Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package brltty for openSUSE:Factory checked in at 2023-12-14 22:02:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/brltty (Old)
 and /work/SRC/openSUSE:Factory/.brltty.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "brltty" Thu Dec 14 22:02:34 2023 rev:64 rq:1132864 version:6.6 Changes: -------- --- /work/SRC/openSUSE:Factory/brltty/brltty.changes 2023-12-01 21:25:08.069362863 +0100 +++ /work/SRC/openSUSE:Factory/.brltty.new.25432/brltty.changes 2023-12-14 22:02:36.822927176 +0100 @@ -1,0 +2,12 @@ +Wed Dec 13 11:10:22 UTC 2023 - Matthias Gerstner <matthias.gerst...@suse.com> + +- README.SUSE: add documentation about the state of security of the brltty + daemon (bsc#1214158). + +------------------------------------------------------------------- +Tue Dec 12 12:12:12 UTC 2023 - oher...@suse.de + +- Use ocaml-rpm-macros to track OCaml ABI +- Reduce amount of rpmlint warnings with brltty.rpmlintrc + +------------------------------------------------------------------- New: ---- brltty.rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ brltty.spec ++++++ --- /var/tmp/diff_new_pack.9wmC8e/_old 2023-12-14 22:02:37.394947808 +0100 +++ /var/tmp/diff_new_pack.9wmC8e/_new 2023-12-14 22:02:37.394947808 +0100 @@ -16,6 +16,7 @@ # +%global _lto_cflags %_lto_cflags -ffat-lto-objects %define api_version 0.8.5 %define sover 0_8 %define soname libbrlapi%{sover} @@ -30,6 +31,7 @@ Source0: https://brltty.app/archive/%name-%version.tar.xz Source1: README.SUSE +Source2: %name.rpmlintrc Patch0: brltty-udev-dir.patch Patch1: https://github.com/brltty/brltty/commit/e6707d5e.patch @@ -46,6 +48,7 @@ BuildRequires: libbraille-devel BuildRequires: ncurses-devel BuildRequires: ocaml +BuildRequires: ocaml-rpm-macros >= 20231101 BuildRequires: pkg-config BuildRequires: python-rpm-macros BuildRequires: python3 
@@ -160,7 +163,7 @@ This package contains the XWindow braille driver. %package udev-generic -Summary: BRLTTY Udev rules for braille devices that use a generic USB to serial adapter. +Summary: BRLTTY Udev rules for braille devices that use a generic USB to serial adapter Group: System/Daemons Requires: %name = %version-%release @@ -333,24 +336,28 @@ done export PYTHON=/usr/bin/python3 %configure CPPFLAGS="$java_inc" \ - --with-install-root="%buildroot" \ --with-tables-directory=%_datadir/%name \ - --libexecdir=%_libexecdir \ --disable-stripping make %install sed -i "s=/usr/libexec/brltty-systemd-wrapper=%_libexecdir/brltty-systemd-wrapper=" Autostart/Systemd/brltty@.service -%make_install install-systemd install-udev install-polkit DESTDIR="%buildroot" +%make_install install-systemd install-udev install-polkit INSTALL_ROOT="%buildroot" +for exe in %buildroot%_bindir/* +do + sed -i~ '1{s@%_bindir/env[[:blank:]]\+@%_bindir/@}' "${exe}" + diff -u "$_"~ "$_" || : + rm -f "${exe}~" +done %find_lang %name sed -i "s/#api-parameters Auth=polkit/api-parameters Auth=polkit/" Documents/brltty.conf install -D -m644 Documents/brltty.conf %buildroot%_sysconfdir/brltty.conf # ghost brlapi.key touch %buildroot%_sysconfdir/brlapi.key -# Don't include source files in binary package -rm -f %buildroot%_libdir/ocaml/brlapi/brlapi.{mli,cmxa} +# OCaml +%ocaml_create_file_list +# rm %buildroot%_libdir/libbrlapi.a -rm %buildroot%_libdir/ocaml/brlapi/libbrlapi_stubs.a rm %buildroot/etc/X11/Xsession.d/90xbrlapi # TODO: install this somewhere? # fix missing executable bits test ! -x %buildroot%_bindir/brltty-config.sh 
@@ -526,9 +533,7 @@ %{_jnidir}/libbrlapi_java.so %{_javadir}/brlapi.jar -%files -n ocaml-brlapi -%_libdir/ocaml/brlapi/ -%_libdir/ocaml/stublibs/dllbrlapi_stubs.so* +%files -n ocaml-brlapi -f %name.files.devel %files -n python3-brlapi %{python3_sitearch}/brlapi.cpython*.so ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.9wmC8e/_old 2023-12-14 22:02:37.422948818 +0100 +++ /var/tmp/diff_new_pack.9wmC8e/_new 2023-12-14 22:02:37.426948963 +0100 @@ -25,3 +25,16 @@ like to change this behavior, then you can edit the api-parameters directive in /etc/brltty.conf. +Notes on Security +======================================================================== + +The brltty daemon runs as a dedicated service user and group account named +"brltty". While this looks got from afar, the daemon actually keeps a lot of +privileges, most notably among them: + +- root group membership. +- Linux capabilities CAP_SYS_ADMIN and CAP_MKNOD. + +Therefore the SUSE security team currently considers the brltty service to be +equivalent to root. + ++++++ brltty.rpmlintrc ++++++ addFilter("devel-file-in-non-devel-package") addFilter("static-library-without-debuginfo")
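Review bot: The added `%global _lto_cflags %_lto_cflags -ffat-lto-objects` line at the top of brltty.spec (hunk @@ -16,6 +16,7 @@) has no comment and no entry in brltty.changes explaining why fat LTO objects are needed. Add a one-line spec comment naming the artifact that requires it, so a later cleanup does not drop the flag or keep it longer than necessary.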
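Review bot: In the new shebang-rewrite loop in %install (hunk @@ -333,24 +336,28 @@), `diff -u "$_"~ "$_" || :` relies on the shell's `$_` still holding the last argument of the preceding sed call, which breaks silently if anything is inserted between the two commands; name the files explicitly, as in `diff -u "${exe}~" "${exe}" || :`. The sed expression is also applied to every file under %buildroot%_bindir, compiled binaries included, and its pattern is not anchored to a leading `#!`, so anchoring it there would limit the edit to real interpreter lines. The same hunk replaces the "Don't include source files in binary package" cleanup and the removal of libbrlapi_stubs.a with `%ocaml_create_file_list`; a short comment on what is now intentionally shipped would help.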
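Review bot: The new `%files -n ocaml-brlapi -f %name.files.devel` line (hunk @@ -526,9 +533,7 @@) takes only the generated devel file list, while the removed lines packaged `%_libdir/ocaml/stublibs/dllbrlapi_stubs.so*` explicitly. Please confirm that the generated list still covers that stub library and the `%_libdir/ocaml/brlapi/` directory, and say so in the changes entry.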
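Review bot: In the added "Notes on Security" section of README.SUSE, "While this looks got from afar" should read "looks good from afar". Since the section concludes that the service is equivalent to root because of root group membership, CAP_SYS_ADMIN and CAP_MKNOD, it would also help administrators if the text cited the bug reference from the changes entry (bsc#1214158) so they can follow the state of the issue.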
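Review bot: Both entries in the new brltty.rpmlintrc, `addFilter("devel-file-in-non-devel-package")` and `addFilter("static-library-without-debuginfo")`, are unscoped and therefore suppress these warnings for every subpackage built from this spec. Narrow each filter expression to the subpackage that actually triggers it and add a comment giving the reason, so a new occurrence in another subpackage is still reported.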