[gentoo-dev] RFC: Namespace for users created for packages

2014-03-26 Thread Michal Hrusecky
Hi all,

An interesting discussion started on the openSUSE mailing list[1][2] and I would like
to open up the same question on this mailing list.

Basically it is about the following problem. Citing parts of the proposal:

Many packages need to add user and group names for their unprivileged daemons.
Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since
there is no separate name space for system users those names may collide with
names of real persons. Sharing a user name between a system user and a normal
user leads to surprising or even security relevant misbehavior as the daemon
user may write to files in the real user's home or vice versa.

The conclusion, in short, is to prefix system users (with some exceptions like root
or nobody) with underscore '_'. So you would get users like '_pop', '_vdr',
'_tor' or '_znc'. OpenBSD already does that[3]. openSUSE proposal with more
details can be seen on GitHub[4].

So the question is, what would you think about such a policy in Gentoo?

[1] http://lists.opensuse.org/opensuse-factory/2014-03/msg00333.html
[2] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html
[3] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain
[4] https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_usernames.txt

-- 
Michal Hrusecky 
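
An added example, not part of the original post or of the openSUSE proposal: a small POSIX shell audit over passwd-format data that lists system accounts still lacking the '_' prefix and those whose name a real person already uses. The UID_MIN cut-off of 1000, the exempt list, the idea of a directory export of person names and all sample entries are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd-format data for the name collision described above.
# UID_MIN and EXEMPT are assumptions of this sketch, not values from the proposal.
UID_MIN=1000          # accounts below this UID are treated as system accounts
EXEMPT="root nobody"  # traditional names kept without a prefix

# Constructed sample: local passwd entries.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
tor:x:104:104:tor daemon:/var/lib/tor:/sbin/nologin
_znc:x:105:105:znc daemon:/var/lib/znc:/sbin/nologin
pop:x:106:106:pop3 daemon:/var/empty:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed sample: login names of real people, e.g. exported from a directory.
DIRECTORY_USERS='alice
tor
_ops'

# System accounts that do not yet carry the "_" prefix (exempt names skipped).
unprefixed_system_users() {
    printf '%s\n' "$1" | awk -F: -v min="$UID_MIN" -v exempt="$EXEMPT" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        ($3 + 0) < (min + 0) && !($1 in skip) && $1 !~ /^_/ { print $1 }'
}

# System account names that a real person also uses: the case the proposal
# warns about, where daemon and person end up sharing one identity.
colliding_names() {
    printf '%s\n' "$1" | DIR_USERS="$2" awk -F: -v min="$UID_MIN" '
        BEGIN { n = split(ENVIRON["DIR_USERS"], d, "\n")
                for (i = 1; i <= n; i++) person[d[i]] = 1 }
        ($3 + 0) < (min + 0) && ($1 in person) { print $1 }'
}

# Person names that start with "_": these must be refused, otherwise the
# reserved prefix no longer separates the two namespaces.
reserved_prefix_violations() {
    printf '%s\n' "$1" | grep '^_' || true
}

echo "rename to _name:   $(unprefixed_system_users "$LOCAL_PASSWD" | tr '\n' ' ')"
echo "already colliding: $(colliding_names "$LOCAL_PASSWD" "$DIRECTORY_USERS" | tr '\n' ' ')"
echo "reserved by users: $(reserved_prefix_violations "$DIRECTORY_USERS" | tr '\n' ' ')"
```

The prefix only separates the two namespaces if account creation for people rejects names that begin with '_', which is what the third check looks for.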



Re: [gentoo-dev] RFC patch for obs-service.eclass

2012-02-24 Thread Michal Hrusecky
Michal Hrusecky - 11:18 21.02.12 wrote:
> Hi,
> 
> Any objections to the following patch? I guess I'm the only one using
> this eclass anyway. So, what the patch does: in Gentoo we have build
> renamed to avoid clashes and moved to a different directory. More and
> more services are using parts of the build, so instead of patching all
> services, I think it would be better to do it in the eclass.

During the last checks before committing I found an error I overlooked
previously due to some changes elsewhere, so here is the latest patch I
want to commit (also incorporates the feedback I received).

-- 
Michal Hrusecky 
? obs-service.eclass.patch
Index: obs-service.eclass
===
RCS file: /var/cvsroot/gentoo-x86/eclass/obs-service.eclass,v
retrieving revision 1.1
diff -u -B -r1.1 obs-service.eclass
--- obs-service.eclass  16 Sep 2011 15:49:19 -  1.1
+++ obs-service.eclass  24 Feb 2012 10:19:00 -
@@ -65,13 +65,25 @@
SRC_URI+=" ${OBS_URI}/${i}"
 done
 
-S="${WORKDIR}"
-
-# @FUNCTION: obs-service_src_configure
+# @FUNCTION: obs-service_src_unpack
 # @DESCRIPTION:
 # Does nothing. Files are not compressed.
 obs-service_src_unpack() {
debug-print-function ${FUNCNAME} "$@"
+   cd "${DISTDIR}"
+   mkdir -p "${S}"
+   cp ${A} "${S}"
+}
+
+# @FUNCTION: obs-service_src_prepare
+# @DESCRIPTION:
+# Replaces all /usr/lib/build directories with /usr/share/suse-build to reflect
+# where suse-build is installed in Gentoo.
+obs-service_src_prepare() {
+   debug-print-function ${FUNCNAME} "$@"
+   debug-print "Replacing all paths to find suse-build in Gentoo"
+   find "${S}" -type f -exec \
+   sed -i 's|/usr/lib/build|/usr/share/suse-build|g' {} +
 }
 
 # @FUNCTION: obs-service_src_install
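Review bot: The new body of obs-service_src_unpack runs cd "${DISTDIR}", mkdir -p "${S}" and cp ${A} "${S}" with no error check, so a failed copy leaves ${S} empty and the find ... -exec sed -i call in obs-service_src_prepare then rewrites nothing without reporting it; append || die to each of the three commands and to the find call. The @DESCRIPTION kept above obs-service_src_unpack still reads "Does nothing. Files are not compressed.", which no longer matches a function that copies ${A} into ${S}.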
@@ -81,17 +93,17 @@
debug-print-function ${FUNCNAME} "$@"
debug-print "Installing service \"${OBS_SERVICE_NAME}\""
exeinto /usr/lib/obs/service
-   doexe "${DISTDIR}"/${OBS_SERVICE_NAME}
+   doexe "${S}"/${OBS_SERVICE_NAME}
insinto /usr/lib/obs/service
-   doins "${DISTDIR}"/${OBS_SERVICE_NAME}.service
+   doins "${S}"/${OBS_SERVICE_NAME}.service
if [[ -n ${ADDITIONAL_FILES} ]]; then
debug-print "Installing following additional files:"
debug-print "   ${ADDITIONAL_FILES}"
exeinto /usr/lib/obs/service/${OBS_SERVICE_NAME}.files
for i in ${ADDITIONAL_FILES}; do
-   doexe "${DISTDIR}"/${i}
+   doexe "${S}"/${i}
done
fi
 }
 
-EXPORT_FUNCTIONS src_install src_unpack
+EXPORT_FUNCTIONS src_install src_prepare src_unpack
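Review bot: In obs-service_src_install only the ${S} part of each path is quoted: doexe "${S}"/${OBS_SERVICE_NAME}, doins "${S}"/${OBS_SERVICE_NAME}.service and doexe "${S}"/${i} leave the file-name part open to word splitting and globbing. Quote the whole argument, for example doexe "${S}/${i}", so that the three calls are consistent with the quoting already applied to ${S}.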




[gentoo-dev] RFC patch for obs-service.eclass

2012-02-21 Thread Michal Hrusecky
Hi,

Any objections to the following patch? I guess I'm the only one using
this eclass anyway. So, what the patch does: in Gentoo we have build
renamed to avoid clashes and moved to a different directory. More and
more services are using parts of the build, so instead of patching all
services, I think it would be better to do it in the eclass.

--- obs-service.eclass  16 Sep 2011 15:49:19 -  1.1
+++ obs-service.eclass  21 Feb 2012 10:03:43 -
@@ -74,6 +74,18 @@
debug-print-function ${FUNCNAME} "$@"
 }
 
+# @FUNCTION: obs-service_src_prepare
+# @DESCRIPTION:
+# Replaces all /usr/lib/build directories with /usr/share/suse-build to reflect
+# where suse-build is installed in Gentoo.
+obs-service_src_prepare() {
+   debug-print-function ${FUNCNAME} "$@"
+   debug-print "Replacing all paths to find suse-build in Gentoo"
+   find . -exec grep -l /usr/lib/build \{\} \; | while read i; do
+   sed -i 's|/usr/lib/build|/usr/share/suse-build|g' "${i}"
+   done
+}
+
 # @FUNCTION: obs-service_src_install
 # @DESCRIPTION:
 # Does the installation of the downloaded files.
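Review bot: The loop in obs-service_src_prepare, find . -exec grep -l /usr/lib/build \{\} \; | while read i, mangles file names that contain backslashes or leading or trailing whitespace because read is used without -r and with the default IFS, and a sed failure inside the pipeline is never reported. find . also hands directories to grep and depends on whatever the current directory is when the phase runs. Restrict the walk to -type f under "${S}", let find call sed directly with -exec ... {} +, and add || die.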
@@ -94,4 +106,4 @@
fi
 }
 
-EXPORT_FUNCTIONS src_install src_unpack
+EXPORT_FUNCTIONS src_install src_prepare src_unpack
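Review bot: Adding src_prepare to EXPORT_FUNCTIONS makes the path rewrite the default prepare phase for every inheriting ebuild, so an ebuild that defines its own src_prepare drops the rewrite without any message. State in the @DESCRIPTION of obs-service_src_prepare that such ebuilds have to call it explicitly.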


-- 
Michal Hrusecky 




Re: [gentoo-dev] [RFC] obs eclasses

2011-09-15 Thread Michal Hrusecky

Marijn -  9:35 15.09.11 wrote:
> Hi Michal,
> 
> On 09/14/11 10:56, Michal Hrusecky wrote:
> > Hi,
> > 
> > new versions of eclasses after hopefully fixing most of the
> > comments.
> > 
> 
> The download eclass speaks about ``openSUSE Build Service'' while the
> other calls it the ``Open Build Service''. I note that the command
> line tool dev-util/osc also speaks about ``Open Build Service''.

Things are a little bit complicated. Once upon a time, there were some
people unhappy with the process of building packages for SUSE/openSUSE
and they created a server application and called it "openSUSE Build
Service". As "openSUSE Build Service" is quite a long name, everybody
started calling it just 'obs'. Even the developers themselves. As obs
supported building packages for many distributions and was open source,
some other companies and organizations started using it (for example
Meego). Some didn't even know what 'obs' stands for and assumed that
'o' is for 'Open'. But some others knew and were reluctant to use it
because of openSUSE in its name. So it got renamed to 'Open Build
Service' (so the 'obs' abbreviation will still work). But the original
first running publicly available instance is still called 'openSUSE
Build Service'. So we've got software which is called "Open Build
Service" and tools like dev-util/osc and its plugins (obs services -
what the second eclass is intended for) that work with any instance. And
we've got "openSUSE Build Service" which is basically the build.opensuse.org
server running Open Build Service :-D And as some SUSE guys are too lazy to
be a good upstream, they publish some source code and packages just
through the openSUSE Build Service (that's what the first eclass is good
for).

> Others have remarked on this, but could you please explain why there
> are (going to be) ebuilds that don't/cannot use the full eclass? What
> numbers are we talking about?

Currently, there are two more ebuilds that can make use of
obs-download.eclass: 'dev-util/osc' and 'dev-util/suse-build'. It is not
that much code duplication, but I think it could make ebuilds more
readable.

> How about using open-build-service in the name of the eclass(es)?

I personally dislike long file names and obs is a well-known abbreviation
(in my google search, second link is http://guild.opensuse.org and first
http://en.wikipedia.org/wiki/OBS which also lists OBS as Open Build
Service), although a little bit ambiguous. If it were a hard
requirement for getting them in, I would consider expanding the 'obs',
but personally I would prefer not to.

> Finally, has this seen any testing in an overlay?

Only locally - on my computer. Currently I have 3 services (osc plugins)
that I needed to commit stuff with osc from git.

-- 
Michal Hrusecky 



Re: [gentoo-dev] [RFC] obs eclasses

2011-09-14 Thread Michal Hrusecky
Ulrich Mueller - 11:56 14.09.11 wrote:
> >>>>> On Wed, 14 Sep 2011, Michal Hrusecky wrote:
> > new versions of eclasses after hopefully fixing most of the comments.
> 
> > # @ECLASS-VARIABLE: OPENSUSE_RELEASE
> > # @ECLASS-VARIABLE: OBS_PROJECT
> > # @ECLASS-VARIABLE: OPENSUSE_PACKAGE
> 
> Can't this use a single namespace, i.e. either "OBS" or "OPENSUSE"?
> Otherwise people will get confused ...

Ok, fixed the documentation, replaced OPENSUSE_PACKAGE with OBS_PACKAGE.
OBS is a whole service that can host pretty much anything.
OPENSUSE_RELEASE is just to make it easier to take files from one
particular project (that I'll be using for "stable" releases of some
packages). So it has some reasons to have a different prefix...

-- 
Michal Hrusecky 




Re: [gentoo-dev] [RFC] obs eclasses

2011-09-14 Thread Michal Hrusecky
Hi,

new versions of eclasses after hopefully fixing most of the comments.

-- 
Michal Hrusecky 
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# @ECLASS: obs-download.eclass
# @MAINTAINER:
# mi...@gentoo.org
# @BLURB: Simplifies downloading from openSUSE Build Service.
# @DESCRIPTION:
# This eclass constructs OBS_URI based on provided project in openSUSE Build
# Service and package name. It can be used later by packages/eclasses to
# download actual files.
#
# All you need to do in order to use it is set OBS_PROJECT and OBS_PACKAGE and
# inherit this eclass. It will provide OBS_URI in return which you will prepend
# to your files and use in SRC_URI. Alternatively you can just set
# OPENSUSE_RELEASE and OBS_PACKAGE and it will give you back OBS_URI for
# downloading files from obs projects corresponding to the specified openSUSE
# release.

# @ECLASS-VARIABLE: OPENSUSE_RELEASE
# @DEFAULT_UNSET
# @DESCRIPTION:
# From which stable openSUSE release to take files.

# @ECLASS-VARIABLE: OBS_PROJECT
# @DEFAULT_UNSET
# @DESCRIPTION:
# In which obs project the package is. This variable doesn't have to be set if
# OPENSUSE_RELEASE is provided.

# @ECLASS-VARIABLE: OPENSUSE_PACKAGE
# @REQUIRED
# @DESCRIPTION:
# Name of the package we want to take files from.

[[ -z ${OPENSUSE_RELEASE} ]] || OBS_PROJECT="openSUSE:${OPENSUSE_RELEASE}"
[[ -n ${OBS_PROJECT} ]]  || die "OBS_PROJECT not set!"
[[ -n ${OBS_PACKAGE} ]]  || die "OBS_PACKAGE not set!"

OBS_URI="https://api.opensuse.org/public/source/${OBS_PROJECT}/${OBS_PACKAGE}"

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# @ECLASS: obs-service.eclass
# @MAINTAINER:
# mi...@gentoo.org
# @BLURB: Reduces code duplication in the Open Build Service services.
# @DESCRIPTION:
# This eclass makes it easier to package Open Build Service services. Based on
# provided information it will set all needed variables and takes care of
# installation.
#
# @EXAMPLE:
# Typical ebuild using obs-service.eclass:
#
# @CODE
# EAPI=4
#
# inherit obs-service
#
# KEYWORDS=""
#
# DEPEND=""
# RDEPEND="${DEPEND}"
#
# @CODE

# @ECLASS-VARIABLE: OBS_SERVICE_NAME
# @DESCRIPTION:
# Name of the service. If not set, it is taken from ${PN}.

# @ECLASS-VARIABLE: OPENSUSE_RELEASE
# @DESCRIPTION:
# From which stable openSUSE release to take a package.

# @ECLASS-VARIABLE: ADDITIONAL_FILES
# @DEFAULT_UNSET
# @DESCRIPTION:
# If any additional files are needed.

case "${EAPI:-0}" in
	4) : ;;
	*) die "EAPI=${EAPI} is not supported" ;;
esac

HOMEPAGE="http://en.opensuse.org/openSUSE:OSC"
LICENSE="GPL-2"
SLOT="0"
IUSE=""
RDEPEND="dev-util/osc"

[[ -n ${OBS_SERVICE_NAME} ]] || OBS_SERVICE_NAME=${PN/obs-service-/}
[[ -n ${OPENSUSE_RELEASE} ]] || OBS_PROJECT="openSUSE:Tools"

DESCRIPTION="Open Build Service client module - ${OBS_SERVICE_NAME} service"
OBS_PACKAGE="obs-service-${OBS_SERVICE_NAME}"

inherit obs-download

SRC_URI="${OBS_URI}/${OBS_SERVICE_NAME}"
SRC_URI+=" ${OBS_URI}/${OBS_SERVICE_NAME}.service"

for i in ${ADDITIONAL_FILES}; do
	SRC_URI+=" ${OBS_URI}/${i}"
done

S="${WORKDIR}"

# @FUNCTION: obs-service_src_configure
# @DESCRIPTION:
# Does nothing. Files are not compressed.
obs-service_src_unpack() {
	debug-print-function ${FUNCNAME} "$@"
}

# @FUNCTION: obs-service_src_install
# @DESCRIPTION:
# Does the installation of the downloaded files.
obs-service_src_install() {
	debug-print-function ${FUNCNAME} "$@"
	debug-print "Installing service \"${OBS_SERVICE_NAME}\""
	exeinto /usr/lib/obs/service
	doexe "${DISTDIR}"/${OBS_SERVICE_NAME}
	insinto /usr/lib/obs/service
	doins "${DISTDIR}"/${OBS_SERVICE_NAME}.service
	if [[ -n ${ADDITIONAL_FILES} ]]; then
		debug-print "Installing following additional files:"
		debug-print "   ${ADDITIONAL_FILES}"
		exeinto /usr/lib/obs/service/${OBS_SERVICE_NAME}.files
		for i in ${ADDITIONAL_FILES}; do
			doexe "${DISTDIR}"/${i}
		done
	fi
}

EXPORT_FUNCTIONS src_install src_unpack




Re: [gentoo-dev] [RFC] obs eclasses

2011-09-14 Thread Michal Hrusecky
Donnie Berkholz -  9:59 13.09.11 wrote:
> On 13:11 Tue 13 Sep , Michal Hrusecky wrote:
> > # Copyright 1999-2011 Gentoo Foundation
> > # Distributed under the terms of the GNU General Public License v2
> > # $Header: $
> > 
> > # @ECLASS: obs-download.eclass
> 
> Are there going to be lots of packages using this and not the other 
> eclass? I wonder whether there really need to be two of them.

Two more currently.

> > # @MAINTAINER:
> > # mi...@gentoo.org
> > # @BLURB: Reduces code duplication in the downloading from obs.
> 
> Could you tell us what "obs" is in the blurb too? I had no clue what 
> this email was about (obs, osc, etc are meaningless to me) until I got 
> down to the eclass description.

Fixed

> > # @ECLASS: obs-service.eclass
> > # @MAINTAINER:
> > # mi...@gentoo.org
> > # @BLURB: Reduces code duplication in the obs services.
> > # @DESCRIPTION:
> > # This eclass makes it easier to package obs services. Based on provided
> > # information it will all neede variables and takes care of installation.
> 
> Lots of typos here.

Sorry, fixed.

> > HOMEPAGE="http://en.opensuse.org/openSUSE:OSC"
> > LICENSE="GPL-2"
> > SLOT="0"
> > IUSE=""
> > RDEPEND+="dev-util/osc"
> 
> You probably want a space here.
> 
> RDEPEND+=" dev-util/osc"

Thanks, fixed.

-- 
Michal Hrusecky 




Re: [gentoo-dev] [RFC] obs eclasses

2011-09-13 Thread Michal Hrusecky
Amadeusz Żołnowski - 13:24 13.09.11 wrote:
> Hi,
> 
> 
> Excerpts from Michal Hrusecky's message of 2011-09-13 13:11:28 +0200:
> > Comments and improvements are welcome.
> 
> Just some minor remarks:
> 
> 
> > [[ -z ${OPENSUSE_RELEASE} ]] || OBS_PROJECT="openSUSE:${OPENSUSE_RELEASE}"
> > [[ -n ${OBS_PROJECT} ]]  || die "OBS_PROJECT not set!"
> > [[ -n ${OBS_PACKAGE} ]]  || die "OBS_PACKAGE not set!"
> 
> You don't need -n/-z with [[.

But they don't do any harm either, right ;-)

>   [[ $var ]] == [[ -n $var ]]
>   [[ ! $var ]] == [[ -z $var ]]
> 
> So:
> 
>   [[ ${OPENSUSE_RELEASE} ]] && OBS_PROJECT="openSUSE:${OPENSUSE_RELEASE}"
>   [[ ${OBS_PROJECT} ]] || die "OBS_PROJECT not set!"
>   [[ ${OBS_PACKAGE} ]] || die "OBS_PACKAGE not set!"
> 
> > obs-service_src_install() {
> > debug-print-function ${FUNCNAME} "$@"
> > debug-print "Installing service \"${OBS_SERVICE_NAME}\""
> > exeinto /usr/lib/obs/service
> > doexe ${DISTDIR}/${OBS_SERVICE_NAME}
> > insinto /usr/lib/obs/service
> > doins ${DISTDIR}/${OBS_SERVICE_NAME}.service
> > if [[ -n ${ADDITIONAL_FILES} ]]; then
> > debug-print "Installing following additional files:"
> >     debug-print "${ADDITIONAL_FILES}"
> > exeinto /usr/lib/obs/service/${OBS_SERVICE_NAME}.files
> > for i in ${ADDITIONAL_FILES}; do
> > doexe ${DISTDIR}/$i
> 
> "" just in case.

Fixed.

-- 
Michal Hrusecky 




[gentoo-dev] [RFC] obs eclasses

2011-09-13 Thread Michal Hrusecky
Hi,

Please take a look at the attached eclasses. The purpose is to make installation
of obs services (plugins for osc) easier.

Comments and improvements are welcome.

Regards

-- 
Michal Hrusecky 
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# @ECLASS: obs-download.eclass
# @MAINTAINER:
# mi...@gentoo.org
# @BLURB: Reduces code duplication in the downloading from obs.
# @DESCRIPTION:
# This eclass constructs OBS_URI based on provided project in openSUSE Build
# Service and package name. It can be used later by packages/eclasses to
# download actual files.
#
# All you need to do in order to use it is set OBS_PROJECT and OBS_PACKAGE and
# inherit this eclass. It will provide OBS_URI in return which you will prepend
# to your files and use in SRC_URI. Alternatively you can just set
# OPENSUSE_RELEASE and OBS_PACKAGE and it will give you back OBS_URI for
# downloading files from obs projects corresponding to the specified openSUSE
# release.

# @ECLASS-VARIABLE: OPENSUSE_RELEASE
# @DEFAULT_UNSET
# @DESCRIPTION:
# From which stable openSUSE release to take files.

# @ECLASS-VARIABLE: OBS_PROJECT
# @DEFAULT_UNSET
# @DESCRIPTION:
# In which obs project the package is. This variable doesn't have to be set if
# OPENSUSE_RELEASE is provided.

# @ECLASS-VARIABLE: OPENSUSE_PACKAGE
# @REQUIRED
# @DESCRIPTION:
# Name of the package we want to take files from.

[[ -z ${OPENSUSE_RELEASE} ]] || OBS_PROJECT="openSUSE:${OPENSUSE_RELEASE}"
[[ -n ${OBS_PROJECT} ]]  || die "OBS_PROJECT not set!"
[[ -n ${OBS_PACKAGE} ]]  || die "OBS_PACKAGE not set!"

OBS_URI="https://api.opensuse.org/public/source/${OBS_PROJECT}/${OBS_PACKAGE}"

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

# @ECLASS: obs-service.eclass
# @MAINTAINER:
# mi...@gentoo.org
# @BLURB: Reduces code duplication in the obs services.
# @DESCRIPTION:
# This eclass makes it easier to package obs services. Based on provided
# information it will all neede variables and takes care of installation.
#
# @EXAMPLE:
# Typical ebuild using obs-service.eclass:
#
# @CODE
# EAPI=4
#
# inherit obs-service
#
# KEYWORDS=""
#
# DEPEND=""
# RDEPEND="${DEPEND}"
#
# @CODE

# @ECLASS-VARIABLE: OBS_SERVICE_NAME
# @DESCRIPTION:
# Name of the service. If not set, it is taken from ${PN}.

# @ECLASS-VARIABLE: OPENSUSE_RELEASE
# @DESCRIPTION:
# From which stable openSUSE release to take a package.

# @ECLASS-VARIABLE: ADDITIONAL_FILES
# @DEFAULT_UNSET
# @DESCRIPTION:
# If any additional files are needed.

case "${EAPI:-0}" in
	4) : ;;
	*) die "EAPI=${EAPI} is not supported" ;;
esac

HOMEPAGE="http://en.opensuse.org/openSUSE:OSC"
LICENSE="GPL-2"
SLOT="0"
IUSE=""
RDEPEND+="dev-util/osc"

[[ -n ${OBS_SERVICE_NAME} ]] || OBS_SERVICE_NAME=${PN/obs-service-/}
[[ -n ${OPENSUSE_RELEASE} ]] || OBS_PROJECT="openSUSE:Tools"

DESCRIPTION="Open Build Service client module - ${OBS_SERVICE_NAME} service"
OBS_PACKAGE="obs-service-${OBS_SERVICE_NAME}"

inherit obs-download

SRC_URI="${OBS_URI}/${OBS_SERVICE_NAME}"
SRC_URI+=" ${OBS_URI}/${OBS_SERVICE_NAME}.service"

for i in ${ADDITIONAL_FILES}; do
	SRC_URI+=" ${OBS_URI}/${i}"
done

S="${WORKDIR}"

# @FUNCTION: obs-service_src_configure
# @DESCRIPTION:
# Does nothing. Files are not compressed.
obs-service_src_unpack() {
	debug-print-function ${FUNCNAME} "$@"
}

# @FUNCTION: obs-service_src_install
# @DESCRIPTION:
# Does the installation of the downloaded files.
obs-service_src_install() {
	debug-print-function ${FUNCNAME} "$@"
	debug-print "Installing service \"${OBS_SERVICE_NAME}\""
	exeinto /usr/lib/obs/service
	doexe ${DISTDIR}/${OBS_SERVICE_NAME}
	insinto /usr/lib/obs/service
	doins ${DISTDIR}/${OBS_SERVICE_NAME}.service
	if [[ -n ${ADDITIONAL_FILES} ]]; then
		debug-print "Installing following additional files:"
		debug-print "   ${ADDITIONAL_FILES}"
		exeinto /usr/lib/obs/service/${OBS_SERVICE_NAME}.files
		for i in ${ADDITIONAL_FILES}; do
			doexe ${DISTDIR}/$i
		done
	fi
}

EXPORT_FUNCTIONS src_install src_unpack

