On Wed, 2019-05-15 at 14:42:53 +0200, Santiago Vila wrote:
> On Wed, May 15, 2019 at 02:21:49PM +0200, Guillem Jover wrote:
> > > To be precise, if I apply the patch below to hello-traditional_2.10-5
> > > and do "dpkg-buildpackage -uc -us -b" in a sid chroot, I get a .deb
> > > package with all files owned by "sanvila/sanvila".
> >
> > Ah. :) Ok let's try to see whether the current spec/doc is enough or
> > whether it'd need improvements. So it would be great if you could go
> > over /usr/share/doc/dpkg-dev/rootless-builds.txt.gz and see whether
> > you can figure it out with just that? Also assuming you were not aware
> > of that doc, where do you think it could have been referred from so
> > that it would be easy to get to?
>
> Yes, I read the document (following a link from lintian), and no,
> I was not able to figure out.

BTW, I just recalled this is also documented now in policy, I'll file
a bug on lintian to add a reference.

> (BTW: The document speaks about "the builder", who is exactly this
> mysterious character? dpkg-deb? sbuild? the person doing the build?)

This is whatever or whoever is calling debian/rules. I've updated the
doc.

> > (Briefly checking it now again, I think it should spell out dpkg-deb's
> > --root-owner-group option on the prototyping/preparation section.)
>
> Ok, I see it now. So, I should use Rules-Requires-Root: no and
> also add --root-owner-group to the "dpkg --build" call, right?

Yes.

> Should I also add a versioned build-depends on dpkg-dev?

You want a build-dep on dpkg >= 1.19.0 itself for the new dpkg-deb
option. I guess you could also want a build-dep on dpkg-dev >= 1.19.1
for the R³ field support, but in your specific case it does not matter
much, as either it will be supported and debian/rules will not be
called with (fake)root, or it will not be supported and it will be
called with (fake)root, which will not matter much as dpkg-deb will do
the right thing anyway.

I'm attaching the diff to the spec, but not sure whether that'd have
been enough to make this more clear?

Thanks,
Guillem

diff --git i/doc/rootless-builds.txt w/doc/rootless-builds.txt index 0b6b9d849..3298768ec 100644 --- i/doc/rootless-builds.txt +++ w/doc/rootless-builds.txt @@ -48,10 +48,11 @@ The values are defined as: (See also "Implementation provided keywords".) - When "Rules-Requires-Root" is set to <implementations-keywords>, the - builder will expose an interface that is used to run a command under - (fake)root via the "Gain Root API". If the builder cannot provide such - a command, it MUST behave like "Rules-Requires-Root" was set to - "binary-targets", i.e. run "debian/rules binary" under (fake)root. + builder (i.e. whatever is executing debian/rules) will expose an + interface that is used to run a command under (fake)root via the + "Gain Root API". If the builder cannot provide such a command, it + MUST behave like "Rules-Requires-Root" was set to "binary-targets", + i.e. run "debian/rules binary" under (fake)root. When the builder supports this specification, it MUST notify this fact to the rules file via the "DEB_RULES_REQUIRES_ROOT" environment variable, with @@ -139,12 +140,12 @@ Prototyping/preparation dpkg side --------- -dpkg-deb --build must either default to resetting all owner/group values to -0:0 when not run under (fake)root OR provide an interface so dh_builddeb can -provide the owner/group value to dpkg-deb --build. +dpkg-deb --build provides the --root-owner-group option so that dh_builddeb +or direct calls can control the owner/group file values w/o requiring +(fake)root. -dpkg-buildpackage must export DEB_GAIN_ROOT_CMD (for starters, doing this -unconditionally would be fine). +dpkg-buildpackage must export DEB_GAIN_ROOT_CMD when necessary (for +prototyping, doing this unconditionally would be fine). debhelper side
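
Review bot: In the first hunk (@@ -48,10 +48,11 @@), the definition of "builder" is tucked into a parenthetical inside the bullet for the <implementations-keywords> value, yet the term is used again in the very next paragraph ("When the builder supports this specification, it MUST notify ..."). A reader who lands on any other occurrence will not find the definition, so it would be better stated once where the term is first used or in its own short definition. The wording "whatever is executing debian/rules" also covers only tools, while the question that prompted the change asked whether it could be the person doing the build; "whatever or whoever is executing debian/rules" would answer that directly.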
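
Review bot: In the second hunk (@@ -139,12 +140,12 @@), "dpkg-buildpackage must export DEB_GAIN_ROOT_CMD when necessary" adds a condition to a requirement without saying what the condition is; naming the "Rules-Requires-Root" values for which the variable has to be exported would make it checkable. In the dpkg-deb paragraph, "w/o" should be spelled out as "without" in specification text, and since packagers need a versioned dependency to rely on --root-owner-group, the paragraph could state the dpkg version that introduced the option.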
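
The setup confirmed in the reply above (dpkg-deb's --root-owner-group on the build call), as an added example that is not part of the original message or of dpkg's documentation: it builds a constructed package tree named r3-demo without (fake)root and lists the owner/group pairs recorded in the .deb, which also works as a pre-upload check that no build-user ownership leaked into the archive. It assumes dpkg >= 1.19.0; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. The package name "r3-demo" and its contents are constructed.

# Create a minimal binary package tree under $1.
make_tree() {
    mkdir -p "$1/DEBIAN" "$1/usr/share/doc/r3-demo"
    chmod 0755 "$1" "$1/DEBIAN"   # dpkg-deb requires mode 0755..0775 on DEBIAN
    echo "constructed sample file" > "$1/usr/share/doc/r3-demo/README"
    cat > "$1/DEBIAN/control" <<'EOF'
Package: r3-demo
Version: 1.0
Architecture: all
Maintainer: Example Maintainer <maintainer@example.org>
Description: constructed sample for checking .deb member ownership
EOF
}

# Print the distinct owner/group pairs recorded in the .deb at $1.
deb_owners() {
    dpkg-deb --contents "$1" | awk '{ print $2 }' | sort -u
}

# Build the tree with the dpkg-deb options given as arguments (none, or
# --root-owner-group) and print the owner/group pairs of the result.
build_and_list_owners() {
    work=$(mktemp -d) || return 1
    make_tree "$work/tree"
    if dpkg-deb "$@" --build "$work/tree" "$work/r3-demo.deb" >/dev/null; then
        deb_owners "$work/r3-demo.deb"; rc=$?
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Run as an unprivileged user without fakeroot: the first call prints that
# user's owner/group, the second prints root/root.
echo "default:            $(build_and_list_owners)"
echo "--root-owner-group: $(build_and_list_owners --root-owner-group)"
```

Any line other than root/root in the second listing means the archive would install files owned by whatever local account happens to match the recorded owner.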