This is an automated email from the git hooks/post-receive script. smcv pushed a commit to branch quake in repository game-data-packager.
commit f0cb994713499b521ca9678ec7f72d22a207837d Author: Simon McVittie <s...@debian.org> Date: Sun Dec 27 23:25:53 2015 +0000 Add a confirmation step before running binary-only executables The proprietary binaries don't really have any security support at this point, so the least we can do is to recommend that users are careful. --- Makefile | 24 +++++++++ README.binary.in | 8 +++ confirm-binary-only.sh | 134 +++++++++++++++++++++++++++++++++++++++++++++++++ debian/control | 2 + debian/etqw.install | 2 + debian/quake4.install | 2 + debian/rules | 3 ++ quake4.in | 18 ++++++- 8 files changed, 191 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 1d00d40..29828e4 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,7 @@ # Makefile - used for building icon +distro ?= $(shell lsb_release -si) + layer_sizes = 16 22 32 48 256 text = \ @@ -13,6 +15,8 @@ text = \ build/quake3-server \ build/quake4-dedicated \ build/etqw-dedicated \ + build/README.etqw-bin \ + build/README.quake4-bin \ $(NULL) obj = \ @@ -77,6 +81,7 @@ build/quake4: quake4.in Makefile install -d build sed \ -e 's!@id@!quake4!' \ + -e 's!@icon@!/usr/share/icons/hicolor/48x48/apps/quake4.png!' \ -e 's!@longname@!Quake 4!' \ -e 's!@shortname@!Quake 4!' \ -e 's!@binary@!quake4.x86!' \ @@ -89,10 +94,19 @@ build/quake4: quake4.in Makefile < $< > $@ chmod +x $@ +build/README.quake4-bin: README.binary.in Makefile + install -d build + sed \ + -e 's!@id@!quake4!' \ + -e 's!@shortname@!Quake 4!' \ + -e 's!@distro@!$(distro)!' \ + < $< > $@ + build/etqw: quake4.in Makefile install -d build sed \ -e 's!@id@!etqw!' \ + -e 's!@icon@!/usr/share/pixmaps/etqw.png!' \ -e 's!@longname@!Enemy Territory: Quake Wars!' \ -e 's!@shortname@!ETQW!' \ -e 's!@binary@!etqw.x86!' \ 
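Review bot: In the `@@ -1,5 +1,7 @@` hunk, `distro ?= $(shell lsb_release -si)` expands to an empty string when lsb_release is not installed. The new `build/README.quake4-bin` rule (and `build/README.etqw-bin` in the next Makefile hunk) would then generate a security notice that reads "If it does,  cannot fix them." The Debian build passes `distro=` explicitly in debian/rules, so only other builds are affected; a fallback such as `distro ?= $(shell lsb_release -si 2>/dev/null || echo "your distribution")` keeps the warning readable. The value is also spliced unescaped into a sed replacement that uses `!` as delimiter, so a vendor string containing `!`, `&` or a backslash would break or alter the substitution.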
@@ -105,6 +119,14 @@ build/etqw: quake4.in Makefile < $< > $@ chmod +x $@ +build/README.etqw-bin: README.binary.in Makefile + install -d build + sed \ + -e 's!@id@!etqw!' \ + -e 's!@shortname@!ETQW!' \ + -e 's!@distro@!$(distro)!' \ + < $< > $@ + build/quake2-server: quake2.in install -d build sed -e 's/@self@/quake2-server/g' \ @@ -136,6 +158,7 @@ build/quake4-dedicated: quake4.in Makefile install -d build sed \ -e 's!@id@!quake4!' \ + -e 's!@icon@!/usr/share/icons/hicolor/48x48/apps/quake4.png!' \ -e 's!@longname@!Quake 4!' \ -e 's!@shortname@!Quake 4!' \ -e 's!@binary@!q4ded.x86!' \ @@ -152,6 +175,7 @@ build/etqw-dedicated: quake4.in Makefile install -d build sed \ -e 's!@id@!etqw!' \ + -e 's!@icon@!/usr/share/pixmaps/etqw.png!' \ -e 's!@longname@!Enemy Territory: Quake Wars!' \ -e 's!@shortname@!ETQW!' \ -e 's!@binary@!etqwded.x86!' \ diff --git a/README.binary.in b/README.binary.in new file mode 100644 index 0000000..2d381bb --- /dev/null +++ b/README.binary.in @@ -0,0 +1,8 @@ +@shortname@ is a binary-only game and might contain security +vulnerabilities or other bugs. If it does, @distro@ cannot fix them. + +Using this game for multiplayer on untrusted networks is not +recommended. To protect personal files, you could create a dedicated +user ID to run games. + +This message will be shown once for each user ID that runs @shortname@. diff --git a/confirm-binary-only.sh b/confirm-binary-only.sh new file mode 100755 index 0000000..c782e3a --- /dev/null +++ b/confirm-binary-only.sh 
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+set -e
+
+icon=
+dotdir=
+text_file=
+title=
+
+run () {
+ mkdir -p -m700 "${dotdir}"
+ touch "${dotdir}/confirmed-binary-only"
+ exec "$@"
+ exit 70 # EX_SOFTWARE
+}
+
+try_zenity () {
+ if ! command -v zenity >/dev/null; then
+ return 1
+ fi
+
+ e=0
+ zenity --text-info --filename="$text_file" --title="$title" \
+ --checkbox="I'll be careful" --ok-label="Run" \
+ --window-icon="${icon}" \
+ --width=500 --height=400 || e=$?
+ case "$e" in
+ (0)
+ run "$@"
+ ;;
+ (*)
+ exit 77 # EX_NOPERM
+ ;;
+ esac
+}
+
+try_kdialog () {
+ if ! command -v kdialog >/dev/null; then
+ return 1
+ fi
+
+ e=0
+ kdialog --title "$TITLE" --warningcontinuecancel "$(cat "$text_file")" || \
+ e=$?
+ case "$e" in
+ (0)
+ run "$@"
+ ;;
+ (*)
+ exit 77 # EX_NOPERM
+ ;;
+ esac
+}
+
+try_xmessage () {
+ if ! command -v xmessage >/dev/null; then
+ return 1
+ fi
+
+ e=0
+ xmessage -buttons Run:100,Cancel:101 -nearmouse -file "$text_file" || e=$?
+ case "$e" in
+ (100)
+ run "$@"
+ ;;
+ (*)
+ exit 77 # EX_NOPERM
+ ;;
+ esac
+}
+
+while [ "$#" -gt 0 ]; do
+ case "$1" in
+ (--dotdir)
+ dotdir="$2"
+ shift 2
+ ;;
+
+ (--icon)
+ icon="$2"
+ shift 2
+ ;;
+
+ (--title)
+ title="$2"
+ shift 2
+ ;;
+
+ (--text-file)
+ text_file="$2"
+ shift 2
+ ;;
+
+ (--)
+ shift
+ ;;
+
+ (*)
+ break
+ ;;
+ esac
+done
+
+if [ -z "$icon" ] || [ -z "$dotdir" ] || [ -z "$text_file" ] || \
+ [ -z "$title" ]; then
+ echo "$0: usage error: missing parameter" >&2
+ exit 2
+fi
+
+if [ -e "${dotdir}/confirmed-binary-only" ]; then
+ run "$@"
+fi
+
+case $(echo "$DESKTOP_SESSION" | tr A-Z a-z) in
+ (kde)
+ pref=try_kdialog
+ ;;
+ (gnome)
+ pref=try_zenity
+ ;;
+ # easter egg for testing
+ (1990slinuxuser)
+ pref=try_xmessage
+ ;;
+ (*)
+ pref=false
+ ;;
+esac
+
+$pref "$@" || try_zenity "$@" || try_kdialog "$@" || try_xmessage "$@"
+
+exit 72 # EX_OSFILE
+
+# vim:set et sts=2 sw=2:
diff --git a/debian/control b/debian/control
index 4ee33da..18323bd 100644
--- a/debian/control
+++ b/debian/control
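Review bot: try_kdialog passes `--title "$TITLE"`, but the value parsed from `--title` is stored in lowercase `title`, so on KDE the warning dialog gets an empty title, or whatever an inherited `TITLE` environment variable happens to hold. The line should read `kdialog --title "$title" --warningcontinuecancel "$(cat "$text_file")" || \`. `set -e` alone does not catch an unset variable; `set -u` would, provided the later `$DESKTOP_SESSION` read becomes `${DESKTOP_SESSION:-}`. Separately, the `(--)` arm of the option loop only shifts, so option parsing continues into the wrapped command; `shift; break` would end it at the separator.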
@@ -150,6 +150,7 @@ Architecture: i386 Depends: ${misc:Depends}, quake4-bin | game-data-packager (>= 43), + x11-utils | zenity | kde-baseapps-bin, Suggests: quake4-pb-bin, Description: science-fiction-themed first person shooter @@ -206,6 +207,7 @@ Architecture: i386 Depends: ${misc:Depends}, etqw-bin | game-data-packager (>= 44), + x11-utils | zenity | kde-baseapps-bin, Suggests: etqw-pb-bin, Description: science-fiction-themed multiplayer first person shooter diff --git a/debian/etqw.install b/debian/etqw.install index 6b248d9..dde2faa 100644 --- a/debian/etqw.install +++ b/debian/etqw.install @@ -1,4 +1,6 @@ build/etqw usr/games +build/README.etqw-bin usr/lib/etqw README.etqw-data usr/lib/etqw need-data.sh usr/lib/etqw +confirm-binary-only.sh usr/lib/etqw etqw.desktop usr/share/applications diff --git a/debian/quake4.install b/debian/quake4.install index 19909b3..621bd4f 100644 --- a/debian/quake4.install +++ b/debian/quake4.install @@ -6,6 +6,8 @@ build/32/quake4*.png usr/share/icons/hicolor/32x32/apps build/48/quake4*.png usr/share/icons/hicolor/48x48/apps build/quake4 usr/games build/quake4*.svg usr/share/icons/hicolor/scalable/apps +build/README.quake4-bin usr/lib/quake4 README.quake4-data usr/lib/quake4 need-data.sh usr/lib/quake4 +confirm-binary-only.sh usr/lib/quake4 quake4.desktop usr/share/applications diff --git a/debian/rules b/debian/rules index 70cc344..ade9d70 100755 --- a/debian/rules +++ b/debian/rules @@ -3,6 +3,9 @@ %: dh $@ --parallel --with=systemd +override_dh_auto_build: + dh_auto_build -- distro=$(shell dpkg-vendor --query Vendor) + override_dh_installinit: dh_installinit -pquake4-server --noscripts dh_installinit -petqw-server --noscripts diff --git a/quake4.in b/quake4.in index bad7886..6454056 100644 --- a/quake4.in +++ b/quake4.in @@ -18,7 +18,10 @@ smpbinary="@smpbinary@" basegame="@basegame@" # required packages paks="@paks@" +# absolute path to icon +icon="@icon@" +dotdir="${HOME}/.${id}" pkglibdir="/usr/lib/${id}" help() { 
@@ -77,7 +80,9 @@ cvars="+set com_allowconsole 1" # Quake 4 expects to run in its installation directory cd "$pkglibdir" -# The SMP binary needs a modified bundled copy of SDL. +# The SMP binary needs a modified bundled copy of SDL. We don't set this +# environment variable until after going through confirm-binary-only.sh, +# so that we can't accidentally load sourceless binaries. set \ env LD_LIBRARY_PATH="${pkglibdir}${LD_LIBRARY_PATH:+":${LD_LIBRARY_PATH}"}" \ "$@" @@ -94,6 +99,15 @@ else shift fi -exec "$@" +if [ "${role}" = "client" ]; then + exec "${pkglibdir}/confirm-binary-only.sh" \ + --icon "${icon}" \ + --dotdir "${dotdir}" \ + --text-file "${pkglibdir}/README.${id}-bin" \ + --title "${longname}" \ + -- "$@" +else + exec "$@" +fi # vim:set sw=2 sts=2 et: -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/game-data-packager.git _______________________________________________ Pkg-games-commits mailing list Pkg-games-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits
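Review bot: In the `@@ -94,6 +99,15 @@` hunk the `else` branch still does a bare `exec "$@"`, so any role other than `client` starts the binary-only executable with no confirmation. Those roles are presumably the dedicated servers built from the same template, yet the new README names multiplayer on untrusted networks as the risky case. If skipping the prompt is deliberate because a service has nobody to ask, a comment above the branch would record that, e.g. `# Non-client roles run unattended, so there is nobody to prompt; they skip the confirmation.` `role` is assigned outside the hunk, so which values reach this branch cannot be checked from here.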