Hi We would like to propose a change in default for `dpkg`, which will enable `rootless` by default (changing it from "opt-in" to "opt-out"). This would be a considerable milestone bringing us to into 90-99% territory of removing the need for root (`fakeroot` or otherwise) in the Debian packaging stack.
While my long term goal is the complete removal of `fakeroot` as a mandatory piece in our packaging stack, it is *not* the goal of this MBF. For this MBF, the focus is on removing blockers to switching the default rather than removing use of `fakeroot` in general. This is also why one the solutions we propose to the "busy maintainer" is an "opt-out" rather than "fix the root cause". # The quick summary * About 10000 packages build successfully with this change. * About 225 bugs (~2%) would be filed at severity important due to problems detected with these changes. * About 650 packages (~6.5%) had an unrelated FTBFS in sid when the test where done that could hide other failures. * Four packages could not build on the test infrastructure. * Two packages were identified to misbuild. These already have bugs filed (one misbuild without the change due to a bug in packaging; the other will misbuild with the change). # The bug template used Severity: important User: [email protected] Usertags: rrr-no-as-default-issue Dear maintainer, During a test rebuild for building packages "Rules-Requires-Root: no" as the default in `dpkg`, {{ src.name }} failed to rebuild. Log Summary: ------------------------------------------------------------------------------- [...] {{ log_snippet }} ------------------------------------------------------------------------------- The above is just how the build ends and not necessarily the mostrelevant part. If required, the full build log is available here (for the next 30
days):https://people.debian.org/~nthykier/rrr-no-as-default/logs/{{ build.log_artifact_id }}.gz
You can find common solutions at https://people.debian.org/~nthykier/rrr-no-as-default/docs/solutions.md If this is really a bug in one of the build-depends, please use reassign and affects, so that this is still visible in the BTS web page for this package. If this package is listed in https://people.debian.org/~nthykier/rrr-no-as-default/docs/static-ownership.list, then please just set `Rules-Requires-Root: binary-targets` to the source stanza of `debian/control` as a fix to this bug. If this package is listed in https://people.debian.org/~nthykier/rrr-no-as-default/docs/maybe-misbuilds.list,then the package was deemed at risk for misbuilding (having wrong ownership) but had a FTBFS problem we tested it. Please test whether the package works with `Rules-Requires-Root: no` validating that the resulting deb has the correct ownership for all paths in the deb.
Thanks,
# Affected packages
We have sorted the affected packages into the following groups:
1) Packages with static non-`root:root` ownership. These will
generally need a `Rules-Requires-Root: binary-targets` for now, and
then they are done.
2) Packages that do not have any non-`root:root` ownership. These can
often be converted to `Rules-Requires-Root: no` with a bit of
tweaking (see attached solutions.md). However, in a pinch, you can
just set `Rules-Requires-Root: binary-targets` to get off the list
of blockers and come back to it later.
3) Packages that were deemed at risk of misbuilding in a manual review,
but FTBFS for an unrelated reason when we did the test rebuild.
The "all-affected.dd-list" and "all-affected.list" contains packages
from all groups and defines the list of packages that we will file
bugs against. The "static-ownership.dd-list" (and
"static-ownership.list") only contains the packages with static
non-`root:root` ownership.
The packages in "static-ownership.list" should just be uploaded with `Rules-Requires-Root: binary-targets` added to the source stanza of `debian/control`. For all other packages, it should be possible to convert it to use `Rules-Requires-Root: no` if the maintainer has the capacity to do so. See solutions.md for common issues and how to solve them.Finally, the packages in the "maybe-builds.dd-list" and "maybe-misbuilds.list" are the packages in group 3. We are filing a bug against these packages as a precaution rather than a confirmed problem. See "Findings of manual review" below for details.
# Background, context, and other details
This section is for people that want more details on what we are doing,
why I am pushing for it, the testing method using, etc. You can skip
this if you are already convinced.
## Motivation for the change
Changing the default is a major undertaking and the change should have
long term benefits that should outweigh the short term costs. To that
effect, my motivation for removing `fakeroot` is that the tool is a
fragile liability that costs us unnecessary complexity and resources.
* Assembling debian packages should not require `root` in the first
place. What we need is to assemble some archives with correct
metadata; nothing more. This is possible to do with userspace tools
as a normal user and for over 99% of the archive, `dpkg-deb` can
now this without needing `fakeroot`.
- Reminder: While my argument is for the 100% case, this MBF is
aimed at optimizing for the common case rather than the 1% case.
* Like many other `LD_PRELOAD` hacks, `fakeroot` plays a game of
whack-a-mole to intercept all the library calls relevant for its
task. When it loses the whack-a-mole game, we end up with silent
misbuilds, where installing the deb package potentially becomes
a security issue since "random" paths on the system is now owned
by a non-root user. The wrong file/dir with incorrect ownership
is a freebie "local-user to root" security bug.
A recent example being #1023286 which caused -dbgsym packages to
have a directory owned by a non-root user. The `fakeroot` fix
was then blocked for months due to FTBFS on mipsel (#1024544).
The primary reason why this was such a small issue where:
1) Wide-spread use of `Rules-Requires-Root: no` to limit which
packages could be affected (about 50% of the archive had
migrated away from `fakeroot`).
2) A quick fix to `debhelper` to remove the reliance on
`fakeroot` when assembling `-dbgsym` packages.
* The use of the `fakeroot` tool is not transparent even when
it fails to intercept critical library calls:
- #534879 (chmod race with tcp engine from 2009; unfixed)
- #606064 (segfault in i386 chroot on amd64 host)
- #948522 (`file` with sandbox enabled broke under `fakeroot`)
- #239057 (setgid directories are not correctly emulated)
- #799858 (SELinux labels are not initialized properly)
- #802612 (fakeroot fails in user namespaces)
This a small curated list of some of the open issues we have had
with fakeroot in the Debian bug tracker. These are basically
technical debt plus upkeep to have `fakeroot` match the changing
Linux landscape.
These are my primary arguments for us moving away from `fakeroot` in
general. With this MBF, we would change the default to "no fakeroot"
rather than "with fakeroot".
Note, despite my arguments against `fakeroot`, its maintainers
have my respect and sympathy. The tool has been instrumental
to Debian being where it is today (this is our version of the
Python's GIL problem), and `fakeroot` cannot have been easy
to maintain.
## Cost of the change / Key results
217 packages will FTBFS with the change. 2 will misbuild (bugs already
filed for these) and 10078 will "just work(tm)".
645 packages failed during the build testing for unrelated reasons
(including OOM on the build host).
Note that `debftbfs` (devscripts) identified existing FTBFS bugs for
422 packages in the "to be tested set".
## What happens after the bugs are fixed and the default is changed?
The endgame (from the Motivation part) is migrating all packages away
from `Rules-Requires-Root: binary-targets`. There will be two fronts
to work on:
* Packages with all `root/root` ownerships in their debs that would
need its root cause fixed, so they can build without `fakeroot`
(this is usually removing unnecessary chown'ing).
* Packages with static non-`root/root` ownerships in their debs.
There is no rootless workflow for these with `dpkg-deb` supported
features.
Note: Packages will still be able to Build-Depends on `fakeroot`,
which might be relevant for running some testsuites (etc.). This
targeted use of `fakeroot` is a lot more palatable, since it
reduces the scope for problems and makes us immune to wrong
ownership problems.
## Method and failure modes
This section is only relevant if you are curious about how we found
these packages, or you are concerned we missed something. If you agree
with the premise and just want to fix your packages, feel free to skip
this section.
While planning this default change, Guillem and I considered different
possible failure scenarios for how changing the default could
break. Based on our thoughts on this topic, we devised a testing plan
to identify these potential problems and how to resolve them.
### Failure modes
We identified the following likely outcomes of building a package
without root despite it not opting into `Rules-Requires-Root: no`:
1) Successful build. This is the most common case due to widespread
use of `dh` and its ability to enable rootless builds
automatically when available.
2) FTBFS. Any manual `chown`'ing (or `install -o/-g`) will generally
cause the build to fail, since both requires root user privileges.
Any legacy `checkroot` targets will also fall into this, since
they check the current user is root and abort otherwise. Though,
it is important to note here that `dh_testroot` does not fail here
(since it expects the `debhelper` stack to react accordingly).
3) Silent misbuild. Basically, anything in group 2) where the error
code of the command/systemcall is ignored leading to a
"successful" build as far as exit code goes, but incorrect content
in the package.
This comes in two subgroups:
a) Non-root owned paths in the package.
b) All `root:root` owned paths in the package, when at least
one path should have been non-`root:root` (like `root:bin`)
The primary concern here was the "Silent misbuild", since they would
go unnoticed in a mass-rebuild and likely hide among successful
builds.
### Risky packages
Secondly, we looked at which kind of packages were most likely to have
this kind of failure. These are grouped:
pg1) Packages with no standardized build system (The `other` on
trends.d.n). We considered this group to be very likely to have
problems with misbuilds if that would occur at all.
pg2) Packages with non-`root:root` static ownership.
We considered this group to be possible to have problems, since
one way of implementing static ownership is letting upstream's
build system do the `chown`'ing and then doing `dh_fixperms -X` to
keep the special ownership/mode. If the upstream build system
ignores errors, this style could cause a problem.
pg3) Packages using `classic debhelper`. These were originally
classified as unlikely. However, a codesearch.d.n on `dpkg(-deb)`
in `debian/rules` usage was done in the end just to be safe.
pg4) Packages using `cdbs` or `dh`. These have been assumed to be fine.
In theory, they can be made unsafe, but the maintainer would have
to go out of their way to replace the `dh_builddeb` with
`dpkg-deb --build`. Though, obvious uses of that command would
have been caught be the codesearch done as part of `pg3)`.
All the packages in `pg1)` plus `pg2)` plus the packages matched by the
codesearch listed in `pg3)` were manually reviewed for failure modes.
Note that the codesearch is not flawless, since packages can include
their packaging from other files in the `debian` directory. When the
included file does not start with `debian/rules` (such as
`include debian/implicit`), then the codesearch will have missed its
contents.
### Findings of manual review
Two cases of "successful misbuilds" have been identified:
* libjama (#1086841). This is from the `other` build system list.
* binutils-mipsen (#1082298). This was mentioned by (I think) Helmut
during our analysis discussions in #dpkg-devel and not found
directly. Note this one is technically a "false-positive", since
the package already has `Rules-Requires-Root: no` (that is, this
is bug is not about the default changing, but an uploader applying
`Rules-Requires-Root: no` without confirming it worked correctly)
Additionally, the following packages were found to be suspected of
silent misbuilds, but failed for unrelated reasons in our build
testing:
* cross-toolchain-base{,-mipsen,-ports}
* gcc-*-cross{,-mipsen,-ports}
Their packaging is non-trivial and was not fully analyzed, so they may
be safe. One of these groups chains into a `dpkg-buildpackage` (as in
`debian/rules` calls `dpkg-buildpackage` and the other group seems to
manually pack or repack debs via `dpkg-deb`. This was deemed too unusual
to spend the non-trivial effort to analyze fully given they could not be
build in the test infrastructure for unrelated reasons.
### What was rebuild on debusine.d.n
When we did the rebuild, the following packages were rebuild:
1) All packages from pg1
2) All packages from pg2
3) All packages tagged by `lintian` with
`silent-on-rules-requiring-root`
The first two groups were rebuilt mostly confirm the manual review and
to validate the rebuild setup. This also weeded out a few
false-positives in the manual review.
All the builds was done on arm64 (it had more capacity available).
### The modified dpkg
The rebuild was done with `dpkg` from this branch
https://git.hadrons.org/cgit/debian/dpkg/dpkg.git/commit/?h=next/rrr-default-no
(HEAD being 82cafddd936946b88f67b1e76601b04ca8a81586 with a `gbp dch -S`
on top)
### Full build results
A total of 10940 source packages were rebuild.
* 10078 build successful.
- Of these, 2 misbuild successfully (both noted above)
* 862 failures
- Of these 217 failed with an error related to this change
- The remaining failed for other reasons (including running
out of memory on the host, etc.)
The `check-logs` script (attached) has the regexes used for classifying
the logs for the curious.
# Thanks
Thanks to the Debusine team for providing the test infrastructure.
Thanks to Stefano for his rebuild tooling stack, which easily saved me a
week of work.
Thanks to Helmut for making us aware of Debusine being able to help with this purpose and helping with discussions in #dpkg-devel.
Best regards, Guillem and Niels
Cross Toolchain Base Team <[email protected]> cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports Debian GCC Maintainers <[email protected]> gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports Dimitri John Ledkov <[email protected]> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) Matthias Klose <[email protected]> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) gcc-11-cross (U) gcc-11-cross-mipsen (U) gcc-11-cross-ports (U) gcc-12-cross (U) gcc-12-cross-ports (U) gcc-13-cross (U) gcc-13-cross-ports (U) gcc-14-cross (U) gcc-14-cross-ports (U) YunQiang Su <[email protected]> cross-toolchain-base-mipsen (U) gcc-11-cross-mipsen (U) gcc-12-cross-mipsen (U) gcc-13-cross-mipsen (U) gcc-14-cross-mipsen (U)
cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports
A Mennucc1 <[email protected]> debdelta Adam Majer <[email protected]> lpr Alberto Fuentes <[email protected]> animals Alberto Gonzalez Iniesta <[email protected]> modsecurity-apache tripwire Alen Zekulic <[email protected]> the Alex Myczko <[email protected]> bchunk (U) Alexander Zangerl <[email protected]> exmh glimpse intel2gas nmh Alexandre Dantas <[email protected]> snake4 xbomb Alexandre Detiste <[email protected]> angband (U) Alexandre Raymond <[email protected]> restartd Andre Noll <[email protected]> liblopsub Andreas Barth <[email protected]> mgetty Andreas Franzen <[email protected]> wzip Andree Leidenfrost <[email protected]> petris Andrej Shadura <[email protected]> 9mount Andrius Merkys <[email protected]> epics-base (U) Anibal Monsalve Salazar <[email protected]> liblockfile (U) nfs4-acl-tools xfsdump (U) Ansgar Burchardt <[email protected]> freesweep (U) Antoine Le Gonidec <[email protected]> mono Anton Gladky <[email protected]> freeimage (U) Anton Zinoviev <[email protected]> fortunes-bg Arne Wichmann <[email protected]> xpat2 Axel Beckert <[email protected]> blosxom (U) Barry deFreese <[email protected]> ketm (U) Ben Armstrong <[email protected]> xletters (U) Benda Xu <[email protected]> quickml Benjamin Mako Hill <[email protected]> most Boyuan Yang <[email protected]> taglib (U) Bradley A. Bosch <[email protected]> id-utils Brandon Barnes <[email protected]> komi Brian Pellin <[email protected]> genders Charles Plessy <[email protected]> umegaya Chris Carr <[email protected]> angband (U) Chris Taylor <[email protected]> iptstate Christian T. Steigies <[email protected]> bugsquish gemdropx madbomber Christoph Biedl <[email protected]> pptp-linux schroot Christoph Haas <[email protected]> oggfwd (U) Christoph Martin <[email protected]> postfixadmin (U) ClamAV Team <[email protected]> tomsfastmath Clint Byrum <[email protected]> mysql-8.0 (U) Craig Small <[email protected]> wordpress Cross Toolchain Base Team <[email protected]> cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports Cédric Boutillier <[email protected]> ruby-soap4r (U) David Bremner <[email protected]> gitolite3 nullmailer Davide G. M. Salvetti <[email protected]> statnews witalian Debian EFI team <[email protected]> shim shim-helpers-arm64-signed Debian Electronics Packaging Team <[email protected]> sdcc Debian FreeIPA Team <[email protected]> freeipa libmozilla-ldap-perl Debian Games Team <[email protected]> angband freesweep ketm slashem supertransball2 xletters Debian GCC Maintainers <[email protected]> gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports Debian HA Maintainers <[email protected]> heartbeat Debian Hamradio Maintainers <[email protected]> z8530-utils2 Debian HPC Team <[email protected]> slurm-wlm Debian Multimedia Maintainers <[email protected]> taglib Debian MySQL Maintainers <[email protected]> mysql-8.0 Debian Perl Group <[email protected]> libdevel-callparser-perl libinline-java-perl libmarpa-r2-perl libperlx-maybe-xs-perl libtrycatch-perl libuniversal-ref-perl Debian QA Group <[email protected]> dbview gcpegg ipsvd libdigest-whirlpool-perl libranlip ns2 nslint omega-rpg pppconfig sendmail ssmtp stfl suck sup swedish tetrinetx Debian rsbackup maintainers <[email protected]> rsbackup Debian Ruby Team <[email protected]> ruby-soap4r Debian Science Maintainers <[email protected]> auto-07p epics-base freeimage Debian Security Tools <[email protected]> samdump2 Debian Tcl/Tk Packagers <[email protected]> itcl3 Debian VoIP Team <[email protected]> homer-api Debian X Strike Force <[email protected]> xorg xserver-xorg-video-qxl Dimitri John Ledkov <[email protected]> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) Dmitry E. Oboukhov <[email protected]> libdata-streamdeserializer-perl libdata-streamserializer-perl Dominic Hargreaves <[email protected]> ircd-hybrid openguides Drew Parsons <[email protected]> mirrormagic Eduard Bloch <[email protected]> durep Emil Mikulic <[email protected]> darkstat (U) Erik Schanze <[email protected]> mpgtx Erinn Clark <[email protected]> icheck Ervin Hegedus <[email protected]> modsecurity-apache (U) Florian Roscher <[email protected]> dlint Francisco Manuel Garcia Claramonte <[email protected]> tiger (U) Frederic Peters <[email protected]> lasso Fredrik Hallenberg <[email protected]> xcolors Gaudenz Steinlin <[email protected]> postfixadmin (U) Gennaro Oliva <[email protected]> slurm-wlm (U) Ghislain Antony Vaillant <[email protected]> freeimage (U) Gilmar dos Reis Queiroz <[email protected]> phpwebcounter Giuseppe Sacco <[email protected]> hylafax Gleydson Mazioli da Silva <[email protected]> focalinux Gudjon I. Gudjonsson <[email protected]> sdcc (U) Guido Günther <[email protected]> libpam-ccreds wmwave Hakan Ardo <[email protected]> ftpwatch libcompface xfaces Hector Romojaro <[email protected]> tdom (U) Holger Levsen <[email protected]> tuxtype Håkon Nessjøen <[email protected]> mactelnet Ian Jackson <[email protected]> chiark-utils sauce vm xfonts-traditional Jaime Robles <[email protected]> z8530-utils2 (U) Jakob Haufe <[email protected]> schroot (U) James Bromberger <[email protected]> i810switch James Damour (Suvarov454) <[email protected]> filler James Page <[email protected]> mysql-8.0 (U) Jan Dittberner <[email protected]> sniproxy Javier Fernandez-Sanguino Pen~a <[email protected]> libpam-chroot Javier Fernandez-Sanguino Peña <[email protected]> compartment Javier Fernández-Sanguino Peña <[email protected]> checksecurity Javier Fernández-Sanguino Peña <[email protected]> netselect openuniverse tiger Jeff Epler <[email protected]> mesaflash (U) Jeremy Bicha <[email protected]> murrine-themes (U) Joachim Wiedorn <[email protected]> hylafax (U) Joachim Zobel <[email protected]> gap-nq John Goerzen <[email protected]> netmaze John Paul Adrian Glaubitz <[email protected]> gkrellm2-cpufreq Jonas Smedegaard <[email protected]> libdevel-callparser-perl (U) libinline-java-perl (U) libmarpa-r2-perl (U) libperlx-maybe-xs-perl (U) libtrycatch-perl (U) libuniversal-ref-perl (U) poppass-cgi rmagic Jonathan McDowell <[email protected]> sdcc (U) Jose G. López <[email protected]> phalanx scid Jose M Calhariz <[email protected]> amanda Josip Rodin <[email protected]> joe Juan Cespedes <[email protected]> linux86 Junichi Uekawa <[email protected]> binfmtc dsh Jörg Frings-Fürst <[email protected]> cil Kari Pahula <[email protected]> crossfire Ken McDonell <[email protected]> pcp (U) Kevin Zambrano <[email protected]> falselogin Kilian Krause <[email protected]> ircd-irc2 (U) Konstantin S. Vishnivetsky <[email protected]> homer-api (U) Kumar Appaiah <[email protected]> logapp taggrepper Kurt Roeckx <[email protected]> ircd-irc2 Lars Tangvald <[email protected]> mysql-8.0 (U) Laszlo Boszormenyi (GCS) <[email protected]> sidplay-libs Lena Voytek <[email protected]> mysql-8.0 (U) Linaro Packagers <[email protected]> rt-app LinuxCNC Developers <[email protected]> mesaflash Ludovic Drolez <[email protected]> swish-e Magnus Holmgren <[email protected]> libspf2 uw-imap Manoj Srivastava <[email protected]> dist mailagent ucf wm-icons Marcin Owsiany <[email protected]> bambam Marcio de Souza Oliveira <[email protected]> ethstatus Marcos Fouces <[email protected]> ganglia-web Mark Brown <[email protected]> clc-intercal ftnchek tua xemacs21 Markus Koschany <[email protected]> supertransball2 (U) Martin A. Godisch <[email protected]> lrzsz pachi rockdodger Martin Quinson <[email protected]> flexml Martin Zobel-Helas <[email protected]> tcptraceroute Mateusz Łukasik <[email protected]> udevil Mats Erik Andersson <[email protected]> durep (U) Matthew Vernon <[email protected]> bible-kjv rsbackup (U) Matthias Klose <[email protected]> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) gcc-11-cross (U) gcc-11-cross-mipsen (U) gcc-11-cross-ports (U) gcc-12-cross (U) gcc-12-cross-ports (U) gcc-13-cross (U) gcc-13-cross-ports (U) gcc-14-cross (U) gcc-14-cross-ports (U) pillow Mattias Ellert <[email protected]> gridsite Maximiliano Curia <[email protected]> backup-manager Mehdi Dogguy <[email protected]> slurm-wlm (U) Michael Grünewald <[email protected]> bsdowl Michael Meskes <[email protected]> memstat Michael Prokop <[email protected]> physlock Michael Stone <[email protected]> argus Miquel van Smoorenburg <[email protected]> liblockfile Miriam Ruiz <[email protected]> xmlindent Moritz Muehlenhoff <[email protected]> leafnode slrn Nathan Scott <[email protected]> pcp (U) xfsdump Neil Roeth <[email protected]> openjade Neutron Soutmun <[email protected]> xiterm+thai Nicolas Schier <[email protected]> sleepenh Nobuhiro Iwamatsu <[email protected]> dv4l Norbert Tretkowski <[email protected]> mysql-8.0 (U) Norbert Veber <[email protected]> rig Norman Messtorff <[email protected]> postfixadmin Patrick Ouellette <[email protected]> z8530-utils2 (U) PCP Development Team <[email protected]> pcp Peter S Galbraith <[email protected]> xcolmix xplot xwatch Petr Čech <[email protected]> ispell-czech Petter Reinholdtsen <[email protected]> wp2x Phil Brooke <[email protected]> moria searchandrescue searchandrescue-data Picca Frédéric-Emmanuel <[email protected]> epics-base (U) Praveen Arimbrathodiyil <[email protected]> bchunk Raphaël Hertzog <[email protected]> samdump2 (U) Rene Mayorga <[email protected]> darkstat Rhonda D'Vine <[email protected]> blosxom gitolite3 (U) rungetty RISKO Gergely <[email protected]> bombardier Ritesh Raj Sarraf <[email protected]> dict-gcide mergerfs Rob Browning <[email protected]> lockfile-progs Robie Basak <[email protected]> mysql-8.0 (U) Rodrigo Carvalho <[email protected]> vtun Roger Shimizu <[email protected]> wide-dhcpv6 Roland Mas <[email protected]> epics-base (U) Ryan Kavanagh <[email protected]> opensmtpd-filter-dkimsign Rémi Palancher <[email protected]> slurm-wlm (U) Sam Hocevar (Debian packages) <[email protected]> beav Santiago García Mantiñán <[email protected]> bridge-utils Sebastian Andrzej Siewior <[email protected]> tomsfastmath (U) Sebastian Kuzminsky <[email protected]> mesaflash (U) Sergei Golovan <[email protected]> itcl3 (U) Sergey B Kirpichev <[email protected]> auto-07p (U) Simon Kelley <[email protected]> dhcp-helper Stefan Sobernig <[email protected]> tdom (U) xotcl (U) Stefan Völkel <[email protected]> dtach Steinar H. Gunderson <[email protected]> bmusb cubemap Stephen Gelman <[email protected]> checkinstall Steve Kowalik <[email protected]> xringd Steve Langasek <[email protected]> shim (U) Steve McIntyre <[email protected]> shim (U) Steve Meliza <[email protected]> avr-libc Takuo Kitame <[email protected]> stone TANIGUCHI Takaki <[email protected]> haci Tcl/Tk Debian Packagers <[email protected]> tdom xotcl Thorsten Alteholz <[email protected]> astronomical-almanac setserial texify Timo Aaltonen <[email protected]> freeipa (U) libmozilla-ldap-perl (U) Tollef Fog Heen <[email protected]> pam-tmpdir Tomas Pospisek <[email protected]> mailsync tony mancill <[email protected]> genders (U) Valentin Vidic <[email protected]> heartbeat (U) Victor Seva <[email protected]> homer-api (U) Vincent Cheng <[email protected]> slashem (U) Wookey <[email protected]> rt-app (U) Wouter Verhelst <[email protected]> extrepo logtool sreview Ying-Chun Liu (PaulLiu) <[email protected]> oggfwd YunQiang Su <[email protected]> binutils-mipsen cross-toolchain-base-mipsen (U) gcc-11-cross-mipsen (U) gcc-12-cross-mipsen (U) gcc-13-cross-mipsen (U) gcc-14-cross-mipsen (U) Yves-Alexis Perez <[email protected]> murrine-themes
9mount amanda angband animals argus astronomical-almanac auto-07p avr-libc backup-manager bambam bchunk beav bible-kjv binfmtc binutils-mipsen blosxom bmusb bombardier bridge-utils bsdowl bugsquish checkinstall checksecurity chiark-utils cil clc-intercal compartment crossfire cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports cubemap darkstat dbview debdelta dhcp-helper dict-gcide dist dlint dsh dtach durep dv4l epics-base ethstatus exmh extrepo falselogin filler flexml focalinux fortunes-bg freeimage freeipa freesweep ftnchek ftpwatch ganglia-web gap-nq gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports gcpegg gemdropx genders gitolite3 gkrellm2-cpufreq glimpse gridsite haci heartbeat homer-api hylafax i810switch icheck id-utils intel2gas ipsvd iptstate ircd-hybrid ircd-irc2 ispell-czech itcl3 joe ketm komi lasso leafnode libcompface libdata-streamdeserializer-perl libdata-streamserializer-perl libdevel-callparser-perl libdigest-whirlpool-perl libinline-java-perl liblockfile liblopsub libmarpa-r2-perl libmozilla-ldap-perl libpam-ccreds libpam-chroot libperlx-maybe-xs-perl libranlip libspf2 libtrycatch-perl libuniversal-ref-perl linux86 lockfile-progs logapp logtool lpr lrzsz mactelnet madbomber mailagent mailsync memstat mergerfs mesaflash mgetty mirrormagic modsecurity-apache mono moria most mpgtx murrine-themes mysql-8.0 netmaze netselect nfs4-acl-tools nmh ns2 nslint nullmailer oggfwd omega-rpg openguides openjade opensmtpd-filter-dkimsign openuniverse pachi pam-tmpdir pcp petris phalanx phpwebcounter physlock pillow poppass-cgi postfixadmin pppconfig pptp-linux quickml restartd rig rmagic rockdodger rsbackup rt-app ruby-soap4r rungetty samdump2 sauce schroot scid sdcc searchandrescue searchandrescue-data sendmail setserial shim shim-helpers-arm64-signed sidplay-libs slashem sleepenh slrn slurm-wlm snake4 sniproxy sreview ssmtp statnews stfl stone suck sup supertransball2 swedish swish-e taggrepper taglib tcptraceroute tdom tetrinetx texify the tiger tomsfastmath tripwire tua tuxtype ucf udevil umegaya uw-imap vm vtun wide-dhcpv6 witalian wm-icons wmwave wordpress wp2x wzip xbomb xcolmix xcolors xemacs21 xfaces xfonts-traditional xfsdump xiterm+thai xletters xmlindent xorg xotcl xpat2 xplot xringd xserver-xorg-video-qxl xwatch z8530-utils2
Adam Majer <[email protected]> lpr Alberto Fuentes <[email protected]> animals Alberto Gonzalez Iniesta <[email protected]> modsecurity-apache Alexandre Dantas <[email protected]> snake4 xbomb Andree Leidenfrost <[email protected]> petris Anibal Monsalve Salazar <[email protected]> liblockfile (U) Ansgar Burchardt <[email protected]> freesweep (U) Arne Wichmann <[email protected]> xpat2 Ben Armstrong <[email protected]> xletters (U) Benda Xu <[email protected]> quickml Charles Plessy <[email protected]> umegaya Christoph Martin <[email protected]> postfixadmin (U) Craig Small <[email protected]> wordpress David Bremner <[email protected]> nullmailer Debian Games Team <[email protected]> freesweep slashem xletters Debian QA Group <[email protected]> omega-rpg sendmail ssmtp suck tetrinetx Debian VoIP Team <[email protected]> homer-api Dominic Hargreaves <[email protected]> ircd-hybrid openguides Drew Parsons <[email protected]> mirrormagic Ervin Hegedus <[email protected]> modsecurity-apache (U) Gaudenz Steinlin <[email protected]> postfixadmin (U) Gilmar dos Reis Queiroz <[email protected]> phpwebcounter Giuseppe Sacco <[email protected]> hylafax Ian Jackson <[email protected]> sauce James Bromberger <[email protected]> i810switch Javier Fernández-Sanguino Peña <[email protected]> openuniverse Joachim Wiedorn <[email protected]> hylafax (U) Jose G. López <[email protected]> phalanx Jose M Calhariz <[email protected]> amanda Kari Pahula <[email protected]> crossfire Kilian Krause <[email protected]> ircd-irc2 (U) Konstantin S. Vishnivetsky <[email protected]> homer-api (U) Kurt Roeckx <[email protected]> ircd-irc2 Magnus Holmgren <[email protected]> uw-imap Mark Brown <[email protected]> xemacs21 Martin A. Godisch <[email protected]> pachi rockdodger Mattias Ellert <[email protected]> gridsite Michael Stone <[email protected]> argus Miquel van Smoorenburg <[email protected]> liblockfile Neutron Soutmun <[email protected]> xiterm+thai Norman Messtorff <[email protected]> postfixadmin Phil Brooke <[email protected]> moria RISKO Gergely <[email protected]> bombardier Rob Browning <[email protected]> lockfile-progs TANIGUCHI Takaki <[email protected]> haci Victor Seva <[email protected]> homer-api (U) Vincent Cheng <[email protected]> slashem (U) YunQiang Su <[email protected]> binutils-mipsen
amanda animals argus binutils-mipsen bombardier crossfire freesweep gridsite haci homer-api hylafax i810switch ircd-hybrid ircd-irc2 liblockfile lockfile-progs lpr mirrormagic modsecurity-apache moria nullmailer omega-rpg openguides openuniverse pachi petris phalanx phpwebcounter postfixadmin quickml rockdodger sauce sendmail slashem snake4 ssmtp suck tetrinetx umegaya uw-imap wordpress xbomb xemacs21 xiterm+thai xletters xpat2
# How to handle my package when ...
## Package uses static ownership
Example:
chown root:www-data /some/path
chgrp bin debian/tmp/usr/bin/binary
install -o root -g bin build/some/binary debian/pkg/usr/bin/binary
Note: The deciding factor is whether any of the debs has a
non-`root/root` path in the data.tar. If all the paths are normalized
to `root/root` before the `.deb` is assembled, you can choose the
"Package explicit chown things as root (and does not use
non-`root/root` static ownership)" option below
This case only applies to users and groups provided by `base-passwd`,
as these are the only users and groups that can be used reliably with
static ownership. For dynamically created users (such as, `adduser` or
`systemd-sysusers`), the paths should be `root/root` with the relevant
chown'ing is done after the installation (either in `postinst` or via
`systemd-tmpfiles`).
The solution:
* Set `Rules-Requires-Root: binary-targets` in the source stanza
## I do not have time to fix the root problem and just want to get off the list
Example:
You have 5 minutes to work on Debian, and this is not the problem you
had planned to work on.
Solution (work around):
* Set `Rules-Requires-Root: binary-targets` in the source stanza, upload
to close the bug and move on for now.
## Package has explicit check for running as root, but it only ships `root/root` paths in the deb
Example:
test x`whoami` = xroot
if [ $(id -u) != 0 ]; then echo "Must be run as root" >&2; exit 1 ; fi
Solution (dh):
1) Remove the check. The `dh` tool handle everything from there.
2) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (classic debhelper):
1) Ensure dh_builddeb is being used to assemble the deb.
2) Either remove the check for running as root *or* replace it with `dh_testroot`.
3) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Ensure `dh_fixperms` is invoked before `dh_builddeb`.
5) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (non-debhelper):
1) Ensure `dpkg-deb --root-owner-group --build` is used for assembling the deb.
2) Either remove the check for running as root *or* replace it with `dh_testroot`.
3) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Optionally, set `Rules-Requires-Root: no` in the source stanza
## Package explicit chown things as root to `root:root`
Example:
chown -R root:root debian/pkg
install -d -o root -g root -m 755 debian/tmp/usr/bin
install -o root -g root -m 644 binary debian/tmp/usr/bin/binary
Bug#1087626 (debian-policy; package was using `dh`)
Solution (dh):
1) Remove all the chown code (incl. `-o/-g` passed to `install`). Since all paths end up
being `root/root`, the `chown` is redundant when `dh_fixperms` + `dh_builddeb` is used.
2) Optionally, set `Rules-Requires-Root: no` in the source stanza
Example of this solution: Bug#1087626 (debian-policy)
Solution (classic debhelper):
1) Ensure `dh_builddeb` is being used to assemble the deb.
2) Remove all the chown checks. Since they are `root/root` they are redundant
with `dh`.
3) Remove all `chown`/`chgrp` and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Ensure `dh_fixperms` is invoked before `dh_builddeb`.
5) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (non-debhelper):
1) Ensure `dpkg-deb --root-owner-group --build` is used for assembling the deb.
2) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
3) Optionally, set `Rules-Requires-Root: no` in the source stanza
## Package provides setuid/setgid `root:root` binaries
Example:
chmod u+s usr/sbin/sudo
Normally, chmod +s is undone when the binary is chown'ed. However,
when the deb is assembled with the `dpkg-deb --root-owner-group`
option, no `chown`'ing is done. Instead, the ownership is overwritten
with no regards to the mode. This happens to work out
perfectly. Accordingly, the `sudo` and other setuid/setgid providing
packages are already `Rules-Requires-Root: no`.
The only counter example here is when the setuid or setgid is for a
non-root user or group. However, this case is covered by the "Package
uses static ownership" scenario above.
## Package FTBFS with a weird "permission denied"
Example:
```
chrpath -d .../perl5/5.40/auto/Lasso/Lasso.s
open: Permssion denied
elf_open: Invalid argument
```
(this three-line example is taken from `lasso`)
What happens here is that upstream's install routine installs that
file *without* minimal permissions (usually u+rw). Under `fakeroot`
emulating "true root", this permission problem is ignored and the
operation continues anyway (not sure exactly how `fakeroot` emulates
it).
Solution (quick fix):
* Apply `chmod u+rwX -R debian/tmp` after running the upstream
installation step, but before the command that fails.
* Undo the `u+wX` bit later **if relevant** (in most cases, it will
not be relevant).
I am considering fixing this in `dh_auto_install` for `debhelper` in a
later compat level. But it cannot be done retroactively since it might
break the intended mode. There are cases where paths must not have
`u+w`, such as `etc/sudoers.d` and `*.ali` files. This can be implemented
by a `dh_fixperms -X <path>`, which means it would be unsafe to ad-hoc
throw into an existing compat level.
## Package provides paths to be owned by dynamic created users or groups
Examples:
Use of `adduser` in maintscripts
Use of `systemd-sysusers` in maintscripts (or `debian/package.sysusers`)
The package should already be using `root/root` for the paths in the
`deb`, since the dynamic user/group does not have a static
uid/gid. Accordingly, this case works the same as a regular
`root/root` deb as far as this MBF is concerned.
Should your package use the dynamic user information in the deb, then
that is a bug on its own that should be fixed as well. This is because
the uid/gid for the dynamic users/groups are not stable. Consider using
`systemd-tmpfiles` for setting up ownership as needed.
# General remarks on the solutions
* All `dh` based solutions described here assumes `dh_fixperms` and `dh_builddeb` are
active for the package. If your package overrides either to replace them with a
different tool, then you may need to mix and match with the "classic debhelper"
or "non-debhelper" solution (or tag the bug with help).
* The "non-debhelper" solution relies on `--root-owner-group` from `dpkg` 1.19.0.
This is satisfied in "oldoldstable", so it should be a non-issue. Though if you
are backporting to older releases for some reason (such as various Ubuntu LTS
releases) and you want 1:1 packaging, then you would need to make the
`--root-owner-group` conditional. See /usr/share/doc/dpkg/spec/rootless-builds.txt
from `dpkg-dev` for details.
For `debhelper` (and `dh`), the feature is basically "feature negotiated"
transparently for you, and you do not have to think about this problem.
#!/usr/bin/sh
set -xe
# NOTE: Order is important; first match wins by default.
# Error patterns caused by the transition or seem related to the transition.
python3 -m rebuilds --silent log-search select '(?:ch(?:own|grp)|install): .*:
Operation not permitted'
python3 -m rebuilds --silent log-search select ': unable to copy file .*
Permission denied'
python3 -m rebuilds --silent log-search select ': cannot (create|access) .*
Permission denied'
python3 -m rebuilds --silent log-search select 'test (?:[$][(]|[`])id -u[`)] =
0'
python3 -m rebuilds --silent log-search select '\[\s+(?:[$][(]|[`])id
-u[`)]\s*[!=]?=\s*0\s+\]'
python3 -m rebuilds --silent log-search select 'test root =
"([$][(]|[`])whoami[`)]"'
python3 -m rebuilds --silent log-search select 'test x`whoami` = xroot'
python3 -m rebuilds --silent log-search select 'make(\[.*\])?: [*][*][*]
\[debian/rules:\d+: checkroot\] Error \d+'
python3 -m rebuilds --silent log-search select 'install
(.*\s)?-o\s+root\s+-g\s+root'
python3 -m rebuilds --silent log-search select 'Password: su: Authentication
failure'
python3 -m rebuilds --silent log-search select 'need root privileges'
python3 -m rebuilds --silent log-search select 'Error: not super-user'
python3 -m rebuilds --silent log-search select 'dh_\S+: error: .*: Permission
denied'
# THis is chrpath, but the error is awkwardly multi-line
python3 -m rebuilds --silent log-search select 'elf_open: Invalid argument'
# Error patterns that seem unrelated to the transition.
python3 -m rebuilds --silent log-search ignore ' error: .* \[-W\S+\]'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*]
\[debian/rules:\d+: override_dh_auto_(?:configure|build|test)\] Error \d+'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*] No
rule to make target .*[.]\s+Stop[.]'
python3 -m rebuilds --silent log-search ignore
'(configure|dh_auto_build|dh_auto_configure|dh_auto_test): error: .*'
python3 -m rebuilds --silent log-search ignore '==> CMakeCache.txt <=='
python3 -m rebuilds --silent log-search ignore '/bin/\S+: \d+: .+: not found'
python3 -m rebuilds --silent log-search ignore '(?:cp|mv|install|cat|touch):
.*: No such file or directory'
python3 -m rebuilds --silent log-search ignore 'cannot find package ".*" in any
of:'
python3 -m rebuilds --silent log-search ignore 'collect2: error: ld returned
\d+ exit status'
python3 -m rebuilds --silent log-search ignore
'(?:Import|Attribute|Assertion|ModuleNotFound|Type)Error:'
python3 -m rebuilds --silent log-search ignore 'cc1plus: all warnings being
treated as errors'
python3 -m rebuilds --silent log-search ignore ' invalid suffix .* on
.*constant'
python3 -m rebuilds --silent log-search ignore ' error: impossible constraint
in'
python3 -m rebuilds --silent log-search ignore ' error: assignment .* read-only
object'
python3 -m rebuilds --silent log-search ignore 'Errors while running CTest'
python3 -m rebuilds --silent log-search ignore 'error: Multiple top-level
packages discovered in a flat-layout: '
python3 -m rebuilds --silent log-search ignore 'E: Package build dependencies
not satisfied; skipping'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: missing
files, aborting'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: .* is missing'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: .*: No such
file or directory'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: Cannot find
[(]any matches for[)] .*'
python3 -m rebuilds --silent log-search ignore '^dh_elpa_test: error: .*
returned exit code'
python3 -m rebuilds --silent log-search ignore 'error: unrecognized
command-line option .*'
python3 -m rebuilds --silent log-search ignore '(?:dpkg-|dh_)gencontrol: error:'
python3 -m rebuilds --silent log-search ignore 'E: Build killed with signal
TERM after 150 minutes of inactivity'
python3 -m rebuilds --silent log-search ignore 'jh_build: error: find .*
returned exit code 123'
python3 -m rebuilds --silent log-search ignore 'texi2dvi: Your TeX installation
appears to be broken - texi2dvi'
python3 -m rebuilds --silent log-search ignore 'Error: .*: Encountered missing
or private dependencies:'
python3 -m rebuilds --silent log-search ignore '[Ss]egmentation fault'
python3 -m rebuilds --silent log-search ignore '/dists/\S+/Release.gpg: Scheme
missing.'
python3 -m rebuilds --silent log-search ignore 'dpkg-deb: error: parsing file'
python3 -m rebuilds --silent log-search ignore 'E: Minimal version requirement
not satisfied for'
python3 -m rebuilds --silent log-search ignore 'error: \[GHC-\d+\]'
python3 -m rebuilds --silent log-search ignore 'error: (?:.*/)?hlibrary.setup
build .+ returned exit code \d+'
python3 -m rebuilds --silent log-search ignore 'Error: build of pdf failed with
error code \d+'
python3 -m rebuilds --silent log-search ignore '[.]rb:\d+:in `.*'\'': .*:\d+:
.* [(]SyntaxError[)]'
python3 -m rebuilds --silent log-search ignore 'Extension error
[(]pydata_sphinx_theme[)]:'
python3 -m rebuilds --silent log-search ignore 'E: py3versions failed at
/usr/share/perl5/Debian/Debhelper/Buildsystem/pybuild[.]pm line \d+[.]'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*]
\[Makefile:\d+: (readme|html)\] Error \d+'
python3 -m rebuilds --silent log-search ignore 'ERROR: Test ".*" failed.
Exiting.'
python3 -m rebuilds --silent log-search ignore 'error: no match for .*'
# This is just a( non-obvious) way to finding all unmatched logs.
python3 -m rebuilds --silent log-search select '(?:(?:ch(?:own|grp)|install):
.*: Operation not permitted)|(?:mkdir.*Permission denied)' --dry-run -L >
logs-to-check
set +x
LINES="$(wc -l logs-to-check)"
echo "There are ${LINES} logs to check"
OpenPGP_signature.asc
Description: OpenPGP digital signature

