Bug#1066112: weston: Enable support to libseat launcher in weston 10
Hi, Dylan.

Sorry to bother again, but I'd like to know the status of this upload.

On Sat, Mar 16, 2024 at 04:42:20PM -0300, Carlos Henrique Lima Melara wrote:
> On Wed, Mar 13, 2024 at 05:42:29PM +0100, Dylan Aïssi wrote:
> > On Wed, 13 Mar 2024 at 16:05, Carlos Henrique Lima Melara wrote:
> > >
> > > > I can try this week to prepare an updated package in a dedicated branch
> > > > in salsa, so you can test it. Then, if everything is okay, we could fill
> > > > the request to the release team.
> > >
> > > Sure, just let me know if you need help with anything and/or when the
> > > packaging is ready for testing.
> >
> > Ready for testing at:
> > https://salsa.debian.org/xorg-team/wayland/weston/-/tree/debian-10.0
>
> I just realized the branch name is confusing...
>
> So, I have good and bad news, but I guess they are mostly good.
>
> The bad news first, when I was checking the upstream commits, I saw some
> changes in libweston.h which raised some flags about ABI incompatibility
> because they introduced some members in a publicly exposed struct. So I
> set my feet on testing abi changes with abi-dumper +
> abi-compliance-checker (it was my first time, that's why it took so
> long).
>
> The actually bad news is 08979a1 (from 10.0.4) [1] makes some problematic
> changes in libweston.h:
>
> --- a/include/libweston/libweston.h > +++ b/include/libweston/libweston.h > @@ -1289,6 +1289,7 @@ struct weston_view { > struct weston_surface *surface; > struct wl_list surface_link; > struct wl_signal destroy_signal; > + struct wl_signal unmap_signal; > > /* struct weston_paint_node::view_link */ > struct wl_list paint_node_list;
> @@ -1441,6 +1442,7 @@ struct weston_pointer_constraint { > bool hint_is_pending; > > struct wl_listener pointer_destroy_listener; > + struct wl_listener view_unmap_listener; > struct wl_listener surface_commit_listener; > struct wl_listener surface_activate_listener; > };
>
> This introduces an ABI incompatibility in libweston as caught by
> abi-compliance-checker (report attached):
>
> Comparing ABIs ...¬
> Comparing APIs ...¬
> Creating compatibility report ...¬
> Binary compatibility: 77.8%¬
> Source compatibility: 100%¬
> Total binary compatibility problems: 1, warnings: 1¬
> Total source compatibility problems: 0, warnings: 1¬
> Report: compat_reports/libweston-10.so.dump/0_to_1/compat_report.html¬
>
> I think this would get a solid NO from the release team (although I'm
> not sure). Since the whole 10.0.4 release (the 4 commits) are related to
> each other, I think we won't be able to pick it.
>
> That said, I started testing with the 10.0.3 release (because if we
> can't get the latest, let's try to get something at least). And the
> results are good, we have 100% abi and api compatibility for all DSOs,
> even internal ones.
>
> Also, building the 10.0.3 (always with libseat launcher support
> enabled), the build time tests give the same results (with 10.0.5 I was
> getting slightly different results).
>
> I also tested the libseat launcher and normal launcher and they both
> work.
>
> Finally, since the 10.0.5 patch release is only 1 commit, we can grab it
> as a patch in the packaging side, so we would just miss the 10.0.4 patch
> release.
>
> Well, it was a long email, but the main takeaway is 10.0.4 introduces an
> ABI incompatibility and would be unsuitable for a proposed-update to
> bookworm. But we can use the 10.0.3 release plus the only commit in
> 10.0.5 with libseat launcher support with 100% abi and api
> compatibility.

Would you be okay with using 10.0.3 instead of 10.0.5? Also, if you need any help, please let me know.
Maybe a disclaimer I should have sent in the first email: I do work at Toradex, which is an embedded systems company, and we have been rebuilding weston with libseat-launcher support for a while. I'm also a Debian contributor and maintainer (DM) and I suggested to our management to try to send this change to Debian as a contribution. They were very supportive about contributing back to Debian, so here we are :-)

Cheers,
Charles
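Review bot: `unmap_signal` goes in ahead of `paint_node_list` in the `struct weston_view` hunk (and `view_unmap_listener` ahead of `surface_commit_listener` in the second hunk), so every member after the insertion point moves in a header installed from include/libweston/. For a stable branch the new members need a position that leaves the existing offsets alone, and the change should state whether these structs are ever allocated or embedded outside libweston, because the size change by itself breaks those users.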
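The layout shift behind the abi-compliance-checker result discussed in the message above, as an added example that is not part of the original email or of weston. The two structs are cut down to the members visible in the quoted `struct weston_view` hunk; `wl_list` and `wl_signal` are local stand-ins for the wayland-util.h types, and `view_old`, `view_new` and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the wayland-util.h types (assumption: same shape). */
struct wl_list { struct wl_list *prev, *next; };
struct wl_signal { struct wl_list listener_list; };

/* Hypothetical cut-down layouts: only the members visible in the quoted hunk. */
struct view_old {
	void *surface;
	struct wl_list surface_link;
	struct wl_signal destroy_signal;
	struct wl_list paint_node_list;
};
struct view_new {
	void *surface;
	struct wl_list surface_link;
	struct wl_signal destroy_signal;
	struct wl_signal unmap_signal;	/* the member the commit inserts */
	struct wl_list paint_node_list;
};

struct member { const char *name; size_t old_off, new_off; };
#define M(f) { #f, offsetof(struct view_old, f), offsetof(struct view_new, f) }
static const struct member members[] = {
	M(surface), M(surface_link), M(destroy_signal), M(paint_node_list),
};
#define N_MEMBERS (sizeof members / sizeof members[0])

/* Count pre-existing members whose offset differs between the two layouts. */
int moved_members(void)
{
	int moved = 0;
	for (size_t i = 0; i < N_MEMBERS; i++)
		moved += members[i].old_off != members[i].new_off;
	return moved;
}

/* A binary built against the old header reaches paint_node_list through the
 * old offset. Returns 1 when that offset now belongs to unmap_signal. */
int stale_offset_hits_unmap_signal(void)
{
	return offsetof(struct view_old, paint_node_list) ==
	       offsetof(struct view_new, unmap_signal);
}

int main(void)
{
	for (size_t i = 0; i < N_MEMBERS; i++)
		printf("%-16s old=%zu new=%zu\n", members[i].name, members[i].old_off, members[i].new_off);
	printf("moved=%d stale_hit=%d\n", moved_members(), stale_offset_hits_unmap_signal());
	return 0;
}
```

Source compatibility stays at 100% because recompiling picks up the new offsets; only binaries built against the old header keep the stale ones.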
Processed: Re: Bug#1068378
Processing control commands:

> tags -1 patch
Bug #1068378 [xdm] xdm: pam_keyinit is missing from /etc/pam.d/xdm
Added tag(s) patch.

--
1068378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068378
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1068378:
Control: tags -1 patch
Bug#1068378: [PATCH] Add the pam_keyinit session module to create new session keyring on login
This commit replicates commits[1][2] from the openssh package. Closes [1] https://salsa.debian.org/ssh-team/openssh/-/commit/ca7f6f719ad5f168b25165caaff658f21c784c4e [2] https://salsa.debian.org/ssh-team/openssh/-/commit/dc461e571bcc56f8d95e83c731007636d8e79da5 Closes: #1068378 --- debian/rules | 10 +- debian/xdm.pam| 19 --- debian/xdm.pam.in | 20 3 files changed, 29 insertions(+), 20 deletions(-) delete mode 100644 debian/xdm.pam create mode 100644 debian/xdm.pam.in diff --git a/debian/rules b/debian/rules index 5d2dbd3..ab9f5d4 100755 --- a/debian/rules +++ b/debian/rules @@ -38,6 +38,7 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) endif DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) +DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_ARCH_OS ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) @@ -58,6 +59,13 @@ endif BUILD_DIR := build +debian/xdm.pam: debian/xdm.pam.in +ifeq ($(DEB_HOST_ARCH_OS),linux) + sed 's/^@IF_KEYINIT@//' $< > $@ +else + sed '/^@IF_KEYINIT@/d' $< > $@ +endif + stampdir_targets+=config config: $(STAMP_DIR)/config $(STAMP_DIR)/config: $(STAMP_DIR)/patch @@ -121,7 +129,7 @@ clean: xsfclean dh_clean # Build architecture-dependent files here. -binary-arch: $(STAMP_DIR)/install +binary-arch: $(STAMP_DIR)/install debian/xdm.pam dh_testdir dh_testroot diff --git a/debian/xdm.pam b/debian/xdm.pam deleted file mode 100644 index 1108a71..000 --- a/debian/xdm.pam +++ /dev/null 
@@ -1,19 +0,0 @@ -auth requisite pam_nologin.so -auth requiredpam_env.so -auth requiredpam_env.so envfile=/etc/default/locale - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without this it is possible -# that a module could execute code in the wrong domain. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close -session requiredpam_loginuid.so -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -sessionrequiredpam_limits.so - -@include common-auth -@include common-account -@include common-session -@include common-password diff --git a/debian/xdm.pam.in b/debian/xdm.pam.in new file mode 100644 index 000..92c46b7 --- /dev/null +++ b/debian/xdm.pam.in @@ -0,0 +1,20 @@ +auth requisite pam_nologin.so +auth requiredpam_env.so +auth requiredpam_env.so envfile=/etc/default/locale + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without this it is possible +# that a module could execute code in the wrong domain. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close +session requiredpam_loginuid.so +@IF_KEYINIT@session optionalpam_keyinit.so force revoke +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +sessionrequiredpam_limits.so + +@include common-auth +@include common-account +@include common-session +@include common-password -- 2.39.2
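Review bot: no hunk touches the `clean` target, which in the last debian/rules hunk still ends at `dh_clean`, so the generated debian/xdm.pam is left in the tree after a build now that it is no longer a tracked file. Add `rm -f debian/xdm.pam` to `clean`; otherwise make sees an up-to-date target and a later build for a different DEB_HOST_ARCH_OS can ship the copy produced by the other sed branch.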
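Review bot: the `@IF_KEYINIT@` line in debian/xdm.pam.in sits between two commented SELinux rules but carries no comment of its own saying what `pam_keyinit.so force revoke` does or why it is Linux-only. Add a line such as `@IF_KEYINIT@# Create a new session keyring.` directly above it; with the same prefix it is stripped or dropped by the two sed expressions together with the rule.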
Bug#1068378: xdm: pam_keyinit is missing from /etc/pam.d/xdm
Package: xdm
Version: 1:1.1.11-3+b2
Severity: normal
X-Debbugs-Cc: none, Łukasz Stelmach

Dear Maintainer,

pam_keyinit is missing from the /etc/pam.d/xdm configuration file. Therefore, it is not possible to access the session keyring from programs running in a session started by xdm.

The patch will follow.

PS. Below there is a modified pam file from my system which makes it possible to access the session keyring.

-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, armel

Kernel: Linux 6.5.0-0.deb12.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages xdm depends on:
ii  cpp                        4:12.2.0-3
ii  debconf [debconf-2.0]      1.5.82
ii  libc6                      2.36-9+deb12u4
ii  libcrypt1                  1:4.4.33-2
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libx11-6                   2:1.8.4-2+deb12u2
ii  libxau6                    1:1.0.9-1
ii  libxaw7                    2:1.0.14-1
ii  libxdmcp6                  1:1.1.2-3
ii  libxext6                   2:1.3.4-1+b1
ii  libxft2                    2.3.6-1
ii  libxinerama1               2:1.1.4-3
ii  libxmu6                    2:1.1.3-3
ii  libxpm4                    1:3.5.12-1.1+deb12u1
ii  libxrender1                1:0.9.10-1.1
ii  libxt6                     1:1.2.1-1.1
ii  lsb-base                   11.6
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4
ii  x11-utils                  7.7+5
ii  x11-xserver-utils          7.7+9+b1

xdm recommends no packages.

xdm suggests no packages.
-- Configuration Files:
/etc/pam.d/xdm changed:
auth     requisite  pam_nologin.so
auth     required   pam_env.so
auth     required   pam_env.so envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session  required   pam_loginuid.so
session  optional   pam_keyinit.so force revoke
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session  required   pam_limits.so
@include common-auth
@include common-account
@include common-session
@include common-password

-- debconf information:
* shared/default-x-display-manager: xdm
  xdm/daemon_name: /usr/bin/xdm
  xdm/stop_running_server_with_children: false

--
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics