On Wed, 2019-05-15 at 14:42:53 +0200, Santiago Vila wrote:
> On Wed, May 15, 2019 at 02:21:49PM +0200, Guillem Jover wrote:
> > > To be precise, if I apply the patch below to hello-traditional_2.10-5
> > > and do "dpkg-buildpackage -uc -us -b" in a sid chroot, I get a .deb
> > > package with all files owned by "sanvila/sanvila".
> > Ah. :) Ok let's try to see whether the current spec/doc is enough or
> > whether it'd need improvements. So it would be great if you could go
> > over /usr/share/doc/dpkg-dev/rootless-builds.txt.gz and see whether
> > you can figure it out with just that? Also assuming you were not aware
> > of that doc, where do you think it could have been referred from so
> > that it would be easy to get to?
>
> Yes, I read the document (following a link from lintian), and no,
> I was not able to figure out.
BTW, I just recalled this is also documented now in policy, I'll file
a bug on lintian to add a reference.
> (BTW: The document speaks about "the builder", who is exactly this
> mysterious character? dpkg-deb? sbuild? the person doing the build?)
This is whatever or whoever is calling debian/rules. I've updated the
doc.
> > (Briefly checking it now again, I think it should spell out dpkg-deb's
> > --root-owner-group option on the prototyping/preparation section.)
>
> Ok, I see it now. So, I should use Rules-Requires-Root: no and
> also add --root-owner-group to the "dpkg --build" call, right?
Yes.
> Should I also add a versioned build-depends on dpkg-dev?
You want a build-dep on dpkg >= 1.19.0 itself for the new dpkg-deb
option. I guess you could also want a build-dep on dpkg-dev >= 1.19.1
for the R³ field support, but in your specific case it does not matter
much, as either it will be supported and debian/rules will not be
called with (fake)root, or it will not be supported and it will be
called with (fake)root, which will not matter much as dpkg-deb will do
the right thing anyway.
I'm attaching the diff to the spec, but not sure whether that'd have
been enough to make this more clear?
Thanks,
Guillem
diff --git i/doc/rootless-builds.txt w/doc/rootless-builds.txt
index 0b6b9d849..3298768ec 100644
--- i/doc/rootless-builds.txt
+++ w/doc/rootless-builds.txt
@@ -48,10 +48,11 @@ The values are defined as:
(See also "Implementation provided keywords".)
- When "Rules-Requires-Root" is set to , the
- builder will expose an interface that is used to run a command under
- (fake)root via the "Gain Root API". If the builder cannot provide such
- a command, it MUST behave like "Rules-Requires-Root" was set to
- "binary-targets", i.e. run "debian/rules binary" under (fake)root.
+ builder (i.e. whatever is executing debian/rules) will expose an
+ interface that is used to run a command under (fake)root via the
+ "Gain Root API". If the builder cannot provide such a command, it
+ MUST behave like "Rules-Requires-Root" was set to "binary-targets",
+ i.e. run "debian/rules binary" under (fake)root.
When the builder supports this specification, it MUST notify this fact to
the rules file via the "DEB_RULES_REQUIRES_ROOT" environment variable, with
@@ -139,12 +140,12 @@ Prototyping/preparation
dpkg side
-
-dpkg-deb --build must either default to resetting all owner/group values to
-0:0 when not run under (fake)root OR provide an interface so dh_builddeb can
-provide the owner/group value to dpkg-deb --build.
+dpkg-deb --build provides the --root-owner-group option so that dh_builddeb
+or direct calls can control the owner/group file values w/o requiring
+(fake)root.
-dpkg-buildpackage must export DEB_GAIN_ROOT_CMD (for starters, doing this
-unconditionally would be fine).
+dpkg-buildpackage must export DEB_GAIN_ROOT_CMD when necessary (for
+prototyping, doing this unconditionally would be fine).
debhelper side
