Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package forgejo for openSUSE:Factory checked in at 2025-03-11 20:46:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/forgejo (Old) and /work/SRC/openSUSE:Factory/.forgejo.new.19136 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "forgejo" Tue Mar 11 20:46:22 2025 rev:23 rq:1252070 version:10.0.1 Changes: --------
--- /work/SRC/openSUSE:Factory/forgejo/forgejo.changes 2025-02-09 20:35:59.263651407 +0100
+++ /work/SRC/openSUSE:Factory/.forgejo.new.19136/forgejo.changes 2025-03-11 20:47:40.120089428 +0100
@@ -1,0 +2,48 @@
+Tue Mar 11 13:38:40 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- use --legacy-peer-deps to make the node modules handling work
+ again
+
+-------------------------------------------------------------------
+Mon Mar 10 23:10:15 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- move permissions of the log dir and the data dir
+ from forgejo:forgejo u=rwX,g=rwX,o=
+ to forgejo:forgejo u=rwX,g=rX,o=
+
+-------------------------------------------------------------------
+Mon Mar 10 22:51:57 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- update apparmor profile to a profile that is less broad.
+
+-------------------------------------------------------------------
+Mon Mar 10 21:58:05 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- create all directories before actually installing files
+
+-------------------------------------------------------------------
+Mon Mar 10 21:56:00 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- make the HOME dir in the service file the same as the user
+- migrate existing authorized keys files
+ from %{_datadir}/%{name}/.ssh/authorized_keys
+ to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys
+
+-------------------------------------------------------------------
+Mon Mar 10 14:52:02 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- fix file list to lock down permissions more
+
+-------------------------------------------------------------------
+Mon Mar 10 03:16:51 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- don't require the apparmor subpackage when apparmor is installed
+ the current profile is rather bad and it should be possible to
+ keep it out.
+
+-------------------------------------------------------------------
+Mon Mar 10 03:15:51 UTC 2025 - Marcus Rueckert <mrueck...@suse.de>
+
+- user should actually use /var/lib/forgejo/data/home
+
+-------------------------------------------------------------------
New: ---- forgejo-abstraction.apparmor forgejo-hooks-abstraction.apparmor ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ forgejo.spec ++++++
--- /var/tmp/diff_new_pack.PM72ll/_old 2025-03-11 20:47:41.764158264 +0100
+++ /var/tmp/diff_new_pack.PM72ll/_new 2025-03-11 20:47:41.764158264 +0100
@@ -50,6 +50,8 @@
 Source9: %{name}.te
 Source10: %{name}.apparmor
 Source11: %{name}.firewalld
+Source13: forgejo-hooks-abstraction.apparmor
+Source12: forgejo-abstraction.apparmor
 Source99: get-sources.sh
 Patch0: custom-app.ini.patch
 Patch1: dont-strip.patch
@@ -70,7 +72,7 @@
 BuildRequires: sysuser-tools
 Requires: git-core
 Requires: git-lfs
-Requires: (%{name}-apparmor if apparmor-abstractions)
+Recommends: (%{name}-apparmor if apparmor-abstractions)
 Requires: (%{name}-firewalld if firewalld)
 Requires: (%{name}-selinux if selinux-policy-targeted)
 %if %{with apparmor}
@@ -134,7 +136,7 @@
 %prep
 %autosetup -p1 -n %{name}-src-%{version}
-local-npm-registry %{_sourcedir} install --also=dev
+local-npm-registry %{_sourcedir} install --also=dev --legacy-peer-deps
 %build
 %sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
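Review bot: Source13 is declared before Source12 on the two added lines of the Source list; keeping the tags in numeric order (`Source12: forgejo-abstraction.apparmor` followed by `Source13: forgejo-hooks-abstraction.apparmor`) makes the list easier to audit against %install, which refers to both only by number. This is a style point only, the build is unaffected.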
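Review bot: The added `--legacy-peer-deps` on the local-npm-registry line carries no explanation in the spec, and it changes what the install accepts: peer-dependency conflicts that would otherwise abort the build are ignored, so the resolved node module tree can diverge from what upstream's lockfile expresses without anyone noticing. A one-line comment above the call would record why the override is needed and when it can go, e.g. `# --legacy-peer-deps: peer dependency resolution currently fails against the vendored modules; drop once the tree resolves cleanly`. The 2025-03-11 changelog entry only says it makes the handling work again, which does not tell the next packager whether the flag is still required.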
@@ -144,22 +146,40 @@
 go build ${EXTRA_GOFLAGS} -o contrib/environment-to-ini/environment-to-ini contrib/environment-to-ini/environment-to-ini.go
 %install
-install -d %{buildroot}%{_bindir}
-install -d %{buildroot}%{_datadir}/%{name}
-install -d %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
-install -Dm0755 contrib/environment-to-ini/environment-to-ini %{buildroot}%{_bindir}
-ln -s %{name} %{buildroot}%{_bindir}/gitea
-install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
-install -d %{buildroot}%{_sysconfdir}/%{name}
-install -d %{buildroot}%{_localstatedir}/log/%{name}
-install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
+install -d -D \
+ %{buildroot}%{_bindir} %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
+
+install -d -m 0750 \
+ %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories} \
+ %{buildroot}%{_sharedstatedir}/%{name}/data/home/.ssh \
+ %{buildroot}%{_sysconfdir}/%{name} \
+ %{buildroot}%{_localstatedir}/log/%{name}
+
+install -D -m 0755 contrib/environment-to-ini/environment-to-ini %{buildroot}%{_bindir}
 install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
+ln -s %{name} %{buildroot}%{_bindir}/gitea
+
+install -D -m 0640 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
+
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
 install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
 %if %{with apparmor}
-install -d %{buildroot}%{_sysconfdir}/apparmor.d
-install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
+install -D -d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/abstractions \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo-session-exec.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo-hooks.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/git.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-pre-receive.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-post-receive.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-proc-receive.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-update.d \
+ %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo.d
+
+install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/%{name}
+install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/%{name}
+install -Dm0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/%{name}-hooks
 %endif
 %if %{with selinux}
@@ -176,6 +196,9 @@
 %service_add_pre %{name}.service
 %post
+if [ -e %{_datadir}/%{name}/.ssh/authorized_keys ] ; then
+ mv %{_datadir}/%{name}/.ssh/authorized_keys %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys
+fi
 %service_add_post %{name}.service
 %post firewalld
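Review bot: The two directory-creating calls in %install are spelled `install -d -D \` and `install -D -d \`, and `-D` appears redundant next to `-d` (with `-d` every operand is a directory and leading components are created anyway); using one spelling, e.g. `install -d \` in both places, removes the question of whether the difference is intentional. The modes given here (`-m 0750` for the state directories, `-m 0640` for app.ini) only shape the buildroot; the ownership and modes of the installed files come from the `%defattr` lines in `%files`, so a short comment such as `# modes here are placeholders; effective ownership/modes are set by %defattr in %files` would spare a reader hunting for where 0750 actually takes effect. Note that `%{_datadir}/%{name}/{conf,https,mailer}` is still created under /usr/share although the service's HOME moves to /var/lib in this submission; if nothing writes there any more, a comment saying why the directories are kept would help.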
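Review bot: The `mv` in %post overwrites an existing `%{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys` without checking, so on a host where both files exist (a reinstall, or a key file the service has already regenerated at the new location) the live file is silently replaced by the stale one; guard the destination too: `if [ -e %{_datadir}/%{name}/.ssh/authorized_keys ] && [ ! -e %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys ] ; then`. The moved file keeps its previous owner and mode, which sshd with StrictModes (the default) requires to be the forgejo user's and not group/world writable, and the new `.ssh` directory is installed 0750 forgejo:forgejo by %files; a comment noting that the migration relies on the old file already having sane ownership would make that dependency visible. The now-empty `%{_datadir}/%{name}/.ssh/` directory is left behind under /usr/share; consider `rmdir %{_datadir}/%{name}/.ssh 2>/dev/null || :` after the move.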
@@ -206,19 +229,29 @@
 %{_unitdir}/%{name}.service
 %{_bindir}/%{name}
 %{_bindir}/gitea
-%defattr(0660,root,forgejo,770)
-%{_localstatedir}/log/%{name}
-%defattr(0660,forgejo,forgejo,750)
-%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
-%{_sysconfdir}/%{name}
+%{_sysusersdir}/%{name}.conf
 %{_datadir}/%{name}
+%defattr(0640,root,forgejo,750)
+%{_sysconfdir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
+%defattr(0640,forgejo,forgejo,750)
+%{_localstatedir}/log/%{name}
 %{_sharedstatedir}/%{name}
-%{_sysusersdir}/%{name}.conf
 %if %{with apparmor}
 %files apparmor
 %dir %{_sysconfdir}/apparmor.d
-%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%config %{_sysconfdir}/apparmor.d/%{name}
+%config %{_sysconfdir}/apparmor.d/abstractions/%{name}*
+%dir %{_sysconfdir}/apparmor.d/forgejo.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo-session-exec.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo-hooks.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/git.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-pre-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-post-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-proc-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-update.d
 %endif
 %if %{with selinux}
++++++ forgejo-abstraction.apparmor ++++++
include <abstractions/base>
include <abstractions/mysql>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/user-tmp>
/usr/bin/forgejo rm,
/etc/machine-id r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/sys/net/core/somaxconn r,
/etc/forgejo/ r,
/etc/forgejo/conf/app.ini r,
/etc/forgejo/public/ r,
/etc/forgejo/public/** r,
/etc/forgejo/{conf,https,mailer}/ r,
/usr/lib{,exec}/git/git Px -> forgejo//git,
/usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
/usr/share/mime/globs2 r,
/etc/mime.types r,
include if exists <forgejo.d/forgejo.d>
include if exists <locatl/usr.bin.forgejo>
include if exists <local/forgejo>
++++++ forgejo-hooks-abstraction.apparmor ++++++
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
/usr/bin/bash ix,
/usr/bin/env rPx -> forgejo//simple_tool,
/usr/bin/cat rPx -> forgejo//simple_tool,
/usr/bin/basename rPx -> forgejo//simple_tool,
++++++ forgejo.apparmor ++++++
--- /var/tmp/diff_new_pack.PM72ll/_old 2025-03-11 20:47:41.856162116 +0100
+++ /var/tmp/diff_new_pack.PM72ll/_new 2025-03-11 20:47:41.856162116 +0100
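Review bot: The new `%defattr(0640,root,forgejo,750)` makes /etc/forgejo and app.ini root-owned and read-only for the service, while `%{_datadir}/%{name}` just above it stays under the default attributes, and the intended ownership model is stated nowhere in the spec; a comment before the first `%defattr`, e.g. `# config is root-owned and read-only for the service; only state (/var/lib) and logs are forgejo-owned`, would make the policy explicit for the next change. The profile diff in this same submission drops the `owner /etc/forgejo/conf/app.ini w` rule, so file ownership and AppArmor now agree, but anything that writes app.ini at runtime (Forgejo's first-run installer, if the packaged app.ini does not lock it) will fail under both layers — presumably intended, worth confirming. Listing `%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini` right after a bare `%{_sysconfdir}/%{name}` entry that already globs it triggers rpmbuild's "File listed twice" warning, as the old ordering did; `%dir %{_sysconfdir}/%{name}` plus explicit entries avoids it.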
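Review bot: `include if exists <locatl/usr.bin.forgejo>` is misspelled (`locatl`), so the line can never match and is dead; since the profile file is renamed from usr.bin.forgejo to forgejo in this submission and `include if exists <local/forgejo>` follows on the next line, either drop it or spell it `include if exists <local/usr.bin.forgejo>` if site overrides under the old name are meant to keep working. This abstraction is pulled in by the main profile and by the forgejo-session-exec and forgejo-hooks child profiles, so every grant here (`/usr/bin/forgejo rm`, the /etc/forgejo reads, the `Px -> forgejo//git` transitions) applies to all three; a header comment stating that the file is shared by the main and child profiles would help keep future additions minimal.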
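Review bot: `/usr/bin/env rPx -> forgejo//simple_tool` sends env into a profile that only lets it map itself, so any hook that uses env to start another program is denied at that second exec; whether a `#!/usr/bin/env bash` interpreter line in a hook script is affected depends on how the interpreter exec is mediated and I cannot tell from the diff, so this deserves an end-to-end push test with the profile in enforce mode before it ships. If env is expected to exec bash, it needs `ix` here like bash itself instead of the transition. A comment on the three `rPx` lines saying that cat, basename and env are deliberately confined to a no-exec helper profile would record the intent either way.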
@@ -2,64 +2,140 @@
 include <tunables/global>
+@{APP_DATADIR} = /var/lib/forgejo
+@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories
+
 profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
- include <abstractions/base>
- include <abstractions/mysql>
- include <abstractions/nameservice>
- include <abstractions/opencl-pocl>
- include <abstractions/openssl>
- include <abstractions/user-tmp>
- include if exists <local/usr.bin.forgejo>
+ include <abstractions/forgejo>
- network inet stream,
+ network inet stream,
 network inet6 stream,
- /etc/forgejo/ r,
- /etc/forgejo/conf/app.ini r,
- /etc/forgejo/public/ r,
- /etc/forgejo/public/** r,
- /etc/forgejo/{conf,https,mailer}/ r,
- /etc/gitconfig r,
- /etc/mime.types r,
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- /usr/bin/forgejo mr,
- /usr/bin/git mr,
- /usr/bin/gzip mr,
- /usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
- /usr/libexec/git/git-write-tree mrix,
- /usr/share/forgejo/** r,
- /usr/share/forgejo/.gitconfig rw,
- /usr/share/forgejo/.gitconfig.lock rw,
- /usr/share/git-core/templates/ r,
- /usr/share/git-core/templates/** r,
- /usr/share/mime/globs2 r,
- /usr/{lib,libexec}/git/git ix,
- /usr/{lib,libexec}/git/git-remote-http ix,
- /var/ r,
- /var/lib/ r,
- /var/lib/forgejo/ r,
- /var/lib/forgejo/.local/** rw,
- /var/lib/forgejo/.ssh/ rw,
- /var/lib/forgejo/.ssh/* rw,
- /var/log/forgejo/ rw,
- /var/log/forgejo/access.log rw,
- /var/log/forgejo/access.log.* w,
- /var/log/forgejo/doctors-* rw,
- @{PROC}/sys/net/core/somaxconn r,
- owner /etc/forgejo/conf/app.ini w,
- owner /tmp/forgejo** rwl,
- owner /tmp/index* rw,
- owner /tmp/patch* rw,
- owner /usr/share/forgejo/** rw,
- owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
- owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
- owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
- owner /var/lib/forgejo/https/** rwlk,
- owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
- owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
- owner /var/log/forgejo/gitea.log w,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
+ /usr/bin/forgejo Cx -> forgejo-session-exec,
+
+ signal (send) peer=forgejo//*,
+
+ profile forgejo-session-exec {
+ include <abstractions/forgejo>
+
+ include if exists <forgejo.d/forgejo-session-exec.d>
+ include if exists <local/forgejo-session-exec>
+ }
+
+ profile forgejo-hooks {
+ include <abstractions/forgejo>
+
+ include if exists <forgejo.d/forgejo-hooks.d>
+ include if exists <local/forgejo-hooks>
+ }
+
+ profile git {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/ssl_certs>
+
+ signal (receive) peer=forgejo,
+
+ /etc/gitconfig r,
+ /usr/lib{,exec}/git/* rmix,
+ /usr/share/git-core/** r,
+
+ owner @{APP_DATADIR}/data/home/.gitconfig r,
+ owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,
+
+ owner @{APP_REPOSITORY_DIRS}/ r,
+ owner @{APP_REPOSITORY_DIRS}/** rwlk,
+
+ owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/pre-receive Px -> forgejo//hooks-pre-receive,
+ owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/post-receive Px -> forgejo//hooks-post-receive,
+ owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,
+
+ owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/update Px -> forgejo//hooks-update,
+
+ owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/** rwlk,
+
+ include if exists <forgejo.d/git.d>
+ include if exists <local/forgejo-git>
+ }
+
+ profile hooks-pre-receive {
+ include <abstractions/forgejo-hooks>
+
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/ r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+ include if exists <forgejo.d/hooks-pre-receive.d>
+ include if exists <local/forgejo-hooks-pre-receive>
+ }
+
+ profile hooks-post-receive {
+ include <abstractions/forgejo-hooks>
+
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/ r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+ include if exists <forgejo.d/hooks-post-receive.d>
+ include if exists <local/forgejo-hooks-post-receive>
+ }
+
+ profile hooks-proc-receive {
+ include <abstractions/forgejo-hooks>
+
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/ r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+ include if exists <forgejo.d/hooks-proc-receive.d>
+ include if exists <local/forgejo-hooks-proc-receive>
+ }
+
+ profile hooks-update {
+ include <abstractions/forgejo-hooks>
+
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/ r,
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/gitea Px -> forgejo//hooks-gitea,
+
+ include if exists <forgejo.d/hooks-update.d>
+ include if exists <local/forgejo-hooks-update>
+ }
+
+ profile hooks-gitea {
+ include <abstractions/forgejo-hooks>
+
+ owner @{APP_REPOSITORY_DIRS}/*/*/hooks/*.d/gitea r,
+ /usr/bin/forgejo Px -> forgejo//forgejo-hooks,
+ }
+
+ profile simple_tool {
+ include <abstractions/base>
+
+ /usr/bin/env rm,
+ /usr/bin/cat rm,
+ /usr/bin/basename rm,
+ }
+
+ owner @{APP_DATADIR}/ r,
+
+ owner @{APP_DATADIR}/data/ r,
+ owner @{APP_DATADIR}/data/** rwlk,
+
+ owner @{APP_DATADIR}/https/ r,
+ owner @{APP_DATADIR}/https/** rwlk,
+
+ owner @{APP_DATADIR}/indexers/ r,
+ owner @{APP_DATADIR}/indexers/** rwlk,
+
+ owner @{APP_DATADIR}/queues/ r,
+ owner @{APP_DATADIR}/queues/** rwlk,
+
+ owner @{APP_REPOSITORY_DIRS}/ r,
+ owner @{APP_REPOSITORY_DIRS}/** rwlk,
+ owner /var/log/forgejo/ r,
+ owner /var/log/forgejo/gitea.log rwlk,
 }
++++++ forgejo.service ++++++
--- /var/tmp/diff_new_pack.PM72ll/_old 2025-03-11 20:47:41.908164293 +0100
+++ /var/tmp/diff_new_pack.PM72ll/_new 2025-03-11 20:47:41.912164461 +0100
@@ -13,7 +13,7 @@
 ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
 Restart=always
 Environment=USER=forgejo
-Environment=HOME=/usr/share/forgejo
+Environment=HOME=/var/lib/forgejo/data/home
 Environment=GITEA_WORK_DIR=/var/lib/forgejo
 Environment=GITEA_CUSTOM=/etc/forgejo
 # added automatically, for details please see
++++++ forgejo.sysusers ++++++
--- /var/tmp/diff_new_pack.PM72ll/_old 2025-03-11 20:47:41.928165130 +0100
+++ /var/tmp/diff_new_pack.PM72ll/_new 2025-03-11 20:47:41.932165298 +0100
@@ -1,4 +1,4 @@
 # Type Name ID GECOS [HOME] Shell
 g forgejo - - -
-u forgejo - "Forgejo" /var/lib/forgejo /usr/bin/bash
+u forgejo - "Forgejo" /var/lib/forgejo/data/home /usr/bin/bash
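Review bot: The rewritten main profile grants only `owner /var/log/forgejo/ r` and `owner /var/log/forgejo/gitea.log rwlk` at the end of the hunk, whereas the removed rules also covered `access.log`, `access.log.*` and `doctors-*`; if the packaged app.ini enables the access logger, or doctor output is written to that directory, those writes are now denied under enforce mode, so either re-add the rules or record the narrowing with a comment such as `# only gitea.log is permitted; access logging and doctor output are intentionally not`. `profile hooks-gitea` is the one child profile without the `include if exists <forgejo.d/...>` / `<local/...>` pair its siblings carry, and the spec creates no drop-in directory for it; for consistency add `include if exists <forgejo.d/hooks-gitea.d>` and `include if exists <local/forgejo-hooks-gitea>` (both harmless when the files are absent). The main profile has `signal (send) peer=forgejo//*` but only `profile git` has a matching `signal (receive) peer=forgejo`; if Forgejo ever signals a hook process (for example on timeout), delivery into the hooks-* profiles would be denied, which is worth a test rather than an assumption.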
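Review bot: Changing the home field on the `u forgejo` line only takes effect for accounts that do not exist yet; as far as I know systemd-sysusers leaves an existing `forgejo` entry untouched, so on an upgraded host the passwd home stays `/var/lib/forgejo` while the unit's `Environment=HOME` moves to `/var/lib/forgejo/data/home`. sshd resolves `~/.ssh/authorized_keys` from the passwd entry, not from the unit environment, so on such hosts the key file that %post migrates into `/var/lib/forgejo/data/home/.ssh/` would not be consulted for SSH logins unless AuthorizedKeysFile is configured explicitly. Either adjust the existing account in %post (e.g. `usermod -d /var/lib/forgejo/data/home forgejo`, guarded on the old value) or state in the changelog that existing installations need the home directory changed by hand.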