In case anyone is interested in testing bootstraps of the revised
sandboxing patches applied to the current fink 0.41.0 sources, the
attached fink_sandboxing_v4.diff is identical to
fink_sandboxing_v3.diff with the following fink.sb.5.in manage
corrections...
--- fink_sandboxing_v3.diff 2016-11-06 19:55:56.0 -0500
+++ fink_sandboxing_v4.diff 2016-11-07 11:01:56.0 -0500
@@ -36,7 +36,7 @@
+/opt/local
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in 1969-12-31 19:00:00.0 -0500
-+++ fink-0.41.0/fink.sb.5.in 2016-11-06 18:40:34.0 -0500
fink-0.41.0/fink.sb.5.in 2016-11-07 11:00:48.0 -0500
@@ -0,0 +1,56 @@
+.\" -*- nroff -*-
+.Dd November 2011
@@ -53,17 +53,17 @@
+.\"
+.\"
+.Sh DESCRIPTION
-+When
++The
+.Xr fink 8
-+is initially installed it prompts you for whether you wish to enable the
-+building of packages within a protected sandbox which blacklists access to
-+those directories listed in
++packaging system defaults to compiling packages within a protected
sandbox that blacklists
++access to directories listed in
+.Nm
-+by hand. In general, these options are meant for advanced users only.
++In general, modifying the list of blacklisted directories meant for
advanced users only.
+.Pp
-+Your
++The default
+.Nm
-+defaults to blacklisting the following directories
++blacklists the following directories
++
+.Bl -tag -width flag -offset indent -compact
+.It /usr/local
+.It /opt/local
I would be curious to hear about success or failure reports. I have no
issues bootstrapping and using the sandboxing.
Just make sure to grab the sandbox friendly updates for gcc5/gcc6 and
llvm-gcc42 from
https://sourceforge.net/p/fink/package-submissions/4835/
https://sourceforge.net/p/fink/package-submissions/4834/
On Sun, Nov 6, 2016 at 10:34 PM, Jack Howarth wrote:
> Daniel and Alexander,
> The attached patch reworks the previously proposed sandboxing
> support by...
>
> 1) Enabling the sandbox usage by default (except during fink bootstraps)
> 2) Adding a 'NoSandbox' field for the Info files which can be used to
> disable the sandbox on a per package basis.
> 3) Retaining the --build-in-sandbox/--no-build-in-sandbox fink flags
> which override the other settings.
>
> The --no-build-in-sandbox fink flag can be used to disable the sandbox
> in any fink build while the --build-in-sandbox fink flag can be used
> to override 'NoSandbox: true' in a particular info file.
>
> The attached fink_sandboxing_v3.diff, applied to stock fink-0.41.0,
> has been verified to bootstrap on 10.11 and exhibit the behaviors
> described above.
> Jack
diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST 2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/MANIFEST2016-11-06 18:40:34.0 -0500
@@ -24,6 +24,8 @@
fink.8.in
fink.conf.5.in
fink.csh
+fink.sb
+fink.sb.5.in
fink.sh
images/finkDoneFailed.png
images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in 2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/fink.8.in 2016-11-06 18:40:34.0 -0500
@@ -103,6 +103,14 @@
.It Cm --no-build-as-nobody
Force the the unpack, patch, compile, and install phases to be
performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
.It Cm -m, --maintainer
Perform actions useful to package maintainers: run validation on
the .info file before building and on the .deb after building a
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb 2016-11-06 18:40:34.0 -0500
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in 1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb.5.in2016-11-07 11:00:48.0 -0500
@@ -0,0 +1,56 @@
+.\" -*- nroff -*-
+.Dd November 2011
+.Dt FINK.SB 5
+.Sh NAME
+.Nm fink.sb
+.Nd sandboxing configuration file for
+.Xr fink 8
+.Sh SYNOPSIS
+@PREFIX@/etc/fink.sb
+.\"
+.\"
+.\" DESCRIPTION
+.\"
+.\"
+.Sh DESCRIPTION
+The
+.Xr fink 8
+packaging system defaults to compiling packages within a protected sandbox
that blacklists
+access to directories listed in
+.Nm
+In general, modifying the list of blacklisted directories meant for advanced
users only.
+.Pp
+The default
+.Nm
+blacklists the following directories
+
+.Bl -tag -width flag -offset indent -compact
+.It /usr/local
+.It /opt/local
+.El
+.Pp
+The blacklisted directories appear one per line in the file.
+.El
+.\"
+.\"
+.\" AUTHOR
+.\"
+.\"
+.Sh AUTHOR
+This manpage is maintained by the