[dpkg] 127/192: doc: Add new rootless builds experimental draft specification
Ximin Luo
infinity0 at debian.org
Tue Oct 17 11:04:09 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch pu/reproducible_builds
in repository dpkg.
commit 11fce7c00e04a5b045ba733d574a304515f1321e
Author: Niels Thykier <niels at thykier.net>
Date: Sat Sep 16 15:54:18 2017 +0200
doc: Add new rootless builds experimental draft specification
[guillem at debian.org:
- Mark the spec as an experimental draft.
- Add new Background section.
- Rename Package-Creation-Requires-Root to Rules-Requires-Root.
- Rename dpkg/rules-requires-root to dpkg/target-subcommand.
- Add new dpkg/target/<target-name> keyword.
- Use dpkg-deb --build instead of dpkg --build.
- Fix DPKG_GAIN_ROOT_CMD invocation, and denote it as the one to use
instead of the alternative wrapper command.
- Rearrange sections and reflow text. ]
Signed-off-by: Guillem Jover <guillem at debian.org>
---
Makefile.am | 1 +
debian/changelog | 3 +
debian/dpkg-dev.docs | 1 +
doc/rootless-builds.txt | 161 ++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 166 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index c7d8f4e..5a77902 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -41,6 +41,7 @@ EXTRA_DIST = \
doc/coding-style.txt \
doc/frontend.txt \
doc/lcov-inject.pl \
+ doc/rootless-builds.txt \
doc/triggers.txt \
debian/changelog \
debian/compat \
diff --git a/debian/changelog b/debian/changelog
index c996a1c..196e239 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -91,6 +91,9 @@ dpkg (1.19.0) UNRELEASED; urgency=medium
- Clarify that sanitize options should not be used for production builds.
- Remove recommendation to use Pre-Depends for trigger directives from
deb-triggers(5). Closes: #864882
+ - Add new rootless build experimental draft specification.
+ Initial proposal by Niels Thykier <niels at thykier.net>, wording fixes
+ and spec clarifications by Guillem Jover <guillem at debian.org>.
* Code internals:
- Switch perl code to use -> operator for function variables.
- Switch perl code from split() with /\s+/ to ' '.
diff --git a/debian/dpkg-dev.docs b/debian/dpkg-dev.docs
index f432402..c141789 100644
--- a/debian/dpkg-dev.docs
+++ b/debian/dpkg-dev.docs
@@ -4,4 +4,5 @@ debian/usertags
doc/README.api
doc/README.feature-removal-schedule
doc/frontend.txt
+doc/rootless-builds.txt
doc/triggers.txt
diff --git a/doc/rootless-builds.txt b/doc/rootless-builds.txt
new file mode 100644
index 0000000..98e3877
--- /dev/null
+++ b/doc/rootless-builds.txt
@@ -0,0 +1,161 @@
+Supporting rootless builds
+==========================
+
+Status: draft, experimental
+
+Background
+----------
+
+Traditionally, Debian packages have required (fake)root privileges for some
+of the "debian/rules" targets. This has required also a split between build
+and binary targets; making the builds slower, due to the increased amount
+of invocations of "debian/rules" and the overhead of using fakeroot(1) or
+equivalent fake environments, or less secure due to the increased dangers
+of running under real root via sudo or equivalent.
+
+On this document when talking about "(fake)root" privileges, it will refer
+to any mechanism, supported by the dpkg-buildpackage "-r/--root-command"
+option, that can provide either a real or faked root user environment.
+
+Specification
+-------------
+
+We add a new field to the "Source" stanza of debian/control:
+
+ Rules-Requires-Root: no | binary-targets | <implementations-keywords>
+
+The values are defined as:
+
+ * If "no", then "debian/rules binary" will not require root at all (not even
+ fakeroot).
+ - If the "no" keyword is used, it MUST be the only keyword in that field
+ and MUST appear exactly once.
+
+ * If "binary-targets", then "debian/rules binary" (etc.) must always be run
+ under (fake)root. This is the default/status quo.
+
+ * <implementations-keywords> will be a space separated list of keywords which
+ define when root is required.
+
+ - Keywords consists of <namespace>/<cases>. The "namespace" part cannot
+ contain "/" or whitespace. The "cases" part cannot contain whitespace.
+ Furthermore, both parts MUST consist entirely of printable ASCII
+ characters.
+
+ - Each tool/package will define a namespace named after itself and provide
+ a number of cases where (fake)root is required.
+ (See also "Implementation provided keywords".)
+
+ - When "Rules-Requires-Root" is set to <implementations-keywords>, the
+ builder will expose an interface that is used to run a command under
+ (fake)root via the "Gain Root API". If the builder cannot provide such
+ a command, it MUST behave like "Rules-Requires-Root" was set to
+ "binary-targets", i.e. run "debian/rules binary" under (fake)root.
+
+It is always permissible for a builder to ignore this field and fall back to
+running the binary targets under (fake)root. This is to ensure backwards
+compatibility when builds are performed by legacy builders or older versions
+of the tooling.
+
+Tools called from the rules file MUST cope gracefully with being called under
+(fake)root even when Rules-Requires-Root is set to a value that implies they
+should not be (e.g. "no"). However, they MUST NOT attempt to run processes
+under (fake)root when run as a regular user when Rules-Requires-Root does
+not list any keywords they respond to.
+
+Tools MUST gracefully ignore valid unknown keywords outside their namespace.
+They MAY warn about unknown keywords inside their namespace.
+
+The value of this field MUST NOT change the content of the package in any
+way. Notably, packages that are bit-for-bit reproducible MUST still provide
+bit-for-bit identical results even when the field is ignored.
+
+Implementation provided keywords
+--------------------------------
+
+Keywords provided by various implementations:
+
+ * dpkg/target-subcommand: When the package needs to run a given command
+ under (fake)root within the "debian/rules" files directly, this MUST be
+ declared via this keyword.
+
+ * dpkg/target/<target-name>: When a specific "debian/rules" unofficial
+ target (none of the root-requiring "binary-indep", "binary-arch", "binary",
+ "clean", nor the non-root-requiring "build-indep", "build-arch", "build")
+ needs to be run under (fake)root, this MUST be declared via this dynamic
+ keyword, where <target-name> is the name of the "debian/rules" target.
+
+ * debhelper/upstream-make-install: The dh_auto_install command will run
+ the "install" target from the upstream's Makefile under (fake)root (for
+ the "makefile" build system or one derived from it).
+
+Gain Root API
+-------------
+
+The builder will provide a command to promote a given command to (fake)root
+by exposing it in the environment variable "DPKG_GAIN_ROOT_CMD". Tools that
+need this promotion will then use it like the following:
+
+ $DPKG_GAIN_ROOT_CMD cmd-that-needs-root ...
+
+This command is subject to the same requirements as the "gain-root-command"
+that dpkg-buildpackage accepts via its "-r/--root-command" option, which
+means that it can contain space-separated parameters. If dpkg-buildpackage is
+called with "-r/--root-command", then dpkg-buildpackage shall use that value
+as the value for DPKG_GAIN_ROOT_CMD.
+
+The variable SHOULD only be provided when there is a need for it. Notably
+when "Rules-Requires-Root" is either "no" or "binary-targets" the variable
+SHOULD NOT be defined.
+
+Common cases
+------------
+
+ * Upstream installation insists on "sudo make install"-like behaviour.
+ => Use dpkg/target-subcommand or debhelper/upstream-make-install.
+
+ * Files shipped in the package must be owned by another user than root.
+ => Not covered; use "binary-targets" for now until dpkg+debhelper
+ provides the required interface.
+
+Prototyping/preparation
+=======================
+
+dpkg side
+---------
+
+dpkg-deb --build must either default to resetting all owner/group values to
+0:0 when not run under (fake)root OR provide an interface so dh_builddeb can
+provide the owner/group value to dpkg-deb --build.
+
+dpkg-buildpackage must export DPKG_GAIN_ROOT_CMD (for starters, doing this
+unconditionally would be fine).
+
+
+debhelper side
+--------------
+
+When the field is present:
+
+ * dh_testroot will behave as usual when Rules-Requires-Root is not present
+ or set to "binary-targets".
+
+ * dh_testroot will be a no-op when Rules-Requires-Root is set to "no".
+
+ * Otherwise, dh_testroot will either verify that it is run under (fake)root
+ (as usual) OR assert that DPKG_GAIN_ROOT_CMD is defined.
+
+ * debhelper build systems will be patched to check for the
+ "debhelper/upstream-make-install" keyword and use the "Gain Root API"
+ accordingly.
+
+ * All other (src:)debhelper commands will skip their calls to chown
+ (currently they just reset them to "0:0" anyway).
+
+With the above, a default "dh $@" will no longer require (fake)root when
+built (and Rules-Requires-Root is "no").
+
+Prototyping:
+
+ * During prototyping, dh_builddeb can wrap the dpkg-deb --build call with
+ fakeroot (when not already root).
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
More information about the Reproducible-commits
mailing list