Bug#835451: debian-policy: Building as root should be discouraged

2017-08-06 Thread Santiago Vila
On Fri, Aug 04, 2017 at 03:42:34PM -0400, Sean Whitton wrote:
> On Thu, Aug 03, 2017 at 03:43:56PM +, Mike Gabriel wrote:
> > I am not saying that the build target must not be empty. It can be empty but
> > the build-a ... build-n dependencies have to be moved away from the binary
> > target and have to be made dependencies of the build target (which can only
> > have deps but no own instructions).
> > 
> > And if that makes packages buggy, then they are actually quite buggy,
> > because the build-a ... build-n get executed in a fakeroot concept by design
> > of dpkg-buildpackage. And IMHO this should definitely be avoided.
> 
> Just to be clear, I do agree with you that this situation where they are
> deps of the binary target is bad.
> 
> Interested to hear what Santiago thinks.

Hi.

I have to agree with everything Mike Gabriel said. The first patch
you proposed seems insufficient to me.

All the building stuff should be made in the build target, and we
might better not allow any of the binary target to depend on any of
the build targets, as the current policy seems to allow.

Thanks.



Bug#835451: debian-policy: Building as root should be discouraged

2017-08-04 Thread Sean Whitton
On Thu, Aug 03, 2017 at 03:43:56PM +, Mike Gabriel wrote:
> I am not saying that the build target must not be empty. It can be empty but
> the build-a ... build-n dependencies have to be moved away from the binary
> target and have to be made dependencies of the build target (which can only
> have deps but no own instructions).
> 
> And if that makes packages buggy, then they are actually quite buggy,
> because the build-a ... build-n get executed in a fakeroot concept by design
> of dpkg-buildpackage. And IMHO this should definitely be avoided.

Just to be clear, I do agree with you that this situation where they are
deps of the binary target is bad.

Interested to hear what Santiago thinks.

-- 
Sean Whitton




Bug#835451: debian-policy: Building as root should be discouraged

2017-08-03 Thread Mike Gabriel

Hi Sean,

On Thu 03 Aug 2017 17:35:59 CEST, Sean Whitton wrote:

> control: tag -1 +patch
>
> Hello Santiago, Mike,
>
> On Wed, Aug 02, 2017 at 07:15:28PM +0200, Santiago Vila wrote:
>
> > Yes, indeed!
>
> Great, I'm happy we figured that out.
>
> I believe that my previous patch does indeed answer the concern you've
> raised.  So once again, I'm seeking seconds for that patch.

I don't think that your patch solves the actual problem: Policy saying
that build sub-targets should be handled from within the binary
target. This is wrong by design IMHO.

Personally, that patch is too weak for addressing this bug.

> On Wed, Aug 02, 2017 at 07:52:35PM +, Mike Gabriel wrote:
>
> > [...]
>
> Since the permission to have an empty build target has been in policy
> for a long time, imposing this requirement would make a lot of packages
> buggy.  Changes to policy are not meant to do this.  By contrast, my
> patch reflects a consensus that we can be confident already exists.

I am not saying that the build target must not be empty. It can be
empty but the build-a ... build-n dependencies have to be moved away
from the binary target and have to be made dependencies of the build
target (which can only have deps but no own instructions).

And if that makes packages buggy, then they are actually quite buggy,
because the build-a ... build-n get executed in a fakeroot concept by
design of dpkg-buildpackage. And IMHO this should definitely be avoided.

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#835451: debian-policy: Building as root should be discouraged

2017-08-03 Thread Sean Whitton
control: tag -1 +patch

Hello Santiago, Mike,

On Wed, Aug 02, 2017 at 07:15:28PM +0200, Santiago Vila wrote:
> Yes, indeed!

Great, I'm happy we figured that out.

I believe that my previous patch does indeed answer the concern you've
raised.  So once again, I'm seeking seconds for that patch.

On Wed, Aug 02, 2017 at 07:52:35PM +, Mike Gabriel wrote:
> Then my suggestion (as discussed here in DebCamp) would be to rephrase that
> paragraph rather than removing it entirely.
>
> What needs to be said is that if you have a package that builds the software
> multiple times (e.g. once against gtk2, next against gtk3), you need to
> define each of the build processes as build-a, build-b, etc.
>
> These build sub-targets need to be called from the build target and _must_
> _not_ be called from the binary target.

This is a much bigger change than my proposal.  In addition to the
requirement that the build-a and build-b targets don't require root
privs, it also requires that they be dependencies of the build target,
or be invoked by that target.

Since the permission to have an empty build target has been in policy
for a long time, imposing this requirement would make a lot of packages
buggy.  Changes to policy are not meant to do this.  By contrast, my
patch reflects a consensus that we can be confident already exists.

-- 
Sean Whitton




Bug#835451: debian-policy: Building as root should be discouraged

2017-08-02 Thread Mike Gabriel

Hi Santiago,

On Wed 02 Aug 2017 19:15:28 CEST, Santiago Vila wrote:

> On Wed, Aug 02, 2017 at 10:52:59AM -0400, Sean Whitton wrote:
>
> > control: tag -1 -patch
> >
> > Hello again Santiago,
> >
> > Some of us here at DebCamp have been reading your message and we're
> > still not sure of your intention.
> >
> > On Thu, Aug 25, 2016 at 09:41:26PM +0200, Santiago Vila wrote:
> > > Debian Policy 4.9 says:
> > >
> > >  For some packages, notably ones where the same source tree is compiled
> > >  in different ways to produce two binary packages, the build target
> > >  does not make much sense. For these packages it is good enough to
> > >  provide two (or more) targets (build-a and build-b or whatever) for
> > >  each of the ways of building the package, and a build target that does
> > >  nothing. The binary target will have to build the package in each of
> > >  the possible ways and make the binary package out of each.
> > >
> > > Actually, no, I don't think that's "good enough".
> > >
> > > We should better avoid building packages as root (including fakeroot).
> >
> > We already have in policy both:
> >
> > (i) The build target must not do anything that might require root
> > privilege.
> >
> > (ii) The binary targets must be invoked as root [or fakeroot].
> >
> > However, in the paragraph you quoted, there is a loophole: if the
> > build-a and build-b targets are not invoked by the build target, instead
> > directly invoked by the binary target, then (i) does not apply, and
> > indeed (ii) applies and they will be invoked as root.
> >
> > Is that why you want to delete that paragraph?
>
> Yes, indeed!
>
> There is some background in libtool Bug #806654. It was a really
> strange build failure and it was not self-evident that the failure was
> the result of building as root. In this particular case, the package
> had only standard build-indep and build-arch targets, but it made me
> read policy again and that's when I found out about the "good enough"
> thing.

Then my suggestion (as discussed here in DebCamp) would be to rephrase
that paragraph rather than removing it entirely.

What needs to be said is that if you have a package that builds the
software multiple times (e.g. once against gtk2, next against gtk3),
you need to define each of the build processes as build-a, build-b, etc.

These build sub-targets need to be called from the build target and
_must_ _not_ be called from the binary target.



e.g.

build: build-a build-b
<-->BUILD SOMETHING HERE THAT build-a AND build-b NEED ALIKE (optional)

build-a:
<-->BUILD SOMETHING IN THE a-WAY

build-b:
<-->BUILD SOMETHING IN THE b-WAY


binary: binary-a binary-b
<-->COMMON FILES SHARED BETWEEN binary-a AND binary-b (optional)

binary-a:
<-->INSTALL FILES FROM build-a INTO BIN:PACKAGE(S)

binary-b:
<-->INSTALL FILES FROM build-b INTO BIN:PACKAGE(S)


Right?

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



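A small checker for the loophole Sean describes (build-a/build-b reached from the binary target, hence run under fakeroot) and the layout Mike sketches above, added here as an illustration and not part of the thread or of any Debian tool: it reads plain "target: prerequisites" lines from a debian/rules and reports build sub-targets that some binary* target reaches but the build target does not. Both rules fragments, the package names and the dh_install calls are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed debian/rules fragments (not from any real package): RULES_LOOPHOLE
# hangs build-a/build-b off binary (the thread's loophole), RULES_FIXED off build.
RULES_LOOPHOLE = """\
build:
build-a:
\t./configure --with-gtk2 && $(MAKE)
build-b:
binary: build-a build-b
\tdh_install
"""
RULES_FIXED = """\
build: build-a build-b
build-a:
\t./configure --with-gtk2 && $(MAKE)
build-b:
binary: binary-a binary-b
binary-a:
\tdh_install -pfoo-gtk2
binary-b:
"""
# 'target: prereqs' lines only; the lookahead keeps 'VAR := x' out.
RULE_RE = re.compile(r"^([A-Za-z0-9_.%-]+)\s*:(?!=)\s*(.*)$")
def parse_rules(text):
    """Map each target to its prerequisites; recipe/comment lines are skipped."""
    deps = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("\t") or line.lstrip().startswith("#"):
            continue
        if m := RULE_RE.match(line):
            deps[m.group(1)].extend(m.group(2).split())
    return deps

def reachable(deps, start):
    seen, stack = set(), [start]  # iterative DFS over prerequisites
    while stack:
        for dep in deps.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def build_targets_run_as_root(rules_text):
    """build* targets reached from binary* but not from build: root-only."""
    deps = parse_rules(rules_text)
    safe = reachable(deps, "build") | {"build"}
    binaries = [t for t in deps if t.startswith("binary")]
    return sorted({d for b in binaries for d in reachable(deps, b)
                   if d.startswith("build") and d not in safe})
```

It understands literal rule lines only; debhelper's `%:` catch-all, included makefiles and variable expansion are out of scope, so treat it as a reading aid rather than a lintian-grade check.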


Bug#835451: debian-policy: Building as root should be discouraged

2017-08-02 Thread Santiago Vila
On Wed, Aug 02, 2017 at 10:52:59AM -0400, Sean Whitton wrote:
> control: tag -1 -patch
> 
> Hello again Santiago,
> 
> Some of us here at DebCamp have been reading your message and we're
> still not sure of your intention.
> 
> On Thu, Aug 25, 2016 at 09:41:26PM +0200, Santiago Vila wrote:
> > Debian Policy 4.9 says:
> > 
> >  For some packages, notably ones where the same source tree is compiled
> >  in different ways to produce two binary packages, the build target
> >  does not make much sense. For these packages it is good enough to
> >  provide two (or more) targets (build-a and build-b or whatever) for
> >  each of the ways of building the package, and a build target that does
> >  nothing. The binary target will have to build the package in each of
> >  the possible ways and make the binary package out of each. 
> > 
> > Actually, no, I don't think that's "good enough".
> > 
> > We should better avoid building packages as root (including fakeroot).
> 
> We already have in policy both:
> 
> (i) The build target must not do anything that might require root
> privilege.
> 
> (ii) The binary targets must be invoked as root [or fakeroot].
> 
> However, in the paragraph you quoted, there is a loophole: if the
> build-a and build-b targets are not invoked by the build target, instead
> directly invoked by the binary target, then (i) does not apply, and
> indeed (ii) applies and they will be invoked as root.
> 
> Is that why you want to delete that paragraph?

Yes, indeed!

There is some background in libtool Bug #806654. It was a really
strange build failure and it was not self-evident that the failure was
the result of building as root. In this particular case, the package
had only standard build-indep and build-arch targets, but it made me
read policy again and that's when I found out about the "good enough"
thing.

Thanks.



Bug#835451: debian-policy: Building as root should be discouraged

2017-08-02 Thread Sean Whitton
control: tag -1 -patch

Hello again Santiago,

Some of us here at DebCamp have been reading your message and we're
still not sure of your intention.

On Thu, Aug 25, 2016 at 09:41:26PM +0200, Santiago Vila wrote:
> Debian Policy 4.9 says:
> 
>  For some packages, notably ones where the same source tree is compiled
>  in different ways to produce two binary packages, the build target
>  does not make much sense. For these packages it is good enough to
>  provide two (or more) targets (build-a and build-b or whatever) for
>  each of the ways of building the package, and a build target that does
>  nothing. The binary target will have to build the package in each of
>  the possible ways and make the binary package out of each. 
> 
> Actually, no, I don't think that's "good enough".
> 
> We should better avoid building packages as root (including fakeroot).

We already have in policy both:

(i) The build target must not do anything that might require root
privilege.

(ii) The binary targets must be invoked as root [or fakeroot].

However, in the paragraph you quoted, there is a loophole: if the
build-a and build-b targets are not invoked by the build target, instead
directly invoked by the binary target, then (i) does not apply, and
indeed (ii) applies and they will be invoked as root.

Is that why you want to delete that paragraph?

-- 
Sean Whitton




Bug#835451: debian-policy: Building as root should be discouraged

2017-08-02 Thread Sean Whitton
control: tag -1 +patch

Hello Santiago,

On Thu, Aug 25, 2016 at 09:41:26PM +0200, Santiago Vila wrote:
> We should better avoid building packages as root (including fakeroot).
> 
> Otherwise we will find nasty surprises like the libtool Bug #806654,
> where a badly written debian/rules made the whole build be done as
> root, including the tests, which in turn made the build fail.
> 
> My proposal to fix this would be to remove the quoted paragraph
> entirely.

The next paragraph says:

The build target must not do anything that might require root
privilege.

I think that we could respond to your concern with the following patch,
which I believe reflects current project consensus, and thus for which I
am seeking seconds:

diff --git a/policy.xml b/policy.xml
index 3daa532..829cda4 100644
--- a/policy.xml
+++ b/policy.xml
@@ -2059,8 +2059,11 @@
   possible ways and make the binary package out of each.
 
 
-  The build target must not do anything
-  that might require root privilege.
+  The build target, and targets like
+  build-a and
+  build-b used per the previous
+  paragraph, must not do anything that might require root
+  privilege.
 
 
   The build target may need to run the
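Review bot: the new sentence only says what build-a/build-b must not do, not where they must be invoked from, and the context line above the hunk ("possible ways and make the binary package out of each.") still instructs the binary target to do the building, so under dpkg-buildpackage those sub-targets remain reachable only from binary and therefore still run under (fake)root; consider adding that build-a/build-b must be prerequisites of, or invoked by, the build target, or rewording the preceding paragraph so that the binary target only packages what those targets produced.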

-- 
Sean Whitton




Bug#835451: debian-policy: Building as root should be discouraged

2016-08-25 Thread Santiago Vila
Package: debian-policy
Version: 3.9.8

Greetings.

Debian Policy 4.9 says:

 For some packages, notably ones where the same source tree is compiled
 in different ways to produce two binary packages, the build target
 does not make much sense. For these packages it is good enough to
 provide two (or more) targets (build-a and build-b or whatever) for
 each of the ways of building the package, and a build target that does
 nothing. The binary target will have to build the package in each of
 the possible ways and make the binary package out of each. 

Actually, no, I don't think that's "good enough".

We should better avoid building packages as root (including fakeroot).

Otherwise we will find nasty surprises like the libtool Bug #806654,
where a badly written debian/rules made the whole build be done as
root, including the tests, which in turn made the build fail.

My proposal to fix this would be to remove the quoted paragraph
entirely.

Then the paragraph above it would prevail and it would be the only
policy regarding this:

 The build target should perform all the configuration and compilation
 of the package. [...]


I don't know if there are a lot of packages building things as root,
but at the very minimum we should deprecate that and stop saying it is
"good enough".

Thanks.