From cbf6c8c941e5b5cd46a8701191c7f9133cbe1184 Mon Sep 17 00:00:00 2001
From: palainp
Date: Tue, 18 Apr 2023 11:46:45 +0200
Subject: [PATCH 1/7] update build script

---
Dockerfile | 14 ++++++++------
build-with-docker.sh | 2 +-
2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1c1e0f1..8e55ec5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,21 @@
 # Pin the base image to a specific hash for maximum reproducibility.
 # It will probably still work on newer images, though, unless an update
 # changes some compiler optimisations (unlikely).
-# ubuntu-20.04
-FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
+# bookworm-slim
+FROM debian@sha256:07c6cb2ae86479dcc1942a89b0a1f4049b6e9415f7de327ff641aed58b8e3100
+# and set the package source to a specific release too
+RUN echo deb http://snapshot.notset.fr/archive/debian/20230418T024659Z bookworm main > /etc/apt/sources.list
 
-RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
-RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
+RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.4/opam-2.1.4-i686-linux && chmod 755 /usr/bin/opam
 ENV OPAMROOT=/tmp
 ENV OPAMCONFIRMLEVEL=unsafe-yes
 
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
-RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#c9b2f766b7c7009be8cd68ac423d0d5b36044aca
-RUN opam switch create myswitch 4.14.0
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#28b35f67988702df5018fbf30d1c725734425670
+RUN opam switch create myswitch 4.14.1
 RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
 RUN mkdir /tmp/orb-build
 ADD config.ml /tmp/orb-build/config.ml
diff --git a/build-with-docker.sh b/build-with-docker.sh
index 7cd77a6..ec91399 100755
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
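Review bot: The opam executable fetched by the new `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.4/opam-2.1.4-i686-linux && chmod 755 /usr/bin/opam` line is the only input in this Dockerfile that is not pinned by a digest: the base image is pinned by sha256, the apt source by a snapshot timestamp and the opam-repository by a commit, but the downloaded binary is trusted as-is, so a swapped or tampered release asset would be built into the firewall image and only show up as a changed output hash afterwards. Verify it before installing, e.g. `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.4/opam-2.1.4-i686-linux && echo "<expected-sha256-of-opam-2.1.4-i686-linux>  /usr/bin/opam" | sha256sum -c - && chmod 755 /usr/bin/opam` (placeholder digest, to be taken from the upstream release). The same applies to the 2.1.5 bump in patch 5/7. The apt source is plain http, which is acceptable only because apt verifies the Release signature with the keyring shipped in the pinned base image; a short comment on the `RUN echo deb ...` line stating that would save the next reader the reasoning.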
@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
 echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 55a2f823d66473c7d0be66a93289d48b6557f18c9257c6f98aa5a4583663d3c2"
+echo "SHA2 last known: 4a3cd3f555f39c47b9675fd08425eee968a6484cb38aa19fb94f4c96844c2ae6"
 echo "(hashes should match for released versions)"

From ffc8e95bc31583807203f8ad5ae0a8f5b113517e Mon Sep 17 00:00:00 2001
From: palainp
Date: Tue, 25 Apr 2023 10:16:57 +0200
Subject: [PATCH 2/7] create a shasum file matching the tarball release

---
Makefile.user | 1 +
1 file changed, 1 insertion(+)

diff --git a/Makefile.user b/Makefile.user
index fb04a23..c8a1d5d 100644
--- a/Makefile.user
+++ b/Makefile.user
@@ -7,6 +7,7 @@ tar: build
 touch _build/mirage-firewall/modules.img
 cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
 tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall
+sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
 
 fetchmotron: qubes_firewall.xen
 test-mirage qubes_firewall.xen mirage-fw-test &

From d3e8e691fd95e003461aca5708bda33800fd27d7 Mon Sep 17 00:00:00 2001
From: palainp
Date: Tue, 16 May 2023 11:18:34 +0200
Subject: [PATCH 3/7] do not check valid-until in debian release file: this permits to keep a debian packages list more than one week

---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 8e55ec5..e0eaa70 100644
--- a/Dockerfile
+++ b/Dockerfile
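Review bot: The checksum written by the added `sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256` line is produced in the same step and environment as the tarball, so a downloader can use it to detect transfer corruption but not to establish provenance; for release verification the .sha256 file needs to be signed or published through a channel separate from the tarball. That limitation is worth recording next to the recipe, e.g. `# checksum for download verification only; sign it or publish it out-of-band for releases`. The `tar` target this recipe belongs to starts before the hunk.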
@@ -4,7 +4,7 @@
 # bookworm-slim
 FROM debian@sha256:07c6cb2ae86479dcc1942a89b0a1f4049b6e9415f7de327ff641aed58b8e3100
 # and set the package source to a specific release too
-RUN echo deb http://snapshot.notset.fr/archive/debian/20230418T024659Z bookworm main > /etc/apt/sources.list
+RUN printf "deb [check-valid-until=no] http://snapshot.notset.fr/archive/debian/20230418T024659Z bookworm main" > /etc/apt/sources.list
 
 RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
 RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.4/opam-2.1.4-i686-linux && chmod 755 /usr/bin/opam

From b288481d2ffc7dc71f37db6aee515babf0dfa56e Mon Sep 17 00:00:00 2001
From: palainp
Date: Fri, 26 May 2023 10:27:29 +0200
Subject: [PATCH 4/7] remove memreport to Xen to avoid Qubes trying to get back some memory from us

---
build-with-docker.sh | 2 +-
memory_pressure.ml | 19 +++---------------
2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/build-with-docker.sh b/build-with-docker.sh
index 7cd77a6..b4faef7 100755
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
 echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 55a2f823d66473c7d0be66a93289d48b6557f18c9257c6f98aa5a4583663d3c2"
+echo "SHA2 last known: d9f7827e2f2c8150ac97a4d348a29f5ee0810a455dbab9233490fff97470f7b8"
 echo "(hashes should match for released versions)"
diff --git a/memory_pressure.ml b/memory_pressure.ml
index 2e9e95a..87289c2 100644
--- a/memory_pressure.ml
+++ b/memory_pressure.ml
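Review bot: `[check-valid-until=no]` on the new `RUN printf ...` line turns off apt's Valid-Until check, which is the control that rejects a stale or replayed repository index; it is acceptable here only because the source is a timestamp-pinned snapshot URL and apt still verifies the Release signature, so the mirror cannot serve anything other than that frozen snapshot. The commit message carries that rationale but the Dockerfile does not, and a future reader may be tempted to copy the option to a live mirror where it removes real protection; add it next to the line, e.g. `# Valid-Until is disabled on purpose: the snapshot is frozen at one timestamp and signature checking still applies`.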
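Review bot: This build-with-docker.sh hunk starts from blob 7cd77a6 and removes the `55a2f823...` hash line, but patch 1/7 already replaced that same line (index 7cd77a6..ec91399) with `4a3cd3f5...`; applied in series order the hunk would not find its context, and patch 6/7 (index b4faef7..e5a9a17) continues from this hunk's result rather than from patch 1/7's, so patch 1/7's build-with-docker.sh change appears orphaned. The series should be rebased so each "SHA2 last known" update follows from the previous one, or the build-with-docker.sh part of patch 1/7 dropped if this hunk supersedes it; as it stands a reader cannot tell which of the three hashes was ever the expected output for a given Dockerfile state.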
@@ -27,19 +27,8 @@ let meminfo stats =
 SwapTotal: 0 kB\n\
 SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
 
-let report_mem_usage stats =
-Lwt.async (fun () ->
-let open Xen_os in
-Xs.make () >>= fun xs ->
-Xs.immediate xs (fun h ->
-Xs.write h "memory/meminfo" (meminfo stats)
-)
-)
-
 let init () =
-Gc.full_major ();
-let stats = Xen_os.Memory.quick_stat () in
-report_mem_usage stats
+Gc.full_major ()
 
 let status () =
 let stats = Xen_os.Memory.quick_stat () in
@@ -48,8 +37,6 @@ let status () =
 Gc.full_major ();
 Xen_os.Memory.trim ();
 let stats = Xen_os.Memory.quick_stat () in
-if fraction_free stats < 0.6 then begin
-report_mem_usage stats;
-`Memory_critical
-end else `Ok
+if fraction_free stats < 0.6 then `Memory_critical
+else `Ok
 )

From a34aab52e97dc3e5495e5700c6adc48cb7e546c1 Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Wed, 5 Jul 2023 17:06:00 +0200
Subject: [PATCH 5/7] Apply suggestions from code review

---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index e0eaa70..0c3c0c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ FROM debian@sha256:07c6cb2ae86479dcc1942a89b0a1f4049b6e9415f7de327ff641aed58b8e3
 RUN printf "deb [check-valid-until=no] http://snapshot.notset.fr/archive/debian/20230418T024659Z bookworm main" > /etc/apt/sources.list
 
 RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
-RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.4/opam-2.1.4-i686-linux && chmod 755 /usr/bin/opam
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && chmod 755 /usr/bin/opam
 ENV OPAMROOT=/tmp
 ENV OPAMCONFIRMLEVEL=unsafe-yes
 

From 8e87f2e9e0b13e60c59f974b73618af12e407aa1 Mon Sep 17 00:00:00 2001
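Review bot: With `report_mem_usage` deleted in the first hunk, `meminfo` (whose tail is the context at the top of that hunk, and whose definition starts before it) has no remaining caller in the visible code; if nothing else in memory_pressure.ml references it, it is dead code that still formats a fake /proc/meminfo string and should be removed in the same commit, otherwise a comment explaining why it is kept would help. The new `init` and `status` bodies are fine, but the silence towards Xen is now a deliberate design choice that the source no longer explains; record it at `init`, e.g. `(* Deliberately no memory/meminfo report to Xen, so the host does not try to balloon memory away from this unikernel. *)`. The `status` function enclosing the second hunk starts outside it.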
From: Hannes Mehnert
Date: Wed, 5 Jul 2023 17:14:14 +0200
Subject: [PATCH 6/7] update sha

---
build-with-docker.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build-with-docker.sh b/build-with-docker.sh
index b4faef7..e5a9a17 100755
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
 echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: d9f7827e2f2c8150ac97a4d348a29f5ee0810a455dbab9233490fff97470f7b8"
+echo "SHA2 last known: 8ae5314edf5b863b788c4b873e27bc4b206a2ff7ef1051c4c62ae41584ed3e14"
 echo "(hashes should match for released versions)"

From e4f4c3e958f745e4d4a0d2bc2d7afa536583a33a Mon Sep 17 00:00:00 2001
From: Hannes Mehnert
Date: Wed, 5 Jul 2023 17:34:20 +0200
Subject: [PATCH 7/7] changes for 0.8.5

---
CHANGES.md | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index e147c1f..f37b080 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,10 @@
+### 0.8.5 (2023-07-05)
+
+- Remove memreport to Xen to avoid Qubes trying to get back some memory
+ (#176 @palainp)
+- Use bookworm and snapshot.notset.fr debian packages for reproducibility
+ (#175 @palainp)
+
 ### 0.8.4 (2022-12-07)
 
 - Fix remote denial of service due to excessive console output (#166 @burghardt,