commit:     dcd9ff588ba87099a9716ffa536fe5d1dfc8669c
Author:     Giuseppe Foti <foti.giuseppe <AT> gmail <DOT> com>
AuthorDate: Mon Aug  7 23:48:42 2023 +0000
Commit:     Florian Schmaus <flow <AT> gentoo <DOT> org>
CommitDate: Wed Aug  9 13:28:23 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcd9ff58

net-analyzer/notus-scanner: fix OpenRC script, disable hash verification

Hashsum verification needs the creation of a GnuPG keychain that has
to be done manually by the user after installation.

Signed-off-by: Giuseppe Foti <foti.giuseppe <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/32215
Signed-off-by: Florian Schmaus <flow <AT> gentoo.org>

 .../notus-scanner/files/notus-scanner.confd        | 11 ---------
 .../notus-scanner/files/notus-scanner.initd        | 21 +++++++++--------
 .../notus-scanner/files/notus-scanner.toml         |  2 +-
 ...2.5.0.ebuild => notus-scanner-22.5.0-r1.ebuild} | 26 ++++++++++++++++++----
 4 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/net-analyzer/notus-scanner/files/notus-scanner.confd 
b/net-analyzer/notus-scanner/files/notus-scanner.confd
deleted file mode 100644
index 5000145abaeb..000000000000
--- a/net-analyzer/notus-scanner/files/notus-scanner.confd
+++ /dev/null
@@ -1,11 +0,0 @@
-# Notus Scanner command args
-
-NOTUS_SCANNER_OPTIONS="--log-file=/var/log/gvm/notus-scanner.log"
-
-NOTUS_SCANNER_MQTT_BROKER_ADDRESS="--mqtt-broker-address localhost"
-
-NOTUS_SCANNER_MQTT_BROKER_PORT="--mqtt-broker-port 1883"
-
-NOTUS_SCANNER_PRODUCTS_DIRECTORY="--products-directory /var/lib/notus/products"
-
-NOTUS_DISABLE_HASHSUM_VERIFICATION="--disable-hashsum-verification false"

diff --git a/net-analyzer/notus-scanner/files/notus-scanner.initd 
b/net-analyzer/notus-scanner/files/notus-scanner.initd
index e00e9118e32e..6db3422bccba 100644
--- a/net-analyzer/notus-scanner/files/notus-scanner.initd
+++ b/net-analyzer/notus-scanner/files/notus-scanner.initd
@@ -1,17 +1,19 @@
 #!/sbin/openrc-run
-# Copyright 2023Gentoo Authors
+# Copyright 2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
+: ${GVM_USER:=gvm}
+: ${GVM_GROUP:=$(id -ng ${GVM_USER})}
+: ${NOTUS_TIMEOUT:=30}
+
 name="Greenbone Notus Scanner"
 command=/usr/bin/notus-scanner
+command_user="${GVM_USER}:${GVM_GROUP}"
 pidfile="/run/notus-scanner/${RC_SVCNAME}.pid"
-command_args="${NOTUS_SCANNER_OPTIONS} \
-       ${NOTUS_SCANNER_MQTT_BROKER_ADDRESS} \
-       ${NOTUS_SCANNER_MQTT_BROKER_PORT} \
-       ${NOTUS_SCANNER_PRODUCTS_DIRECTORY} \
-       ${NOTUS_DISABLE_HASHSUM_VERIFICATION} \
-       --pid-file ${pidfile} \
-       --config /etc/gvm/notus-scanner.toml"
+configfile="/etc/gvm/notus-scanner.toml"
+command_args="--pid-file ${pidfile} \
+       --config ${configfile}"
+retry="${NOTUS_TIMEOUT}"
 
 depend() {
        after bootmisc
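Review bot: `GVM_GROUP` is filled in by running `id -ng ${GVM_USER}` with the user name unquoted and with no check that the lookup succeeded, so a missing or mistyped account leaves the group part of `command_user` empty. Quote the argument, `: ${GVM_GROUP:=$(id -ng "${GVM_USER}")}`, and consider failing early in `start_pre` when the result is empty; how the launcher treats an empty group is not visible from this hunk. Since the commit also deletes the conf.d file, a short comment above the three defaults saying they can be overridden from the service's conf.d file would keep them discoverable. `depend()` continues outside the hunk.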
@@ -19,5 +21,6 @@ depend() {
 }
 
 start_pre() {
-        checkpath -d /var/run/notus-scanner
+        checkpath -d --owner ${GVM_USER} /var/run/notus-scanner
 }
+
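Review bot: `checkpath` creates `/var/run/notus-scanner` while `pidfile` in the same script points at `/run/notus-scanner`, so the two agree only where `/var/run` is a symlink to `/run`. The call also sets an owner but no group or mode, which leaves the permissions of the directory holding the pidfile to whatever checkpath defaults to. Deriving the path from the variable and pinning the mode makes both explicit: `checkpath -d --owner "${GVM_USER}:${GVM_GROUP}" --mode 0755 "${pidfile%/*}"`. The blank line added after the closing brace can be dropped.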

diff --git a/net-analyzer/notus-scanner/files/notus-scanner.toml 
b/net-analyzer/notus-scanner/files/notus-scanner.toml
index cff33c77afc8..a266784ed163 100644
--- a/net-analyzer/notus-scanner/files/notus-scanner.toml
+++ b/net-analyzer/notus-scanner/files/notus-scanner.toml
@@ -5,4 +5,4 @@ products-directory = "/var/lib/notus/products"
 pid-file = "/run/notus-scanner/notus-scanner.pid"
 log-file = "/var/log/gvm/notus-scanner.log"
 log-level = "INFO"
-disable-hashsum-verification = false
+disable-hashsum-verification = true
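Review bot: With `disable-hashsum-verification = true` the packaged default skips the integrity check of the feed content, and nothing in the file says this is a stop-gap. A comment directly above the key would make that visible to whoever edits it, for example `# Verification is off only because it needs a GnuPG keyring with the Greenbone Community Feed integrity key; set to false once the keyring exists.` Because the file is installed under /etc, an upgrade will presumably offer existing installs a config merge that turns a previously `false` value into `true`. Users who already created the keyring should be told to reject that change.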

diff --git a/net-analyzer/notus-scanner/notus-scanner-22.5.0.ebuild 
b/net-analyzer/notus-scanner/notus-scanner-22.5.0-r1.ebuild
similarity index 65%
rename from net-analyzer/notus-scanner/notus-scanner-22.5.0.ebuild
rename to net-analyzer/notus-scanner/notus-scanner-22.5.0-r1.ebuild
index 630d765d70a5..7ebe6a06c3fb 100644
--- a/net-analyzer/notus-scanner/notus-scanner-22.5.0.ebuild
+++ b/net-analyzer/notus-scanner/notus-scanner-22.5.0-r1.ebuild
@@ -5,7 +5,7 @@ EAPI=8
 
 PYTHON_COMPAT=( python3_11 )
 DISTUTILS_USE_PEP517=poetry
-inherit distutils-r1 systemd
+inherit distutils-r1 readme.gentoo-r1 systemd
 
 DESCRIPTION="Notus is a vulnerability scanner for creating results from local 
security checks"
 HOMEPAGE="https://github.com/greenbone/notus-scanner";
@@ -32,6 +32,18 @@ RDEPEND="
        ${DEPEND}
        app-misc/mosquitto
 "
+FORCE_PRINT_ELOG="yes"
+DOC_CONTENTS="
+For validating the feed content, a GnuPG keychain with the Greenbone Community 
Feed integrity key needs to be created.
+Please, read here on how to create it:
+https://greenbone.github.io/docs/latest/22.4/source-build/index.html#feed-validation
+https://wiki.gentoo.org/wiki/Greenbone_Vulnerability_Management#Notus_Scanner
+
+To enable feed validation, edit /etc/gvm/${PN}.toml
+and set
+disable-hashsum-verification = false"
+
+DISABLE_AUTOFORMATTING=true
 
 distutils_enable_tests unittest
 
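Review bot: `DOC_CONTENTS` explains how to turn feed validation on but never states that the installed configuration ships with it turned off, so the text can be read as optional hardening rather than as restoring a disabled check. Open the message with a line such as `Feed validation (hashsum verification) is DISABLED in the installed /etc/gvm/${PN}.toml.` and say that the keyring has to exist before the option is set to false. With `FORCE_PRINT_ELOG` set the message is shown on every merge, so that wording is what users will act on.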
@@ -41,9 +53,11 @@ python_compile() {
 
 python_install() {
        distutils-r1_python_install
+
        insinto /etc/gvm
-       doins "${FILESDIR}/${PN}.toml"
-       fowners gvm:gvm "/etc/gvm/${PN}.toml"
+       use prefix || fowners -R gvm:gvm /etc/gvm
+       newins "${FILESDIR}/${PN}.toml" "${PN}.toml"
+       use prefix || fowners gvm:gvm "/etc/gvm/${PN}.toml"
 
        # Set proper permissions on required files/directories
        keepdir /var/lib/notus
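Review bot: `fowners -R gvm:gvm /etc/gvm` gives the whole configuration directory to the account the daemon runs as (the init script in this commit sets `command_user` to that user), so the service can rewrite its own settings, including `disable-hashsum-verification`. Unless the scanner has to write there, root ownership with group read is enough: `use prefix || fowners root:gvm "/etc/gvm/${PN}.toml"` together with `fperms 0640 "/etc/gvm/${PN}.toml"`. The recursive call also runs before `newins`, so whether `/etc/gvm` exists in the image at that point depends on what `distutils-r1_python_install` placed there, and the later per-file `fowners` repeats it. `python_install` continues past the end of this hunk.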
@@ -54,10 +68,14 @@ python_install() {
        fi
 
        newinitd "${FILESDIR}/${PN}.initd" "${PN}"
-       newconfd "${FILESDIR}/${PN}.confd" "${PN}"
 
        systemd_dounit config/${PN}.service
 
        systemd_install_serviced "${FILESDIR}/notus-scanner.service.conf" \
                        ${PN}.service
+       readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+       readme.gentoo_print_elog
 }
