append("initramfs"), false, pkg.NewFile("initramfs", []byte(`
 dir /dev 0755 0 0

internal/rosa/kernel.go

@@ -2,12 +2,12 @@ package rosa
 
 import "hakurei.app/internal/pkg"
 
-const kernelVersion = "6.12.76"
+const kernelVersion = "6.12.77"
 
 var kernelSource = pkg.NewHTTPGetTar(
 	nil, "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
 		"snapshot/linux-"+kernelVersion+".tar.gz",
-	mustDecode("h0UATNznQbzplvthAqNLjVF-DJQHzGyhiy4za-9Ig9tOIpnoH9mWHbEjASV6lOl2"),
+	mustDecode("_MyFL0MqqNwAJx4fP8L9FkUayXIqEJto5trAPr_9UJvaT5TK1tvlU8leS82Hw2uw"),
 	pkg.TarGzip,
 )
 

internal/rosa/kernel_amd64.config

@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/x86 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220100
+CONFIG_CLANG_VERSION=220101
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220100
+CONFIG_AS_VERSION=220101
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220100
+CONFIG_LLD_VERSION=220101
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2402,7 +2402,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=m
+CONFIG_FW_LOADER=y
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2749,7 +2749,7 @@ CONFIG_BLK_DEV_NULL_BLK=m
 CONFIG_BLK_DEV_FD=m
 # CONFIG_BLK_DEV_FD_RAWCMD is not set
 CONFIG_CDROM=m
-CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
+CONFIG_BLK_DEV_PCIESSD_MTIP32XX=y
 CONFIG_ZRAM=m
 # CONFIG_ZRAM_BACKEND_LZ4 is not set
 # CONFIG_ZRAM_BACKEND_LZ4HC is not set
@@ -2775,9 +2775,9 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
-CONFIG_VIRTIO_BLK=m
+CONFIG_XEN_BLKDEV_FRONTEND=y
+# CONFIG_XEN_BLKDEV_BACKEND is not set
+CONFIG_VIRTIO_BLK=y
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
 CONFIG_BLKDEV_UBLK_LEGACY_OPCODES=y
@@ -2788,13 +2788,12 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=m
-CONFIG_NVME_AUTH=m
-CONFIG_NVME_CORE=m
-CONFIG_BLK_DEV_NVME=m
+CONFIG_NVME_KEYRING=y
+CONFIG_NVME_AUTH=y
+CONFIG_NVME_CORE=y
+CONFIG_BLK_DEV_NVME=y
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
-CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2911,10 +2910,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=m
+CONFIG_SCSI_MOD=y
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=m
-CONFIG_SCSI=m
+CONFIG_SCSI_COMMON=y
+CONFIG_SCSI=y
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2922,7 +2921,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=m
+CONFIG_BLK_DEV_SD=y
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3042,7 +3041,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=m
+CONFIG_SCSI_VIRTIO=y
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3052,7 +3051,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support
 
-CONFIG_ATA=m
+CONFIG_ATA=y
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3064,39 +3063,39 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=m
+CONFIG_SATA_AHCI=y
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=m
-CONFIG_AHCI_DWC=m
-CONFIG_AHCI_CEVA=m
+CONFIG_SATA_AHCI_PLATFORM=y
+CONFIG_AHCI_DWC=y
+CONFIG_AHCI_CEVA=y
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=m
-CONFIG_SATA_SIL24=m
+CONFIG_SATA_ACARD_AHCI=y
+CONFIG_SATA_SIL24=y
 CONFIG_ATA_SFF=y
 
 #
 # SFF controllers with custom DMA interface
 #
-CONFIG_PDC_ADMA=m
-CONFIG_SATA_QSTOR=m
+CONFIG_PDC_ADMA=y
+CONFIG_SATA_QSTOR=y
 CONFIG_SATA_SX4=m
 CONFIG_ATA_BMDMA=y
 
 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_DWC=m
+CONFIG_ATA_PIIX=y
+CONFIG_SATA_DWC=y
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_SIL=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
+CONFIG_SATA_MV=y
+CONFIG_SATA_NV=y
+CONFIG_SATA_PROMISE=y
+CONFIG_SATA_SIL=y
+CONFIG_SATA_SIS=y
+CONFIG_SATA_SVW=y
+CONFIG_SATA_ULI=y
+CONFIG_SATA_VIA=y
+CONFIG_SATA_VITESSE=y
 
 #
 # PATA SFF controllers with BMDMA
@@ -3130,7 +3129,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=m
+CONFIG_PATA_SIS=y
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3172,8 +3171,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=m
-CONFIG_ATA_GENERIC=m
+CONFIG_PATA_ACPI=y
+CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -9621,11 +9620,11 @@ CONFIG_EFI_SECRET=m
 CONFIG_SEV_GUEST=m
 CONFIG_TDX_GUEST_DRIVER=m
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=m
-CONFIG_VIRTIO_PCI_LIB=m
-CONFIG_VIRTIO_PCI_LIB_LEGACY=m
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_PCI_LIB=y
+CONFIG_VIRTIO_PCI_LIB_LEGACY=y
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=m
+CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO_PCI_ADMIN_LEGACY=y
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m

internal/rosa/kernel_arm64.config

@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/arm64 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220100
+CONFIG_CLANG_VERSION=220101
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220100
+CONFIG_AS_VERSION=220101
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220100
+CONFIG_LLD_VERSION=220101
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2384,7 +2384,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=m
+CONFIG_FW_LOADER=y
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2849,8 +2849,8 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
+CONFIG_XEN_BLKDEV_FRONTEND=y
+# CONFIG_XEN_BLKDEV_BACKEND is not set
 CONFIG_VIRTIO_BLK=m
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
@@ -2862,13 +2862,12 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=m
-CONFIG_NVME_AUTH=m
-CONFIG_NVME_CORE=m
-CONFIG_BLK_DEV_NVME=m
+CONFIG_NVME_KEYRING=y
+CONFIG_NVME_AUTH=y
+CONFIG_NVME_CORE=y
+CONFIG_BLK_DEV_NVME=y
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
-CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2977,10 +2976,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=m
+CONFIG_SCSI_MOD=y
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=m
-CONFIG_SCSI=m
+CONFIG_SCSI_COMMON=y
+CONFIG_SCSI=y
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2988,7 +2987,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=m
+CONFIG_BLK_DEV_SD=y
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3108,7 +3107,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=m
+CONFIG_SCSI_VIRTIO=y
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3118,7 +3117,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support
 
-CONFIG_ATA=m
+CONFIG_ATA=y
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3130,23 +3129,23 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=m
+CONFIG_SATA_AHCI=y
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=m
-CONFIG_AHCI_BRCM=m
-CONFIG_AHCI_DWC=m
+CONFIG_SATA_AHCI_PLATFORM=y
+CONFIG_AHCI_BRCM=y
+CONFIG_AHCI_DWC=y
 CONFIG_AHCI_IMX=m
-CONFIG_AHCI_CEVA=m
-CONFIG_AHCI_MTK=m
-CONFIG_AHCI_MVEBU=m
-CONFIG_AHCI_SUNXI=m
-CONFIG_AHCI_TEGRA=m
+CONFIG_AHCI_CEVA=y
+CONFIG_AHCI_MTK=y
+CONFIG_AHCI_MVEBU=y
+CONFIG_AHCI_SUNXI=y
+CONFIG_AHCI_TEGRA=y
 CONFIG_AHCI_XGENE=m
-CONFIG_AHCI_QORIQ=m
-CONFIG_SATA_AHCI_SEATTLE=m
+CONFIG_AHCI_QORIQ=y
+CONFIG_SATA_AHCI_SEATTLE=y
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=m
-CONFIG_SATA_SIL24=m
+CONFIG_SATA_ACARD_AHCI=y
+CONFIG_SATA_SIL24=y
 CONFIG_ATA_SFF=y
 
 #
@@ -3160,19 +3159,19 @@ CONFIG_ATA_BMDMA=y
 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_DWC=m
+CONFIG_ATA_PIIX=y
+CONFIG_SATA_DWC=y
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_RCAR=m
-CONFIG_SATA_SIL=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
+CONFIG_SATA_MV=y
+CONFIG_SATA_NV=y
+CONFIG_SATA_PROMISE=y
+CONFIG_SATA_RCAR=y
+CONFIG_SATA_SIL=y
+CONFIG_SATA_SIS=y
+CONFIG_SATA_SVW=y
+CONFIG_SATA_ULI=y
+CONFIG_SATA_VIA=y
+CONFIG_SATA_VITESSE=y
 
 #
 # PATA SFF controllers with BMDMA
@@ -3207,7 +3206,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=m
+CONFIG_PATA_SIS=y
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3249,8 +3248,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=m
-CONFIG_ATA_GENERIC=m
+CONFIG_PATA_ACPI=y
+CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -10436,11 +10435,11 @@ CONFIG_VMGENID=m
 CONFIG_NITRO_ENCLAVES=m
 CONFIG_ARM_PKVM_GUEST=y
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=m
-CONFIG_VIRTIO_PCI_LIB=m
-CONFIG_VIRTIO_PCI_LIB_LEGACY=m
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_PCI_LIB=y
+CONFIG_VIRTIO_PCI_LIB_LEGACY=y
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=m
+CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m
 CONFIG_VIRTIO_PMEM=m

internal/rosa/llvm.go

@@ -73,14 +73,8 @@ func llvmFlagName(flag int) string {
 	}
 }
 
-const (
-	llvmVersionMajor = "22"
-	llvmVersion      = llvmVersionMajor + ".1.1"
-)
-
 // newLLVMVariant returns a [pkg.Artifact] containing a LLVM variant.
 func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
-	const checksum = "bQvV6D8AZvQykg7-uQb_saTbVavnSo1ykNJ3g57F5iE-evU3HuOYtcRnVIXTK76e"
 
 	if attr == nil {
 		panic("LLVM attr must be non-nil")
@@ -169,7 +163,7 @@ ln -s ld.lld /work/system/bin/ld
 	return t.NewPackage("llvm", llvmVersion, pkg.NewHTTPGetTar(
 		nil, "https://github.com/llvm/llvm-project/archive/refs/tags/"+
 			"llvmorg-"+llvmVersion+".tar.gz",
-		mustDecode(checksum),
+		mustDecode(llvmChecksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches:   attr.patches,
@@ -316,7 +310,7 @@ ln -s clang++ /work/system/bin/c++
 ninja check-all
 `,
 
-		patches: [][2]string{
+		patches: slices.Concat([][2]string{
 			{"add-rosa-vendor", `diff --git a/llvm/include/llvm/TargetParser/Triple.h b/llvm/include/llvm/TargetParser/Triple.h
 index 9c83abeeb3b1..5acfe5836a23 100644
 --- a/llvm/include/llvm/TargetParser/Triple.h
@@ -488,7 +482,7 @@ index 64324a3f8b01..15ce70b68217 100644
                                     "/System/Library/Frameworks"};
  
 `},
-		},
+		}, clangPatches),
 	})
 
 	return

internal/rosa/llvm_amd64.go

@@ -0,0 +1,4 @@
+package rosa
+
+// clangPatches are patches applied to the LLVM source tree for building clang.
+var clangPatches [][2]string

internal/rosa/llvm_arm64.go

@@ -0,0 +1,12 @@
+package rosa
+
+// clangPatches are patches applied to the LLVM source tree for building clang.
+var clangPatches [][2]string
+
+// one version behind, latest fails 5 tests with 2 flaky on arm64
+const (
+	llvmVersionMajor = "21"
+	llvmVersion      = llvmVersionMajor + ".1.8"
+
+	llvmChecksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
+)

internal/rosa/llvm_latest.go

@@ -0,0 +1,11 @@
+//go:build !arm64
+
+package rosa
+
+// latest version of LLVM, conditional to temporarily avoid broken new releases
+const (
+	llvmVersionMajor = "22"
+	llvmVersion      = llvmVersionMajor + ".1.1"
+
+	llvmChecksum = "bQvV6D8AZvQykg7-uQb_saTbVavnSo1ykNJ3g57F5iE-evU3HuOYtcRnVIXTK76e"
+)

internal/rosa/meson.go

@@ -9,8 +9,8 @@ import (
 
 func (t Toolchain) newMeson() (pkg.Artifact, string) {
 	const (
-		version  = "1.10.1"
-		checksum = "w895BXF_icncnXatT_OLCFe2PYEtg4KrKooMgUYdN-nQVvbFX3PvYWHGEpogsHtd"
+		version  = "1.10.2"
+		checksum = "18VmKUVKuXCwtawkYCeYHseC3cKpi86OhnIPaV878wjY0rkXH8XnQwUyymnxFgcl"
 	)
 	return t.New("meson-"+version, 0, []pkg.Artifact{
 		t.Load(Zlib),

internal/rosa/python.go

@@ -195,103 +195,4 @@ func init() {
 		PythonPluggy,
 		PythonPygments,
 	)
-
-	artifactsM[PythonCfgv] = newViaPip(
-		"cfgv",
-		"validate configuration and produce human readable error messages",
-		"3.5.0", "py2.py3", "none", "any",
-		"yFKTyVRlmnLKAxvvge15kAd_GOP1Xh3fZ0NFImO5pBdD5e0zj3GRmA6Q1HdtLTYO",
-		"https://files.pythonhosted.org/packages/"+
-			"db/3c/33bac158f8ab7f89b2e59426d5fe2e4f63f7ed25df84c036890172b412b5/",
-	)
-
-	artifactsM[PythonIdentify] = newViaPip(
-		"identify",
-		"file identification library for Python",
-		"2.6.17", "py2.py3", "none", "any",
-		"9RxK3igO-Pxxof5AuCAGiF_L1SWi4SpuSF1fWNXCzE2D4oTRSob-9VpFMLlybrSv",
-		"https://files.pythonhosted.org/packages/"+
-			"40/66/71c1227dff78aaeb942fed29dd5651f2aec166cc7c9aeea3e8b26a539b7d/",
-	)
-
-	artifactsM[PythonNodeenv] = newViaPip(
-		"nodeenv",
-		"a tool to create isolated node.js environments",
-		"1.10.0", "py2.py3", "none", "any",
-		"ihUb4-WQXYIhYOOKSsXlKIzjzQieOYl6ojro9H-0DFzGheaRTtuyZgsCmriq58sq",
-		"https://files.pythonhosted.org/packages/"+
-			"88/b2/d0896bdcdc8d28a7fc5717c305f1a861c26e18c05047949fb371034d98bd/",
-	)
-
-	artifactsM[PythonPyYAML] = newViaPip(
-		"pyyaml",
-		"a complete YAML 1.1 parser",
-		"6.0.3", "cp314", "cp314", "musllinux_1_2_x86_64",
-		"4_jhCFpUNtyrFp2HOMqUisR005u90MHId53eS7rkUbcGXkoaJ7JRsY21dREHEfGN",
-		"https://files.pythonhosted.org/packages/"+
-			"d7/ce/af88a49043cd2e265be63d083fc75b27b6ed062f5f9fd6cdc223ad62f03e/",
-	)
-
-	artifactsM[PythonDistlib] = newViaPip(
-		"distlib",
-		"used as the basis for third-party packaging tools",
-		"0.4.0", "py2.py3", "none", "any",
-		"lGLLfYVhUhXOTw_84zULaH2K8n6pk1OOVXmJfGavev7N42msbtHoq-XY5D_xULI_",
-		"https://files.pythonhosted.org/packages/"+
-			"33/6b/e0547afaf41bf2c42e52430072fa5658766e3d65bd4b03a563d1b6336f57/",
-	)
-
-	artifactsM[PythonFilelock] = newViaPip(
-		"filelock",
-		"a platform-independent file locking library for Python",
-		"3.25.0", "py3", "none", "any",
-		"0gSQIYNUEjOs1JBxXjGwfLnwFPFINwqyU_Zqgj7fT_EGafv_HaD5h3Xv2Rq_qQ44",
-		"https://files.pythonhosted.org/packages/"+
-			"f9/0b/de6f54d4a8bedfe8645c41497f3c18d749f0bd3218170c667bf4b81d0cdd/",
-	)
-
-	artifactsM[PythonPlatformdirs] = newViaPip(
-		"platformdirs",
-		"a Python package for determining platform-specific directories",
-		"4.9.4", "py3", "none", "any",
-		"JGNpMCX2JMn-7c9bk3QzOSNDgJRR_5lH-jIqfy0zXMZppRCdLsTNbdp4V7QFwxOI",
-		"https://files.pythonhosted.org/packages/"+
-			"63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/",
-	)
-
-	artifactsM[PythonDiscovery] = newViaPip(
-		"python_discovery",
-		"looks for a python installation",
-		"1.1.1", "py3", "none", "any",
-		"Jk_qGMfZYm0fdNOSvMdVQZuQbJlqu3NWRm7T2fRtiBXmHLQyOdJE3ypI_it1OJR0",
-		"https://files.pythonhosted.org/packages/"+
-			"75/0f/2bf7e3b5a4a65f623cb820feb5793e243fad58ae561015ee15a6152f67a2/",
-		PythonFilelock,
-		PythonPlatformdirs,
-	)
-
-	artifactsM[PythonVirtualenv] = newViaPip(
-		"virtualenv",
-		"a tool for creating isolated virtual python environments",
-		"21.1.0", "py3", "none", "any",
-		"SLvdr3gJZ7GTS-kiRyq2RvJdrQ8SZYC1pglbViWCMLCuAIcbLNjVEUJZ4hDtKUxm",
-		"https://files.pythonhosted.org/packages/"+
-			"78/55/896b06bf93a49bec0f4ae2a6f1ed12bd05c8860744ac3a70eda041064e4d/",
-		PythonDistlib,
-		PythonDiscovery,
-	)
-
-	artifactsM[PythonPreCommit] = newViaPip(
-		"pre_commit",
-		"a framework for managing and maintaining multi-language pre-commit hooks",
-		"4.5.1", "py2.py3", "none", "any",
-		"9G2Hv5JpvXFZVfw4pv_KAsmHD6bvot9Z0YBDmW6JeJizqTA4xEQCKel-pCERqQFK",
-		"https://files.pythonhosted.org/packages/"+
-			"5d/19/fd3ef348460c80af7bb4669ea7926651d1f95c23ff2df18b9d24bab4f3fa/",
-		PythonCfgv,
-		PythonIdentify,
-		PythonNodeenv,
-		PythonPyYAML,
-		PythonVirtualenv,
-	)
 }

internal/rosa/tamago.go

@@ -17,6 +17,7 @@ func (t Toolchain) newTamaGo() (pkg.Artifact, string) {
 	), nil, []string{
 		"CC=cc",
 		"GOCACHE=/tmp/gocache",
+		"CGO_ENABLED=0",
 	}, `
 mkdir /work/system # "${TMPDIR}"
 cp -r /usr/src/tamago /work/system

package.nix

@@ -30,7 +30,7 @@
 
 buildGo126Module rec {
   pname = "hakurei";
-  version = "0.3.6";
+  version = "0.3.7";
 
   srcFiltered = builtins.path {
     name = "${pname}-src";