[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 32bit arch packages are built with wrong ownership due to fakeroot bug

Simon McVittie:
On Fri, 10 Feb 2023 at 03:18:16 +0100, Johannes Schauer Marin Rodrigues wrote:
Quoting Santiago Vila (2023-02-09 17:32:08)
- No intervention from individual maintainers is required for fixing this, as
we already have a binNMU mechanism which we already use for transitions.

Once fakeroot is fixed, binNMUs can be used to fix packages, yes. Without the
fakeroot fix in place, individual maintainers could do things to fix their
packages on the affected architectures but I do not think doing so is a good

There is one thing that maintainers can do to fix their packages on the
affected architectures that I think *might* be a good idea: if their
package builds correctly with Rules-Require-Root: no, they could add that
field, resulting in fakeroot not being used.



Packages that need static non-root ownership cannot do that at the moment using debhelper / dpkg. These are in turn the most likely packages to exhibit this problem that triggered this discussion.

For everything else, you can pretty much always migrate to "Rules-Requires-Root: no". It is "just" a question of:

 1) Stop the accidental root usage in d/rules. E.g., remove -o root
    -g root passed to install and left over chown calls.
 2) Convince the upstream build system to stop using root during
    installation in the rare cases they do that.

Example from sudo: https://salsa.debian.org/sudo-team/sudo/-/merge_requests/13/diffs?commit_id=fa2a3a3ce37eb356b79ce31838e8b415a7dc31d2

It is not very difficult to do. However, it does take human time and effort, which is a scares resource.

But the moment you see a non "root/root" line in the data.tar listing, it is checkmate and game-over. I think we may be able to provide better debian package tooling for the next release that can solve the static ownership problem, but not the human time/effort part.


Reply to: