authorLuke Shumaker <>2018-08-03 00:25:24 -0400
committerLuke Shumaker <>2018-08-04 12:59:20 -0400
commit646ac0258c3295943778142468aadfe5b04ad6d1 (patch)
treec4e0695cae1c0e24dd3ea542d2ad7f63ad48a218 /src
parent044b4e16b9bdd2b3c6622af6216888ddf0a16644 (diff)
libremakepkg,chcleanup: Be stricter about network accessv20180804
Objectives: - Once the source package has been created, never run makepkg with networking enabled again, so that we can be 100% sure that the source package has all of the sources that we need. - Don't let makepkg edit the PKGBUILD (eg. by evaluating pkgver()) User-facing changes: - libremakepkg now disables networking during prepare() - libremakepkg no longer runs pkgver() - chcleanup (and thus `librechroot clean-pkgs`) now also installs packages Technical description of changes: - In devtools (and not really in this commit): * No longer split /chrootprepare off of /chrootbuild. The point of splitting it was that we'd have prepare() run from /chrootprepare and the rest later run from /chrootbuild, so that we could leave networking enabled during prepare() but not the rest. Now that we're disabling networking during prepare(), that's pointless. * Have download_sources create a source package (rather than having /chrootbuild create the source package at the same time that we create the binary package). We adjust the caller to temporarily set SRCPKGDEST to a temporary directory, so that we can get the file and control the filename when we move it in to the real SRCPKGDEST. - Have chcleanup install the dependencies. If we used the traditional `makepkg --sync` to install the dependencies, then we'd be breaking the "no networking for makepkg after source package creation" objective. chcleanup already has all of the logic necessary to accomplish this. If there's a discrepancy in chcleanup behavior and makepkg behavior, and makepkg thinks it needs to install something, then that just means we'll have to fix the bug in chcleanup, instead of letting it go for more than a year (*cough* *cough*). - Use files extracted from the source package (rather than files found in the current directory) to build the package. - We mount the temporary directory containing the extracted source package files read-only, to be sure that makepkg doesn't modify the PKGBUILD. 
This is necessary because --holdver only disables pkgver() if it's a VCS package.
Diffstat (limited to 'src')
3 files changed, 61 insertions, 17 deletions
diff --git a/src/chroot-tools/ b/src/chroot-tools/
index 7826753..317bf10 100644
--- a/src/chroot-tools/
+++ b/src/chroot-tools/
@@ -88,7 +88,6 @@ pacman -b "${TEMPDIR}" \
# Diff installed packages against a clean chroot then remove leftovers
packages=($(comm -23 <(pacman -Qq | sort -u) \
<(sort -u "${pkglist}")))
if [[ ${#packages[@]} = 0 ]]; then
msg2 "No packages to remove"
@@ -101,3 +100,17 @@ else
pacman --noconfirm -R --nosave "${packages[@]}"
+packages=($(comm -13 <(pacman -Qq | sort -u) \
+ <(sort -u "${pkglist}")))
+if [[ ${#packages[@]} = 0 ]]; then
+ msg2 "No packages to add"
+ msg2 "Adding %d packages" ${#packages[@]}
+ if ${DRYRUN}; then
+ echo "${packages[*]}"
+ else
+ pacman --noconfirm -S "${packages[@]}"
+ fi
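Review bot: The new install branch hands names straight from `$pkglist` to pacman without an option terminator, so a dependency name that happens to begin with `-` would be parsed as a pacman option rather than a package; the new line should read `pacman --noconfirm -S -- "${packages[@]}"`. The same is true of the pre-existing `-R --nosave` call shown as context, which is worth fixing in the same place for consistency. The `comm -13` set difference is only correct because both sides go through `sort -u` under the same locale, which the hunk does do; a short comment saying so would keep a future change from reordering one side. The `else` and closing `fi` of the new `if` do not appear in this rendering of the hunk.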
diff --git a/src/chroot-tools/librechroot b/src/chroot-tools/librechroot
index 6db11a8..923b818 100755
--- a/src/chroot-tools/librechroot
+++ b/src/chroot-tools/librechroot
@@ -274,7 +274,8 @@ usage() {
flag 'clean-pkgs' 'Remove all packages from the chroot copy that
are not in base-devel, $CHROOTEXTRAPKG, or named
as a dependency in the file `/startdir/PKGBUILD`
- in the chroot copy'
+ in the chroot copy; and install all packages
+ that are.'
print ' Other:'
flag "run $(_ CMD...)" 'Run CMD in the chroot copy'
flag 'enter' 'Enter an interactive shell in the chroot copy'
diff --git a/src/chroot-tools/libremakepkg b/src/chroot-tools/libremakepkg
index f5f4855..c6faf31 100755
--- a/src/chroot-tools/libremakepkg
+++ b/src/chroot-tools/libremakepkg
@@ -110,24 +110,32 @@ chroot_cleanup() {
build() (
local copydir=$1
- local repack=$2
- local makepkg_args=("${@:3}")
+ local srcpkg=$2
+ local repack=$3
+ local makepkg_args=("${@:4}")
+ local startdir
+ startdir=$(mktemp -d)
+ chown "$LIBREUSER:" "$startdir"
+ trap "rm -rf -- ${startdir@Q}" EXIT
+ sudo -u "$LIBREUSER" bsdtar -xf "$srcpkg" -C "$startdir" --strip-components 1
local run_ynet=()
local run_nnet=()
if $INCHROOT; then
- run_ynet=(unshare)
- run_nnet=(unshare --net)
+ local _run=(sh -c "mount --bind -o ro -- ${startdir@Q} ${startdir@Q} && cd ${startdir@Q} && \$@" --)
+ run_ynet=(unshare --mount -- "${_run[@]}")
+ run_nnet=(unshare --mount --net -- "${_run[@]}")
+ librechroot_flags+=(-r "$startdir:/startdir")
run_ynet=(librechroot "${librechroot_flags[@]}" run)
run_nnet=(librechroot "${librechroot_flags[@]}" -N run)
$NONET || run_nnet=("${run_ynet[@]}")
prepare_chroot "$copydir" "$LIBREHOME" "$repack" false
- "${run_ynet[@]}" /chrootprepare "${makepkg_args[@]}" |& indent
run_hook pre_build "$copydir"
- trap "run_hook post_build ${copydir@Q}" EXIT
+ trap "run_hook post_build ${copydir@Q}; rm -rf -- ${startdir@Q}" EXIT
"${run_nnet[@]}" /chrootbuild "${makepkg_args[@]}" |& indent
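Review bot: The read-only guarantee the commit relies on rests on `mount --bind -o ro` in the `_run` string, which only yields a read-only mount where util-linux performs the implicit `remount,bind,ro` for you; on older util-linux the `ro` option is silently ignored and the bind stays writable, so makepkg could still rewrite the PKGBUILD. Doing the remount explicitly works everywhere: `mount --bind -- ${startdir@Q} ${startdir@Q} && mount -o remount,bind,ro -- ${startdir@Q} ${startdir@Q}`. In the same `sh -c` string `\$@` is unquoted, so any element of `makepkg_args` containing whitespace or glob characters is split or expanded before it reaches /chrootbuild; it should be `\"\$@\"`. The non-INCHROOT path presumably gets the equivalent read-only mount through `-r "$startdir:/startdir"`, but that lives in librechroot and is outside this hunk; the blank lines of the original `build()` appear to have been dropped in this rendering.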
@@ -166,10 +174,10 @@ usage() {
flag "-w <$(_ 'PATH[:PATH]')>" 'Bind mount a file or directory, read/write'
flag "-r <$(_ 'PATH[:PATH]')>" 'Bind mount a file or directory, read-only'
print ' %s options:' libremakepkg
- flag '-N' "Don't disable networking during build() and
- package(). PLEASE don't use this unless you
- have a special reason, its use is a violation
- of Parabola policy."
+ flag '-N' "Don't disable networking during prepare(),
+ build(), and package(). PLEASE don't use this
+ unless you have a special reason, its use is a
+ violation of Parabola policy."
flag '-R' 'Repackage contents of the package without rebuilding'
flag '-h' 'Show this message'
@@ -248,7 +256,7 @@ main() {
# Make sure that the various *DEST directories exist
+ sudo -u "$LIBREUSER" mkdir -p -- "$PKGDEST" "$SRCDEST" "$SRCPKGDEST" "$LOGDEST"
# OK, we are starting now ##############################################
@@ -257,8 +265,6 @@ main() {
"Waiting for existing lock on build directory to be released"
- -w "$PWD:/startdir"
- -w "$SRCDEST:/srcdest"
-n "$CHROOT"
-l "$copy"
@@ -279,13 +285,37 @@ main() {
# Pre-build
msg 'Starting pre-build activities...'
run_hook check_pkgbuild
msg 'Downloading sources...'
- download_sources "$copydir" "$LIBREUSER" |& indent
+ local srcpkgdest srcpkg
+ srcpkgdest="$(mktemp -d)"
+ chown "$LIBREUSER:" "$srcpkgdest"
+ trap "rm -rf -- ${srcpkgdest@Q}" EXIT
+ SRCPKGDEST="$srcpkgdest" download_sources "$copydir" "$LIBREUSER" |& indent
+ srcpkg=("$srcpkgdest"/*)
+ if (( ${#srcpkg[@]} != 1 )); then
+ error 'Something went funny with makepkg --allsource'
+ return $EXIT_FAILURE
+ fi
+ # We want to inject "-$pkgarch" in to srcpkg's filename, right before $SRCEXT
+ local srcext pkgarch srcpkg_filename
+ srcext="$(MAKEPKG_CONF=$copydir/etc/makepkg.conf get_var makepkg SRCEXT)"
+ if [[ "$(bsdtar xfO "$srcpkg" --include='*/.SRCINFO' | grep $'\tarch =')" = $'\tarch = any' ]]; then
+ pkgarch=any
+ else
+ pkgarch=$CARCH
+ fi
+ srcpkg_filename=${srcpkg##*/}
+ srcpkg_filename=${srcpkg_filename%"${srcext}"}-${pkgarch}${srcext}
+ mv -T -- "$srcpkg" "$SRCPKGDEST/${srcpkg_filename}"
+ srcpkg="$SRCPKGDEST/${srcpkg_filename}"
+ rmdir -- "${srcpkgdest}"
+ trap EXIT
# Build
msg 'Starting to build the package...'
trap "exit_copy '$copydir' '$LIBREUSER'" EXIT
- build "$copydir" "$repack" "${makepkg_args[@]}"
+ build "$copydir" "$srcpkg" "$repack" "${makepkg_args[@]}"
# Post-build
msg 'Starting post-build activities...'
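Review bot: The `srcpkg=("$srcpkgdest"/*)` guard does not catch the case it is meant for: with nullglob off (bash's default, and nothing in the hunk enables it) an empty `$srcpkgdest` leaves the literal pattern in the array, so `${#srcpkg[@]}` is 1, the error path is skipped, and the failure only surfaces later as a confusing bsdtar error on a file named `*`. Because `download_sources … |& indent` reports indent's status unless pipefail is set (not visible here), this check may be the only thing standing between a failed download and a build that proceeds. Tightening it to `if (( ${#srcpkg[@]} != 1 )) || [[ ! -f ${srcpkg[0]} ]]; then` covers both the empty and the multi-file case. Minor style: `srcpkg` is declared as an array and then read as a scalar (`"$srcpkg"`) from the `.SRCINFO` probe onward; using `${srcpkg[0]}` consistently would make that explicit. `main()` begins before this hunk, and the original's blank lines appear to have been dropped in this rendering.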