Bug#835451: debian-policy: Building as root should be discouraged
On Wed, Aug 02, 2017 at 10:52:59AM -0400, Sean Whitton wrote:
> control: tag -1 -patch
>
> Hello again Santiago,
>
> Some of us here at DebCamp have been reading your message and we're
> still not sure of your intention.
>
> On Thu, Aug 25, 2016 at 09:41:26PM +0200, Santiago Vila wrote:
> > Debian Policy 4.9 says:
> >
> > For some packages, notably ones where the same source tree is compiled
> > in different ways to produce two binary packages, the build target
> > does not make much sense. For these packages it is good enough to
> > provide two (or more) targets (build-a and build-b or whatever) for
> > each of the ways of building the package, and a build target that does
> > nothing. The binary target will have to build the package in each of
> > the possible ways and make the binary package out of each.
> >
> > Actually, no, I don't think that's "good enough".
> >
> > We should better avoid building packages as root (including fakeroot).
>
> We already have in policy both:
>
> (i) The build target must not do anything that might require root
> privilege.
>
> (ii) The binary targets must be invoked as root [or fakeroot].
>
> However, in the paragraph you quoted, there is a loophole: if the
> build-a and build-b targets are not invoked by the build target, instead
> directly invoked by the binary target, then (i) does not apply, and
> indeed (ii) applies and they will be invoked as root.
>
> Is that why you want to delete that paragraph?

Yes, indeed!

There is some background in libtool Bug #806654. It was a really
strange build failure and it was not self-evident that the failure was
the result of building as root. In this particular case, the package
had only standard build-indep and build-arch targets, but it made me
read policy again and that's when I found out about the "good enough"
thing.

Thanks.
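
The loophole discussed in this thread, shown as an added debian/rules sketch that is not part of the original messages or of any real package. The flavour names, the --enable-flavour configure flag, the pkg-* package names, the stamp file paths and the uid guard are all assumptions made for illustration.

```make
#!/usr/bin/make -f
# Constructed debian/rules sketch. Flavour names, the --enable-flavour flag
# and the pkg-* package names are placeholders, not from any real package.
#
# Loophole form allowed by the quoted paragraph: "build" is empty and the
# binary target drives the compilation, so it all runs as root/fakeroot:
#
#     build:
#     binary: build-a build-b
#
# Form below: every compile step is reachable from build-arch, and the
# binary targets only consume the stamps that the unprivileged build left.

FLAVOURS := a b
STAMPS   := $(FLAVOURS:%=debian/stamp-build-%)

build: build-arch build-indep
build-arch: $(STAMPS)
build-indep:

debian/stamp-build-%:
	@# Assumed guard (not required by policy): fail loudly under root or fakeroot.
	@[ "$$(id -u)" -ne 0 ] || { echo "E: build-$* invoked as root" >&2; exit 1; }
	mkdir -p build-$*
	cd build-$* && ../configure --enable-flavour=$* && $(MAKE)
	touch $@

binary: binary-arch binary-indep
binary-arch: $(STAMPS)
	dh_testroot
	set -e; for f in $(FLAVOURS); do \
		$(MAKE) -C build-$$f install DESTDIR=$(CURDIR)/debian/pkg-$$f; \
	done
	dh_gencontrol
	dh_builddeb
binary-indep:

clean:
	rm -rf $(FLAVOURS:%=build-%) $(STAMPS)
	dh_clean

.PHONY: build build-arch build-indep binary binary-arch binary-indep clean
```

With this layout, running the binary target under fakeroot on a tree that was never built stops at the guard instead of compiling as root.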