Pádraig Brady wrote:
> On 09/11/10 14:56, Mike Frysinger wrote:
>> On Sunday, November 07, 2010 08:57:22 Yaron Sheffer wrote:
>>> I still don't see the logic of not including capabilities in the
>>> "install" feature set. We could use chmod and chown separately, too. But
>>> still, setting owner/group and mode are a core functionality of this
>>> utility. Similarly, if we think that POSIX capabilities are important
>>> (see e.g. http://fedoraproject.org/wiki/Features/RemoveSETUID), we
>>> should make their use as easy and natural as possible. For me that means
>>> at the minimum support in install, tar (and derived packaging tools) and
>>> possibly ls.
>>
>> FWIW, it'd make my life easier as a distro maintainer as I wouldn't need to
>> force `setcap` on everyone ...
>> -mike
>
> Your experience in these matters certainly sways things.
> I'd like to understand fully though before proceeding.
>
> By forcing `setcap` on everyone, do you mean as a
> build time package dependency, or does gentoo &/or dpkg
> not support capabilities thus requiring it as an install time dep?
>
> If a package needs capabilities, is this dep really an issue?
>
> Could you expand on the failure modes you would expect.
> I presume if one asks for capabilities we should error if they weren't set.
> Would we need to verify like setcap -v?

I don't see any advantage to doing this via an install option.

However, there *are* good arguments for making it easy to set
capabilities via upstream Makefile.am rules.

To that end, you can define an AC_SUBST'd variable, SETCAP,
to "setcap" or say, "true" or "missing...", depending on whether a
configure-time test decides there is a capable setcap program.
Choose "true" if you want to ignore its absence.
Then use $(SETCAP) in the installation rules.

You could probably manage the existence check in the Makefile rule
itself, rather than in a configure check.

If install provided this option, you could arrange to do the
same thing via this:

  install $(CAP_OPTIONS_FOR_FOO) $(other_install_options) foo
  install $(CAP_OPTIONS_FOR_BAR) $(other_install_options) bar

but that isn't as clean.
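
The $(SETCAP) approach described in the reply above, as an added Makefile.am example that is not part of the original thread or of any project's build files: it sets the capability from an install hook and then checks it with setcap -v, the verification raised in the quoted question. The program name foo, the FOO_CAPS value and the configure.ac line shown in the comments are assumptions.

```make
# Makefile.am fragment (added example; "foo" and FOO_CAPS are hypothetical).
#
# Assumed configure.ac line that defines and AC_SUBSTs SETCAP, falling back
# to "true" when no setcap program is found on PATH:
#
#   AC_PATH_PROG([SETCAP], [setcap], [true])

bin_PROGRAMS = foo
foo_SOURCES = foo.c

# Capability set to place on the installed binary instead of a setuid bit.
FOO_CAPS = cap_net_raw+ep

# install-exec-hook runs after the programs in bin_PROGRAMS are installed.
# (Recipe lines below must start with a tab.)
install-exec-hook:
	@f='$(DESTDIR)$(bindir)/foo$(EXEEXT)'; \
	case '$(SETCAP)' in \
	  true) \
	    echo "setcap not found at configure time; $$f installed without capabilities" ;; \
	  *) \
	    echo "$(SETCAP) $(FOO_CAPS) $$f"; \
	    $(SETCAP) '$(FOO_CAPS)' "$$f" && \
	    $(SETCAP) -v '$(FOO_CAPS)' "$$f" ;; \
	esac
```

Setting file capabilities needs privilege, so a staged DESTDIR install run as an ordinary user fails at the hook unless it is invoked as `make install SETCAP=true`, in which case the packaging tool has to apply the capability at package install time.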