
Re: 32bit arch packages are built with wrong ownership due to fakeroot bug



Simon McVittie:
> On Fri, 10 Feb 2023 at 03:18:16 +0100, Johannes Schauer Marin Rodrigues wrote:
>> Quoting Santiago Vila (2023-02-09 17:32:08)
>>> - No intervention from individual maintainers is required for fixing this, as
>>> we already have a binNMU mechanism which we already use for transitions.
>>
>> Once fakeroot is fixed, binNMUs can be used to fix packages, yes. Without the
>> fakeroot fix in place, individual maintainers could do things to fix their
>> packages on the affected architectures but I do not think doing so is a good
>> idea.
>
> There is one thing that maintainers can do to fix their packages on the
> affected architectures that I think *might* be a good idea: if their
> package builds correctly with Rules-Requires-Root: no, they could add that
> field, resulting in fakeroot not being used.
>
> [...]
>
>      smcv


Packages that need static non-root ownership cannot do that at the moment using debhelper / dpkg. These are in turn the most likely packages to exhibit this problem that triggered this discussion.

For everything else, you can pretty much always migrate to "Rules-Requires-Root: no". It is "just" a question of:

 1) Stop the accidental root usage in d/rules. E.g., remove -o root
    -g root passed to install and leftover chown calls.
 2) Convince the upstream build system to stop using root during
    installation in the rare cases they do that.

Example from sudo: https://salsa.debian.org/sudo-team/sudo/-/merge_requests/13/diffs?commit_id=fa2a3a3ce37eb356b79ce31838e8b415a7dc31d2

It is not very difficult to do. However, it does take human time and effort, which is a scarce resource.


But the moment you see a non "root/root" line in the data.tar listing, it is checkmate and game-over. I think we may be able to provide better debian package tooling for the next release that can solve the static ownership problem, but not the human time/effort part.

Thanks,
~Niels
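
An added example, not part of the original message or of any Debian tooling: one way to look for the non-"root/root" entries mentioned above in a package's data.tar, read from the output of `dpkg-deb --fsys-tarfile`. The function names and the sample archive are constructed for illustration.

```python
import io
import sys
import tarfile


def non_root_members(tar_stream):
    """Yield (path, owner) for every member that is not owned by root/root."""
    # "r|*" reads a non-seekable stream (a pipe) and detects compression.
    with tarfile.open(fileobj=tar_stream, mode="r|*") as tar:
        for m in tar:
            # Check numeric ids and names: either can carry the wrong owner.
            names_ok = (m.uname or "root") == "root" and (m.gname or "root") == "root"
            if m.uid != 0 or m.gid != 0 or not names_ok:
                yield m.name, f"{m.uname or m.uid}/{m.gname or m.gid}"


def _constructed_sample():
    """Build a small in-memory data.tar (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid, uname, gname in [
            ("./usr/bin/example", 0, 0, "root", "root"),
            ("./var/lib/example/state", 1000, 1000, "builder", "builder"),
            ("./usr/share/doc/example/README", 0, 0, "root", "root"),
        ]:
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: dpkg-deb --fsys-tarfile pkg.deb | python3 check_owner.py
    # With nothing piped on stdin, fall back to the constructed sample.
    src = _constructed_sample() if sys.stdin.isatty() else sys.stdin.buffer
    bad = list(non_root_members(src))
    for path, owner in bad:
        print(f"{owner}\t{path}")
    sys.exit(1 if bad else 0)
```

A hit does not by itself distinguish a mis-built package from one that ships static non-root ownership on purpose; comparing against the same package built on an unaffected architecture separates the two.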

