author | Luke Shumaker <lukeshu@lukeshu.com> | 2018-08-03 00:25:24 -0400 |
---|---|---|
committer | Luke Shumaker <lukeshu@lukeshu.com> | 2018-08-04 12:59:20 -0400 |
commit | 646ac0258c3295943778142468aadfe5b04ad6d1 (patch) | |
tree | c4e0695cae1c0e24dd3ea542d2ad7f63ad48a218 /src/chroot-tools/libremakepkg | |
parent | 044b4e16b9bdd2b3c6622af6216888ddf0a16644 (diff) |
libremakepkg,chcleanup: Be stricter about network accessv20180804
Objectives:
- Once the source package has been created, never run makepkg with
networking enabled again, so that we can be 100% sure that the source
package has all of the sources that we need.
- Don't let makepkg edit the PKGBUILD (eg. by evaluating pkgver())
User-facing changes:
- libremakepkg now disables networking during prepare()
- libremakepkg no longer runs pkgver()
- chcleanup (and thus `librechroot clean-pkgs`) now also installs packages
Technical description of changes:
- In devtools (and not really in this commit):
* No longer split /chrootprepare off of /chrootbuild. The point of
splitting it was that we'd have prepare() run from /chrootprepare
and the rest later run from /chrootbuild, so that we could leave
networking enabled during prepare() but not the rest. Now that we're
disabling networking during prepare(), that's pointless.
* Have download_sources create a source package (rather than having
/chrootbuild create the source package at the same time that we create
the binary package). We adjust the caller to temporarily set
SRCPKGDEST to a temporary directory, so that we can get the file and
control the filename when we move it into the real SRCPKGDEST.
- Have chcleanup install the dependencies. If we used the traditional
`makepkg --sync` to install the dependencies, then we'd be breaking the
"no networking for makepkg after source package creation" objective.
chcleanup already has all of the logic necessary to accomplish this.
If there's a discrepancy in chcleanup behavior and makepkg behavior, and
makepkg thinks it needs to install something, then that just means we'll
have to fix the bug in chcleanup, instead of letting it go for more than
a year (*cough* https://labs.parabola.nu/issues/1311 *cough*).
- Use files extracted from the source package (rather than files found in
the current directory) to build the package.
- We mount the temporary directory containing the extracted source package
files read-only, to be sure that makepkg doesn't modify the PKGBUILD.
This is necessary because --holdver only disables pkgver() if it's a VCS
package.
Diffstat (limited to 'src/chroot-tools/libremakepkg')
-rwxr-xr-x | src/chroot-tools/libremakepkg | 60 |
1 files changed, 45 insertions, 15 deletions
diff --git a/src/chroot-tools/libremakepkg b/src/chroot-tools/libremakepkg
index f5f4855..c6faf31 100755
--- a/src/chroot-tools/libremakepkg
+++ b/src/chroot-tools/libremakepkg
@@ -110,24 +110,32 @@ chroot_cleanup() {
 build() (
 local copydir=$1
- local repack=$2
- local makepkg_args=("${@:3}")
+ local srcpkg=$2
+ local repack=$3
+ local makepkg_args=("${@:4}")
+
+ local startdir
+ startdir=$(mktemp -d)
+ chown "$LIBREUSER:" "$startdir"
+ trap "rm -rf -- ${startdir@Q}" EXIT
+ sudo -u "$LIBREUSER" bsdtar -xf "$srcpkg" -C "$startdir" --strip-components 1
 local run_ynet=()
 local run_nnet=()
 if $INCHROOT; then
- run_ynet=(unshare)
- run_nnet=(unshare --net)
+ local _run=(sh -c "mount --bind -o ro -- ${startdir@Q} ${startdir@Q} && cd ${startdir@Q} && \$@" --)
+ run_ynet=(unshare --mount -- "${_run[@]}")
+ run_nnet=(unshare --mount --net -- "${_run[@]}")
 else
+ librechroot_flags+=(-r "$startdir:/startdir")
 run_ynet=(librechroot "${librechroot_flags[@]}" run)
 run_nnet=(librechroot "${librechroot_flags[@]}" -N run)
 fi
 $NONET || run_nnet=("${run_ynet[@]}")
 prepare_chroot "$copydir" "$LIBREHOME" "$repack" false
- "${run_ynet[@]}" /chrootprepare "${makepkg_args[@]}" |& indent
 run_hook pre_build "$copydir"
- trap "run_hook post_build ${copydir@Q}" EXIT
+ trap "run_hook post_build ${copydir@Q}; rm -rf -- ${startdir@Q}" EXIT
 "${run_nnet[@]}" /chrootbuild "${makepkg_args[@]}" |& indent
 )
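Review bot: In the `_run` command string, `\$@` reaches the inner `sh` as an unquoted `$@`, so any element of `makepkg_args` that contains whitespace or glob characters is re-split and globbed before `/chrootbuild` sees it; forward the arguments intact by quoting them inside the script, `local _run=(sh -c "mount --bind -o ro -- ${startdir@Q} ${startdir@Q} && cd ${startdir@Q} && \"\$@\"" --)`. Separately, the "makepkg cannot modify the PKGBUILD" guarantee that the commit message relies on rests on `mount --bind -o ro` honouring `ro` in a single call; to my knowledge older util-linux releases create the bind read-write and only print a warning in that case, so an explicit `mount -o remount,bind,ro -- ${startdir@Q}` after the bind (or a check that the mount really is `ro` before `/chrootbuild` runs) would make the protection independent of the util-linux version rather than an assumption. The `librechroot -r "$startdir:/startdir"` path has the same dependency, since it presumably performs the same kind of bind. `build()` is complete within this hunk.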
@@ -166,10 +174,10 @@ usage() {
 flag "-w <$(_ 'PATH[:PATH]')>" 'Bind mount a file or directory, read/write'
 flag "-r <$(_ 'PATH[:PATH]')>" 'Bind mount a file or directory, read-only'
 print ' %s options:' libremakepkg
- flag '-N' "Don't disable networking during build() and
- package(). PLEASE don't use this unless you
- have a special reason, its use is a violation
- of Parabola policy."
+ flag '-N' "Don't disable networking during prepare(),
+ build(), and package(). PLEASE don't use this
+ unless you have a special reason, its use is a
+ violation of Parabola policy."
 flag '-R' 'Repackage contents of the package without rebuilding'
 flag '-h' 'Show this message'
 }
@@ -248,7 +256,7 @@ main() {
 fi
 # Make sure that the various *DEST directories exist
- mkdir -p -- "$PKGDEST" "$SRCDEST" "$SRCPKGDEST" "$LOGDEST"
+ sudo -u "$LIBREUSER" mkdir -p -- "$PKGDEST" "$SRCDEST" "$SRCPKGDEST" "$LOGDEST"
 # OK, we are starting now ##############################################
@@ -257,8 +265,6 @@ main() {
 "Waiting for existing lock on build directory to be released"
 else
 librechroot_flags+=(
- -w "$PWD:/startdir"
- -w "$SRCDEST:/srcdest"
 -n "$CHROOT"
 -l "$copy"
 )
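Review bot: The result of `sudo -u "$LIBREUSER" mkdir -p -- "$PKGDEST" "$SRCDEST" "$SRCPKGDEST" "$LOGDEST"` in the second hunk is not checked; now that the directories are created as the unprivileged user, a `*DEST` path whose parent that user cannot write to makes `mkdir` fail, and unless `set -e` is active somewhere outside this view the run continues and only breaks later, when the source package is moved into the missing `$SRCPKGDEST`. Since this change deliberately drops root for the creation, failing here with a clear message is the safer default: `sudo -u "$LIBREUSER" mkdir -p -- "$PKGDEST" "$SRCDEST" "$SRCPKGDEST" "$LOGDEST" || return $EXIT_FAILURE`, matching the `return $EXIT_FAILURE` style main() uses elsewhere. main() starts and ends outside the hunk.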
@@ -279,13 +285,37 @@ main() {
 # Pre-build
 msg 'Starting pre-build activities...'
 run_hook check_pkgbuild
+
 msg 'Downloading sources...'
- download_sources "$copydir" "$LIBREUSER" |& indent
+ local srcpkgdest srcpkg
+ srcpkgdest="$(mktemp -d)"
+ chown "$LIBREUSER:" "$srcpkgdest"
+ trap "rm -rf -- ${srcpkgdest@Q}" EXIT
+ SRCPKGDEST="$srcpkgdest" download_sources "$copydir" "$LIBREUSER" |& indent
+ srcpkg=("$srcpkgdest"/*)
+ if (( ${#srcpkg[@]} != 1 )); then
+ error 'Something went funny with makepkg --allsource'
+ return $EXIT_FAILURE
+ fi
+ # We want to inject "-$pkgarch" in to srcpkg's filename, right before $SRCEXT
+ local srcext pkgarch srcpkg_filename
+ srcext="$(MAKEPKG_CONF=$copydir/etc/makepkg.conf get_var makepkg SRCEXT)"
+ if [[ "$(bsdtar xfO "$srcpkg" --include='*/.SRCINFO' | grep $'\tarch =')" = $'\tarch = any' ]]; then
+ pkgarch=any
+ else
+ pkgarch=$CARCH
+ fi
+ srcpkg_filename=${srcpkg##*/}
+ srcpkg_filename=${srcpkg_filename%"${srcext}"}-${pkgarch}${srcext}
+ mv -T -- "$srcpkg" "$SRCPKGDEST/${srcpkg_filename}"
+ srcpkg="$SRCPKGDEST/${srcpkg_filename}"
+ rmdir -- "${srcpkgdest}"
+ trap EXIT
 # Build
 msg 'Starting to build the package...'
 trap "exit_copy '$copydir' '$LIBREUSER'" EXIT
- build "$copydir" "$repack" "${makepkg_args[@]}"
+ build "$copydir" "$srcpkg" "$repack" "${makepkg_args[@]}"
 # Post-build
 msg 'Starting post-build activities...'
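Review bot: The `srcpkg=("$srcpkgdest"/*)` guard only catches the "more than one file" case: when `download_sources` produces no source package at all, the unmatched glob is left as the literal string `$srcpkgdest/*` (unless `nullglob` is enabled somewhere outside this view), the array still has exactly one element, and the `error 'Something went funny with makepkg --allsource'` branch is skipped, so the failure surfaces later as a confusing `bsdtar`/`mv` error instead. Tighten the check to `if (( ${#srcpkg[@]} != 1 )) || [[ ! -f ${srcpkg[0]} ]]; then`. The `.SRCINFO` test also quietly falls back to `$CARCH` whenever `grep` returns zero or several `arch =` lines (for example a split package whose sub-packages override `arch`); if that fallback is intended, a comment such as `# a .SRCINFO with no or multiple 'arch =' lines is treated as $CARCH` on the `if [[ ... ]]` line would keep the next maintainer from reading it as a bug. main() starts and ends outside the hunk.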