From a9dc9724ae2a954405dd4dbc6a1593f1b469c3dd Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 13 Sep 2023 13:46:57 +0800
Subject: [PATCH 1/5] git-version: Make shebang #!/bin/bash

There is some bash-ism in the script.
---
 git-version.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/git-version.sh b/git-version.sh
index db2ed62a1..7a430fec3 100755
--- a/git-version.sh
+++ b/git-version.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 if [ "$1" = sysv ]; then
     SYSV="INCLUDE"

From c858ba4e17a445591520ddcea8b288b8e3d6db42 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 13 Sep 2023 14:08:06 +0800
Subject: [PATCH 2/5] build: Add "make dist"

For creating a tarball without .git directory easier.  The tarball will
include version.ent and LFS-RELEASE files so the book rendered from it
won't show "unknown" for all dates.
---
 .gitignore     |  1 +
 Makefile       | 11 ++++++++++-
 git-version.sh |  7 +++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index f2a347215..9595dd32f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 lfs-bootscripts-*.tar.xz
+lfs-*.tar.xz
 conditional.ent
 version.ent
 appendices/*.script
diff --git a/Makefile b/Makefile
index 13d0f52a8..1c23a55f5 100644
--- a/Makefile
+++ b/Makefile
@@ -209,5 +209,14 @@ dump-commands: validate
 
 all: book nochunks pdf dump-commands
 
-.PHONY : all book dump-commands nochunks pdf profile-html tmpdir validate md5sums wget-list version
+dist:
+	$(Q)DIST=/tmp/LFS-RELEASE ./git-version.sh $(REV)
+	$(Q)rm -f lfs-$$(</tmp/LFS-RELEASE).tar.xz
+	$(Q)tar cJf lfs-$$(</tmp/LFS-RELEASE).tar.xz \
+		$(shell git ls-tree HEAD . --name-only) version.ent \
+		-C /tmp LFS-RELEASE \
+		--transform "s,^,lfs-$$(</tmp/LFS-RELEASE)/,"
+	$(Q)echo "Generated XML tarball lfs-$$(</tmp/LFS-RELEASE).tar.xz"
+
+.PHONY : all book dump-commands nochunks pdf profile-html tmpdir validate md5sums wget-list version dist
 
diff --git a/git-version.sh b/git-version.sh
index 7a430fec3..4a3c6d1e4 100755
--- a/git-version.sh
+++ b/git-version.sh
@@ -17,6 +17,11 @@ echo "<!ENTITY % systemd \"$SYSTEMD\">"  >> conditional.ent
 if ! git status > /dev/null; then
     # Either it's not a git repository, or git is unavaliable.
     # Just workaround.
+
+	if [ -e LFS-RELEASE ]; then
+		exit 0
+	fi
+
     echo "<![ %sysv; ["                                    >  version.ent
     echo "<!ENTITY version           \"unknown\">"         >> version.ent
     echo "]]>"                                             >> version.ent
@@ -65,3 +70,5 @@ echo "<!ENTITY version          \"$versiond\">"            >> version.ent
 echo "]]>"                                                 >> version.ent
 echo "<!ENTITY releasedate       \"$full_date\">"          >> version.ent
 echo "<!ENTITY copyrightdate     \"1999-$year\">"          >> version.ent
+
+[ -z "$DIST" ] || echo $version > "$DIST"

From 48d8f5a51d5dfe58ac6d205fa7430f364225fab2 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 13 Sep 2023 14:31:39 +0800
Subject: [PATCH 3/5] glibc: Fix CVE-2023-4527

---
 chapter08/glibc.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/chapter08/glibc.xml b/chapter08/glibc.xml
index 3932a2147..c648fe129 100644
--- a/chapter08/glibc.xml
+++ b/chapter08/glibc.xml
@@ -55,6 +55,18 @@
 
 <screen><userinput remap="pre">patch -Np1 -i ../&glibc-memalign-patch;</userinput></screen>
 
+    <!-- CVE-2023-4527
+         https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+         https://sourceware.org/ml/libc-alpha/2023-September/151522.html -->
+    <para>Then fix a security vulnerability exploitable when the
+    <option>no-aaaa</option> option is used in
+    <filename>/etc/resolv.conf</filename>:</para>
+
+<screen><userinput remap="pre">sed \
+  -E "/__res_context_search/\
+      {N;N;s/(search \(([^,]*,){6}[^,]*)NULL/\1\&amp;alt_dns_packet_buffer/}" \
+  -i resolv/nss_dns/dns-host.c</userinput></screen>
+
     <para>The Glibc documentation recommends building Glibc
     in a dedicated build directory:</para>
 

From 80da60f0c070dee52f7add18aea74c0e124ed8f7 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 13 Sep 2023 15:39:25 +0800
Subject: [PATCH 4/5] stripping: Compress the kept debug info with Zlib

---
 chapter08/stripping.xml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/chapter08/stripping.xml b/chapter08/stripping.xml
index 68e0f8da1..b7b983d73 100644
--- a/chapter08/stripping.xml
+++ b/chapter08/stripping.xml
@@ -29,9 +29,12 @@
   needed by the linker (for static libraries) or dynamic linker (for
   dynamically linked binaries and shared libraries).</para>
 
-  <para>The debugging symbols from selected libraries are preserved
-  in separate files.  That debugging information is needed to run
-  regression tests with <ulink
+  <!-- TODO: Zstd is better than Zlib for both speed and size.
+             Unfortunately Valgrind does not support Zstd-compressed debug
+             info yet: https://bugs.kde.org/show_bug.cgi?id=469782 -->
+  <para>The debugging symbols from selected libraries are compressed with
+  <application>Zlib</application> and preserved in separate files.  That
+  debugging information is needed to run regression tests with <ulink
   url='&blfs-book;/general/valgrind.html'>valgrind</ulink> or <ulink
   url='&blfs-book;/general/gdb.html'>gdb</ulink> later, in BLFS.
   </para>
@@ -78,7 +81,7 @@
 cd /usr/lib
 
 for LIB in $save_usrlib; do
-    objcopy --only-keep-debug $LIB $LIB.dbg
+    objcopy --only-keep-debug --compress-debug-sections=zlib $LIB $LIB.dbg
     cp $LIB /tmp/$LIB
     strip --strip-unneeded /tmp/$LIB
     objcopy --add-gnu-debuglink=$LIB.dbg /tmp/$LIB

From b91b12adf3d7926f570b900f758e4670de3d4ec1 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 13 Sep 2023 16:07:33 +0800
Subject: [PATCH 5/5] git-version: Always skip creating version.ent if
 LFS-RELEASE exists

---
 git-version.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/git-version.sh b/git-version.sh
index 4a3c6d1e4..5d8d32e5d 100755
--- a/git-version.sh
+++ b/git-version.sh
@@ -14,14 +14,13 @@ fi
 echo "<!ENTITY % sysv    \"$SYSV\">"     >  conditional.ent
 echo "<!ENTITY % systemd \"$SYSTEMD\">"  >> conditional.ent
 
+if [ -e LFS-RELEASE ]; then
+	exit 0
+fi
+
 if ! git status > /dev/null; then
     # Either it's not a git repository, or git is unavaliable.
     # Just workaround.
-
-	if [ -e LFS-RELEASE ]; then
-		exit 0
-	fi
-
     echo "<![ %sysv; ["                                    >  version.ent
     echo "<!ENTITY version           \"unknown\">"         >> version.ent
     echo "]]>"                                             >> version.ent