depot_tools/cipd_manifest.txt

# Copyright 2017 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Pin resolved versions in the repo, to reduce trust in the CIPD backend.
#
# Most of these tools are generated via builders at
# https://ci.chromium.org/p/infra/g/infra/console
#
# For these, the git revision is the one of
# https://chromium.googlesource.com/infra/infra.git.
#
# To regenerate them (after modifying this file):
#   cipd ensure-file-resolve -ensure-file cipd_manifest.txt
$ResolvedVersions cipd_manifest.versions

# Fully supported plaforms.
$VerifiedPlatform linux-amd64 mac-amd64 windows-amd64 windows-386

# Platform with best-effort support: we have some binaries cross-compiled for
# them, but we do not test they work. They also may not have all necessary
# vpython packages.
$VerifiedPlatform linux-386 linux-ppc64 linux-ppc64le linux-s390x
$VerifiedPlatform linux-arm64 linux-armv6l
$VerifiedPlatform linux-mips64 linux-mips64le linux-mipsle

# vpython.
infra/tools/luci/vpython/${platform} git_revision:98a268c6432f18aedd55d62b9621765316dc2a16

# LUCI editor
infra/tools/luci/led/${platform} git_revision:423aa5860a7b6322451baccb1e087f07815ca415

# LUCI config generator
infra/tools/luci/lucicfg/${platform} git_revision:79dd13c2262d61758111e6d7205e44d94ef47fbc

# Mac toolchain installer
infra/tools/mac_toolchain/${os=mac}-${arch} git_revision:47354a337f7eb444f2cb1e1b5d30ac3940f1d097

# LUCI rpc command line tool
infra/tools/prpc/${platform} git_revision:edd5644be66d37cdf82978efb0e5d6504d0d552f

# LUCI authentication command line tool
infra/tools/luci-auth/${platform} git_revision:edd5644be66d37cdf82978efb0e5d6504d0d552f

# LUCI Buildbucket CLI
infra/tools/bb/${platform} git_revision:d0bb723b707deed5f523ad688c63fd48429bb3ee

# CHROMEOS Buildjobs CLI
chromiumos/infra/crosjobs/${platform=linux-amd64} git_revision:ed616d595eb7241d39d34907050d2949121d6ae8
Add vpython to depot_tools for linux and mac BUG=717208 R=dnj@chromium.org Change-Id: If937a382be9aa4d8eb5f957386e8b1b28cc1c3ac Reviewed-on: https://chromium-review.googlesource.com/492086 Reviewed-by: Daniel Jacques <dnj@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> Commit-Queue: Sergey Berezin <sergeyberezin@chromium.org> 8 years ago			`# Copyright 2017 The Chromium Authors. All rights reserved.`
			`# Use of this source code is governed by a BSD-style license that can be`
			`# found in the LICENSE file.`

[cipd] Pin hashes of CIPD packages. Together with already committed cipd_client_version.digests file, this cryptographically binds contents of CIPD packages used by depot_tools with depot_tool's git revision (assuming the CIPD client pinned by cipd_client_version.digests is trusted too, which can presumably be verified when it is being pinned). This holds true even if the CIPD backend is compromised. The worst that can happen is a denial of service (e.g. if the backend refuses to serve packages at all). If a bad backend tries to serve a malicious (unexpected) CIPD client, 'cipd' bootstrap script (and its powershell counterpart) will detect a mismatch between SHA256 of the fetched binary and what's specified in cipd_client_version.digests, and will refuse to run the untrusted binary. Similarly, if the bad backend tries to serve some other unexpected package (in place of a package specified in cipd_manifest.txt), the CIPD client (already verified and trusted as this point) will detect a mismatch between what was fetched and what's pinned in cipd_manifest.versions, and will refuse to install untrusted files. cipd_manifest.versions was generated from cipd_manifest.txt by: $ cipd ensure-file-resolve -ensure-file cipd_manifest.txt This will have to be rerun each time cipd_manifest.txt is updated. There's a presubmit check that verifies *.versions file is up-to-date (it's part of 'cipd ensure-file-verify'). BUG=870166 R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5 Reviewed-on: https://chromium-review.googlesource.com/1227435 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> 7 years ago			`# Pin resolved versions in the repo, to reduce trust in the CIPD backend.`
[cipd] Bump CIPD client and vpython versions. The most notable change is in how the integrity of the tag cache file is checked. Once deployed, existing tag cache files will be considered invalid and wiped. The only observable side effect is the following line in the log: "can't deserialize tag cache - no sha256 is recorded in the file" R=tandrii@chromium.org, iannucci@chromium.org Change-Id: I7ea300a4e7ad8be0c1d42ae561c5202420d2db62 Reviewed-on: https://chromium-review.googlesource.com/c/1327823 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 6 years ago			`#`
cipd: Update lucicfg to 1.7.7. Add link in cipd_manifest.txt to help people figure out which commit to use. R=jchinlee@chromium.org Bug: 808836 Change-Id: I2c03c6a25e79363792a85d976d2a245b0ba6b5b3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1633173 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Robbie Iannucci <iannucci@chromium.org> 6 years ago			`# Most of these tools are generated via builders at`
			`# https://ci.chromium.org/p/infra/g/infra/console`
			`#`
			`# For these, the git revision is the one of`
			`# https://chromium.googlesource.com/infra/infra.git.`
			`#`
[cipd] Bump CIPD client and vpython versions. The most notable change is in how the integrity of the tag cache file is checked. Once deployed, existing tag cache files will be considered invalid and wiped. The only observable side effect is the following line in the log: "can't deserialize tag cache - no sha256 is recorded in the file" R=tandrii@chromium.org, iannucci@chromium.org Change-Id: I7ea300a4e7ad8be0c1d42ae561c5202420d2db62 Reviewed-on: https://chromium-review.googlesource.com/c/1327823 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 6 years ago			`# To regenerate them (after modifying this file):`
			`# cipd ensure-file-resolve -ensure-file cipd_manifest.txt`
[cipd] Pin hashes of CIPD packages. Together with already committed cipd_client_version.digests file, this cryptographically binds contents of CIPD packages used by depot_tools with depot_tool's git revision (assuming the CIPD client pinned by cipd_client_version.digests is trusted too, which can presumably be verified when it is being pinned). This holds true even if the CIPD backend is compromised. The worst that can happen is a denial of service (e.g. if the backend refuses to serve packages at all). If a bad backend tries to serve a malicious (unexpected) CIPD client, 'cipd' bootstrap script (and its powershell counterpart) will detect a mismatch between SHA256 of the fetched binary and what's specified in cipd_client_version.digests, and will refuse to run the untrusted binary. Similarly, if the bad backend tries to serve some other unexpected package (in place of a package specified in cipd_manifest.txt), the CIPD client (already verified and trusted as this point) will detect a mismatch between what was fetched and what's pinned in cipd_manifest.versions, and will refuse to install untrusted files. cipd_manifest.versions was generated from cipd_manifest.txt by: $ cipd ensure-file-resolve -ensure-file cipd_manifest.txt This will have to be rerun each time cipd_manifest.txt is updated. There's a presubmit check that verifies *.versions file is up-to-date (it's part of 'cipd ensure-file-verify'). BUG=870166 R=nodir@chromium.org, iannucci@chromium.org, tandrii@chromium.org Change-Id: I25314adf0a9b05c69cd16e75aff01dbc79c87aa5 Reviewed-on: https://chromium-review.googlesource.com/1227435 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> 7 years ago			`$ResolvedVersions cipd_manifest.versions`

Demote linux-386 to "best effort support", just like e.g. linux-ppc64. It seems unfair to completely kill linux-386, while we still provide minimal best-effort support for more exotic platforms like linux-ppc64 or linux-s390x. R=iannucci@chromium.org, tandrii@chromium.org BUG=854300 Change-Id: Ia31ebb42f7e596c495b09bb99ecb376801256d55 Reviewed-on: https://chromium-review.googlesource.com/1111026 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 7 years ago			`# Fully supported plaforms.`
Revert "cipd: remove windows-386" This reverts commit 314e30187959f6a98d1f1498690c8537711cf0af. Reason for revert: On second thought, I don't think we want this. Original change's description: > cipd: remove windows-386 > > Running depot_tools on Windows 32 bits is not supported anymore. > > Add a comment to cipd_manifest.txt to help people to figure out by themselves > where to look to do a roll. > > Change-Id: I8a8c2d1437ec77c99588261e3eba0abdcb13c105 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1630448 > Auto-Submit: Marc-Antoine Ruel <maruel@chromium.org> > Reviewed-by: Robbie Iannucci <iannucci@chromium.org> > Commit-Queue: Robbie Iannucci <iannucci@chromium.org> TBR=maruel@chromium.org,iannucci@chromium.org Change-Id: I206becbf5bde4bb12e9d71ccab13027171fb017f No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1633030 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Robbie Iannucci <iannucci@chromium.org> 6 years ago			`$VerifiedPlatform linux-amd64 mac-amd64 windows-amd64 windows-386`
Demote linux-386 to "best effort support", just like e.g. linux-ppc64. It seems unfair to completely kill linux-386, while we still provide minimal best-effort support for more exotic platforms like linux-ppc64 or linux-s390x. R=iannucci@chromium.org, tandrii@chromium.org BUG=854300 Change-Id: Ia31ebb42f7e596c495b09bb99ecb376801256d55 Reviewed-on: https://chromium-review.googlesource.com/1111026 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 7 years ago
			`# Platform with best-effort support: we have some binaries cross-compiled for`
			`# them, but we do not test they work. They also may not have all necessary`
			`# vpython packages.`
			`$VerifiedPlatform linux-386 linux-ppc64 linux-ppc64le linux-s390x`
[cipd] Bump versions of all CIPD packages + add mips(64)le platform support. New packages are built using SHA256 as instance ID (instead of SHA1). R=iannucci@chromium.org BUG=821194, 867819, 813782 Change-Id: I61cf71386975725f7f63097eeb62f094ff50e396 Reviewed-on: https://chromium-review.googlesource.com/1165598 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 7 years ago			`$VerifiedPlatform linux-arm64 linux-armv6l`
			`$VerifiedPlatform linux-mips64 linux-mips64le linux-mipsle`
[vpython] Update vpython From https://chromium.googlesource.com/infra/luci/luci-go: git log a90d36d07f65098da34b600f6cfb8a5f05199ac5..63bd11762eec0b8604bc89dcfb9de4f5dad3777a --oneline vpython e638db97 [vpython] Normalize spec before verification. 22c141ce [vpython] Remove maximum script path length check. b1e7bc36 [vpython] Better failure output. 3edc75c8 [vpython] Better VirtualEnv isolation. R=dnj@chromium.org, nodir@chromium.org Bug: Change-Id: I20d06c51760b27e70b9ce65c7ddd856943fab7eb Reviewed-on: https://chromium-review.googlesource.com/731512 Reviewed-by: Nodir Turakulov <nodir@chromium.org> Reviewed-by: Ryan Tseng <hinoka@chromium.org> Commit-Queue: Robbie Iannucci <iannucci@chromium.org> 7 years ago
Add vpython to depot_tools for linux and mac BUG=717208 R=dnj@chromium.org Change-Id: If937a382be9aa4d8eb5f957386e8b1b28cc1c3ac Reviewed-on: https://chromium-review.googlesource.com/492086 Reviewed-by: Daniel Jacques <dnj@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> Commit-Queue: Sergey Berezin <sergeyberezin@chromium.org> 8 years ago			`# vpython.`
[vpython] Roll to 98a268c6432f18aedd55d62b9621765316dc2a16 Newer builds of vpython contain vpython3 as well. Bug: 898348 Change-Id: I63b197690e2ae47bd4c6cd50894c4769e1a18334 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1727581 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: smut <smut@google.com> 6 years ago			`infra/tools/luci/vpython/${platform} git_revision:98a268c6432f18aedd55d62b9621765316dc2a16`
[led] add LUCI editor to depot_tools. R=nodir@chromium.org Bug: 662654 Change-Id: I18898cb426ccbb895a82410dc61910a8b8e48f14 Reviewed-on: https://chromium-review.googlesource.com/517664 Commit-Queue: Robbie Iannucci <iannucci@chromium.org> Reviewed-by: Nodir Turakulov <nodir@chromium.org> 8 years ago
			`# LUCI editor`
Roll led to latest version 423aa5860 [led] Set logdog prefix as led_run_id property 40c1ac5b5 [led] Set recipe input property for recipes source d9cf01212 [led] When consolidating isolateds, skip empty isolate hashes. 838b3cb14 [led] Pull isolate consolidation out of GetSwarmingTask. 7a6c68c7a [led] Make edit-isolated orthogonal to edit-recipe-bundle. 8e8edcb4f Have led launch set OutputResultJSONPath kitchen argument 93e7d934e [led] Add the ability for led edit-isolated to take a transform program. f5808de3a Fix many shadowed symbols 371e55885 Fix many misspellings 1cc5f65cf [led edit-isolated] Fix bug when inputsref is missing. R=tandrii@chromium.org Change-Id: I8bef431fe57f7331a8f5fc85e898916ee93fa9f7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1788412 Commit-Queue: Andrii Shyshkalov <tandrii@google.com> Reviewed-by: Andrii Shyshkalov <tandrii@google.com> 6 years ago			`infra/tools/luci/led/${platform} git_revision:423aa5860a7b6322451baccb1e087f07815ca415`
depot_tools: add mac_toolchain shim This tool will soon be added as a gclient hook for Mac developers to install the requested Xcode version on their workstations, and it's easier if gclient can assume it on PATH. BUG=475693 R=iannucci@chromium.org Change-Id: I6af90755bb2ee6de1e19e3a475d9a23bf75888c3 Reviewed-on: https://chromium-review.googlesource.com/756888 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Reviewed-by: Aaron Gable <agable@chromium.org> Commit-Queue: Sergey Berezin <sergeyberezin@chromium.org> 7 years ago
[cipd] Add lucicfg tool. It knows how to interpret configuration files written in Starlark-based DSL and produce a bunch of protobuf messages as a result. Will be used to generate various infra configs. In particular, will be used by infra developers (to update configs), by PRESUBMIT.py on dev machines (to verify configs before uploading CLs) and by bots (to verify configs before submitting CLs). R=tandrii@chromium.org BUG=833946 Change-Id: Iceec7d808ce180f7d4a341fab8b5ce11933c2a6b Reviewed-on: https://chromium-review.googlesource.com/c/1444499 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> 6 years ago			`# LUCI config generator`
[lucicfg] Bump lucicfg to v1.8.6. This version can load external proto descriptors. No other significant changes. TBR=tandrii@chromium.org, iannucci@chromium.org BUG=986972 Change-Id: I26317512ffcee0a50e051032d30ec79bbd805644 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1778707 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Auto-Submit: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@google.com> 6 years ago			`infra/tools/luci/lucicfg/${platform} git_revision:79dd13c2262d61758111e6d7205e44d94ef47fbc`
[cipd] Add lucicfg tool. It knows how to interpret configuration files written in Starlark-based DSL and produce a bunch of protobuf messages as a result. Will be used to generate various infra configs. In particular, will be used by infra developers (to update configs), by PRESUBMIT.py on dev machines (to verify configs before uploading CLs) and by bots (to verify configs before submitting CLs). R=tandrii@chromium.org BUG=833946 Change-Id: Iceec7d808ce180f7d4a341fab8b5ce11933c2a6b Reviewed-on: https://chromium-review.googlesource.com/c/1444499 Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> 6 years ago
depot_tools: add mac_toolchain shim This tool will soon be added as a gclient hook for Mac developers to install the requested Xcode version on their workstations, and it's easier if gclient can assume it on PATH. BUG=475693 R=iannucci@chromium.org Change-Id: I6af90755bb2ee6de1e19e3a475d9a23bf75888c3 Reviewed-on: https://chromium-review.googlesource.com/756888 Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Reviewed-by: Aaron Gable <agable@chromium.org> Commit-Queue: Sergey Berezin <sergeyberezin@chromium.org> 7 years ago			`# Mac toolchain installer`
Roll mac_toolchain to pick up -verbose. Bug: 962920 Change-Id: Ib52b4fb571381352b63a83ac4c4392ba20677892 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1612291 Auto-Submit: John Budorick <jbudorick@chromium.org> Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Robbie Iannucci <iannucci@chromium.org> Commit-Queue: Robbie Iannucci <iannucci@chromium.org> 6 years ago			`infra/tools/mac_toolchain/${os=mac}-${arch} git_revision:47354a337f7eb444f2cb1e1b5d30ac3940f1d097`
[prpc] Add pRPC CLI tool to depot_tools. This will be used when running infrastructure code locally (e.g. recipes) to correctly interact with LUCI service APIs (such as luci-scheduler.appspot.com). It is also generically useful to explore and interact with LUCI service APIs on the command line (for debugging/scripting). R=tandrii@chromium.org, vadimsh@chromium.org Bug: 808677 Change-Id: I41cfd4cc7e2d245d3a5d2be83f9879f92a8d1bca Reviewed-on: https://chromium-review.googlesource.com/905457 Commit-Queue: Robbie Iannucci <iannucci@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> 7 years ago
			`# LUCI rpc command line tool`
[cipd] Rebuild all Go binaries with Go 1.12. Hopefully it works better on OSX 10.14. R=tandrii@chromium.org BUG=936067 Change-Id: I097802a053b7f17b81f13a69c1f0c153dc327b10 Reviewed-on: https://chromium-review.googlesource.com/c/1489874 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 6 years ago			`infra/tools/prpc/${platform} git_revision:edd5644be66d37cdf82978efb0e5d6504d0d552f`
[luci-auth] Add statically-linked luci-auth CLI tool. R=tandrii@chromium.org, vadimsh@chromium.org Bug: 809645 Change-Id: I21ad49fa03630955eca6ecd531445bc4acf0c0c6 Reviewed-on: https://chromium-review.googlesource.com/905822 Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Robbie Iannucci <iannucci@chromium.org> 7 years ago
			`# LUCI authentication command line tool`
[cipd] Rebuild all Go binaries with Go 1.12. Hopefully it works better on OSX 10.14. R=tandrii@chromium.org BUG=936067 Change-Id: I097802a053b7f17b81f13a69c1f0c153dc327b10 Reviewed-on: https://chromium-review.googlesource.com/c/1489874 Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> 6 years ago			`infra/tools/luci-auth/${platform} git_revision:edd5644be66d37cdf82978efb0e5d6504d0d552f`
[bb] Deploy bb Add bb to depot_tools Bug: 946422 Change-Id: I7f1e5463b7bb1170124c94066b660a1b972884bf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1550200 Commit-Queue: Nodir Turakulov <nodir@chromium.org> Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org> 6 years ago
			`# LUCI Buildbucket CLI`
[bb] Roll to d0bb723b Primarily to pick up https://chromium-review.googlesource.com/c/infra/luci/luci-go/+/1600250 R=vadimsh@chromium.org Change-Id: I01cc74af93b4044f2607d98e7889de7965eaf60b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1650505 Commit-Queue: Nodir Turakulov <nodir@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> Auto-Submit: Nodir Turakulov <nodir@chromium.org> Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> 6 years ago			`infra/tools/bb/${platform} git_revision:d0bb723b707deed5f523ad688c63fd48429bb3ee`
Add crosjobs to cipd_manifest BUG=chromium:973247 Change-Id: I8be6386fc3ab9ce6e8d9558862dfd0a7c74a5e6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1743018 Commit-Queue: Yaakov Shaul <yshaul@chromium.org> Reviewed-by: Robbie Iannucci <iannucci@chromium.org> 6 years ago
			`# CHROMEOS Buildjobs CLI`
Add crosjobs to cipd_manifest BUG=chromium:973247 Change-Id: Ia0c0625446845ff1c590e0ae455b099ecab958ef Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/1746747 Commit-Queue: Yaakov Shaul <yshaul@chromium.org> Reviewed-by: Robbie Iannucci <iannucci@chromium.org> 6 years ago			`chromiumos/infra/crosjobs/${platform=linux-amd64} git_revision:ed616d595eb7241d39d34907050d2949121d6ae8`