Message-ID: <CAK7LNATvziJ8EvnZ1mBMhG7Vs-9_9--4+UQnW4H2GQvuZseUgw@mail.gmail.com>
Date:   Thu, 30 Nov 2023 03:23:11 +0900
From:   Masahiro Yamada <masahiroy@...nel.org>
To:     Guillem Jover <guillem@...ian.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        linux-kbuild@...r.kernel.org, Ben Hutchings <ben@...adent.org.uk>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Nicolas Schier <nicolas@...sle.eu>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] kbuild: deb-pkg: remove the fakeroot builds support

On Wed, Nov 29, 2023 at 12:04 PM Guillem Jover <guillem@...ian.org> wrote:
>
> Hi!
>
> On Wed, 2023-11-29 at 08:53:56 +0900, Masahiro Yamada wrote:
> > In 2017, the dpkg suite introduced the rootless builds support with the
> > following commits:
> >
> >   - 2436807c87b0 ("dpkg-deb: Add support for rootless builds")
> >   - fca1bfe84068 ("dpkg-buildpackage: Add support for rootless builds")
> >
> > This feature is available in the default dpkg on Debian 10 and Ubuntu
> > 20.04.
> >
> > Remove the old method.
> >
> > Signed-off-by: Masahiro Yamada <masahiroy@...nel.org>
> > ---
> >
> > Changes in v3:
> >   - Remove DEB_RULES_REQUIRES_ROOT=no again
> >     (resent in order to clarify which one should be applied)
>
> Thanks, as this variable is supposed to be defined by the build driver
> (such as dpkg-buildpackage) that calls debian/rules, as covered in the
> rootless-builds.txt spec.
>
> > diff --git a/scripts/Makefile.package b/scripts/Makefile.package
> > index 0c3adc48dfe8..a81dfb1f5181 100644
> > --- a/scripts/Makefile.package
> > +++ b/scripts/Makefile.package
> > @@ -109,8 +109,6 @@ debian-orig: linux.tar$(debian-orig-suffix) debian
> >               cp $< ../$(orig-name); \
> >       fi
> >
> > -KBUILD_PKG_ROOTCMD ?= 'fakeroot -u'
> > -
> >  PHONY += deb-pkg srcdeb-pkg bindeb-pkg
> >
> >  deb-pkg:    private build-type := source,binary
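Review bot: the removed `KBUILD_PKG_ROOTCMD ?= 'fakeroot -u'` was a `?=` default, that is, a knob users could override from the command line or the environment; after this hunk a value such as KBUILD_PKG_ROOTCMD=sudo is still accepted by make and silently ignored. Mention the removal of the variable in the commit message, and consider warning or erroring out when it is set, so that scripts which relied on it fail visibly instead of building a different way.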
> > @@ -125,7 +123,7 @@ deb-pkg srcdeb-pkg bindeb-pkg:
> >       $(if $(findstring source, $(build-type)), \
> >               --unsigned-source --compression=$(KDEB_SOURCE_COMPRESS)) \
> >       $(if $(findstring binary, $(build-type)), \
> > -             -R'$(MAKE) -f debian/rules' -j1 -r$(KBUILD_PKG_ROOTCMD) -a$$(cat debian/arch), \
> > +             -R'$(MAKE) -f debian/rules' -j1 -a$$(cat debian/arch), \
>
> Since dpkg 1.14.7, dpkg-buildpackage uses fakeroot if available, so
> regardless of anything else this removal seems safe.


You are right.

Even without the explicit -r option, fakeroot will be used
when dpkg-buildpackage determines it is necessary.


The only use-case I can come up with is
the fakeroot command is not installed on the system, and a user
may want to do "make bindeb-pkg KBUILD_PKG_ROOTCMD=sudo"
as a backup plan.


Anyway, now we always assume "--root-command=none" should work,
so -r$(KBUILD_PKG_ROOTCMD) is unneeded.




> >               --no-check-builddeps) \
> >       $(DPKG_FLAGS))
> >
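Review bot: on the `-R'$(MAKE) -f debian/rules' -j1 -a$$(cat debian/arch)` line, dropping -r leaves the gain-root choice to dpkg-buildpackage, so whether debian/rules runs under fakeroot now depends on what is installed on the build host. The commit message only says "Remove the old method"; it should state that the binary targets are expected to complete with no root command at all, so that a host without fakeroot is a supported configuration rather than an accident.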
> > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > index d7dd0d04c70c..2fe51e6919da 100755
> > --- a/scripts/package/builddeb
> > +++ b/scripts/package/builddeb
> > @@ -36,19 +36,13 @@ create_package() {
> >       sh -c "cd '$pdir'; find . -type f ! -path './DEBIAN/*' -printf '%P\0' \
> >               | xargs -r0 md5sum > DEBIAN/md5sums"
> >
> > -     # Fix ownership and permissions
> > -     if [ "$DEB_RULES_REQUIRES_ROOT" = "no" ]; then
> > -             dpkg_deb_opts="--root-owner-group"
> > -     else
> > -             chown -R root:root "$pdir"
> > -     fi
> >       # a+rX in case we are in a restrictive umask environment like 0077
> >       # ug-s in case we build in a setuid/setgid directory
> >       chmod -R go-w,a+rX,ug-s "$pdir"
> >
> >       # Create the package
> >       dpkg-gencontrol -p$pname -P"$pdir"
> > -     dpkg-deb $dpkg_deb_opts ${KDEB_COMPRESS:+-Z$KDEB_COMPRESS} --build "$pdir" ..
> > +     dpkg-deb --root-owner-group ${KDEB_COMPRESS:+-Z$KDEB_COMPRESS} --build "$pdir" ..
>
> If you want to make sure dpkg-deb supports that option, perhaps add
> «dpkg (>= 1.19.0)» to the package Build-Depends? If that version seems
> old enough to be assumed to be present, then unconditionally using it
> seems fine.



Personally, I do not want to list an essential tool
in the dependency.

The Debian kernel does not do it either.

Anyway, thank you for your comments.



> >  }
> >
> >  install_linux_image () {
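Review bot: in create_package, `--root-owner-group` is now passed unconditionally and the `chown -R root:root "$pdir"` fallback is gone, so the ownership recorded in the .deb depends entirely on dpkg-deb honouring that option, and a dpkg-deb that lacks it fails only at the final packaging step. State the minimum dpkg version in the commit message, or check for the option before the build starts, so an unsupported builder is rejected early and with a clear message.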
>
> Otherwise, the change LGTM.
>
> Thanks,
> Guillem



-- 
Best Regards
Masahiro Yamada
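
Added example (not part of the original message or of the kernel tree): a post-build check that the members of a generated .deb carry the ownership and modes the builddeb hunk above is meant to guarantee (root/root from --root-owner-group, and go-w,ug-s from the chmod). The function names and the sample listing are constructed for illustration; the input format is the tar-style output of `dpkg-deb -c`.

```shell
#!/bin/sh
# Audit a `dpkg-deb -c` (tar -tv style) listing read from stdin.
# Prints one finding per problem; exit status is 1 if anything was found.
audit_deb_listing() {
    awk '
    {
        mode = $1; owner = $2
        # Member name is everything after the first five fields
        # (mode, owner/group, size, date, time); names may contain spaces.
        name = $0
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", name)

        if (owner != "root/root") { print "owner " owner ": " name; bad++ }
        if (substr(mode, 1, 1) != "l") {      # symlink modes are not meaningful
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") {
                print "group/other-writable " mode ": " name; bad++
            }
            if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/) {
                print "setuid/setgid " mode ": " name; bad++
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample listing (not output from a real kernel package).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2023-11-30 03:23 ./
-rw-r--r-- root/root   8912896 2023-11-30 03:23 ./boot/vmlinuz-0.0.0-sample
-rw-rw-r-- builder/builder 254 2023-11-30 03:23 ./boot/config-0.0.0-sample
-rwsr-xr-x root/root     14488 2023-11-30 03:23 ./usr/lib/sample-helper
lrwxrwxrwx root/root         0 2023-11-30 03:23 ./lib/modules/0.0.0-sample/build -> /usr/src/sample
EOF
}

# With a package path as argument, audit it; otherwise show the sample run.
if [ $# -gt 0 ]; then
    dpkg-deb -c "$1" | audit_deb_listing
else
    sample_listing | audit_deb_listing || true
fi
```

Run it against the package written to the parent directory after `make bindeb-pkg`; a non-zero status means at least one member kept the build user's ownership or an unsafe mode.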
