Date: Mon, 7 Jan 2019 18:51:53 +0100
From: Henning Schild
To: Jan Kiszka
Cc: isar-users
Subject: Re: [PATCH 1/7] dpkg-raw: Respect file permissions defined by recipe
Message-ID: <20190107185153.48ff9b83@md1za8fc.ad001.siemens.net>
In-Reply-To: <73e2f06f-9ece-1c7c-739f-b572a109179c@siemens.com>
References: <20190107142049.0c5426a3@md1za8fc.ad001.siemens.net>
 <20190107151959.2627fcd8@md1za8fc.ad001.siemens.net>
 <1552f87b-a193-fca2-6496-e94554b21d6f@siemens.com>
 <30994991-d72e-1a54-6f90-1a89e926e121@siemens.com>
 <20190107172810.10e0178b@md1za8fc.ad001.siemens.net>
 <73e2f06f-9ece-1c7c-739f-b572a109179c@siemens.com>

On Mon, 7 Jan 2019 17:54:26 +0100, Jan Kiszka wrote:

> On 07.01.19 17:28, Henning Schild wrote:
> > On Mon, 7 Jan 2019 15:26:16 +0100, Jan Kiszka wrote:
> > 
> >> On 07.01.19 15:20, Jan Kiszka wrote:
> >>> On 07.01.19 15:19, Henning Schild wrote:
> >>>> On Mon, 7 Jan 2019 14:28:47 +0100, Jan Kiszka wrote:
> >>>> 
> >>>>> On 07.01.19 14:20, Henning Schild wrote:
> >>>>>> On Wed, 2 Jan 2019 12:34:11 +0100, Jan Kiszka wrote:
> >>>>>>> From: Jan Kiszka
> >>>>>>>
> >>>>>>> dh_fixperms overwrites the permissions do_install defined
> >>>>>>> carefully. Skip this step to avoid that.
> >>>>>>>
> >>>>>>> Fixes: f301ccb2b5b1 ("meta/dpkg-raw: build raw packages like
> >>>>>>> all others")
> >>>>>>> CC: Henning Schild
> >>>>>>> Signed-off-by: Jan Kiszka
> >>>>>>> ---
> >>>>>>>   meta/classes/dpkg-raw.bbclass | 4 +++-
> >>>>>>>   1 file changed, 3 insertions(+), 1 deletion(-)
> >>>>>>>
> >>>>>>> diff --git a/meta/classes/dpkg-raw.bbclass
> >>>>>>> b/meta/classes/dpkg-raw.bbclass
> >>>>>>> index 8d11433..10fb1b9 100644
> >>>>>>> --- a/meta/classes/dpkg-raw.bbclass
> >>>>>>> +++ b/meta/classes/dpkg-raw.bbclass
> >>>>>>> @@ -56,9 +56,11 @@ EOF
> >>>>>>>   deb_create_rules() {
> >>>>>>>       cat << EOF > ${S}/debian/rules
> >>>>>>>   #!/usr/bin/make -f
> >>>>>>> +
> >>>>>>> +override_dh_fixperms:
> >>>>>>> +
> >>>>>>>   %:
> >>>>>>>       dh \$@
> >>>>>>> -
> >>>>>>
> >>>>>> I think it is not a good idea to do that in general. While you
> >>>>>> might have found an example where dh_fixperms caused problems,
> >>>>>> there are probably many where it helps. Say people use "cp" to
> >>>>>> fill ${D} or "echo" to fill ${D}/bin/
> >>>>>
> >>>>> I'm open for better suggestions.
> >>>>
> >>>> The suggestion is to do that in the one recipe that you need it
> >>>> for, and not touch the general case.
> >>>
> >>> ...except for causing that regression: Keep in mind that we used
> >>> to respect permissions defined by the user before the switch to
> >>> packaging via Debian!
> > 
> > True, but there is a changelog section that even tells users how to
> > disable certain dhs for their recipes.
> > 
> >> To make my issue more concrete: Consider you want to package
> >> secrets this way. Then it would be rather ugly to even temporarily
> >> have them group or even world readable during packaging and
> >> installation - in case your suggestion should be to adjust the
> >> permissions in a postinst.
> > 
> > Having secrets in your repo and build process would be ugly as well,
> > many spots where they could leak. So I do not think that is a good
> > example.
> > And I am not talking about a postinst, but a rules file that does
> > exactly what yours does. See what example-raw does for dh_usrlocal,
> > if you bring your rules you do not get the defaults.
> > Looking at the man page I see a lot of "removes permission", where
> > documentation seems to be the only exception. Again secret does not
> > seem to be a good example. (except you place it in
> > usr/share/doc ;) )
> > 
> > What exactly is your motivation for the change?
> 
> Allow to ship files that are not world-readable by default. That's a
> pretty common pattern, e.g. to add pre-generated keys, certificates,
> wifi passwords etc.

I think I got that, but I am not sure how they would become world-readable,
neither from the man page nor from the code. Unless you got the location
"wrong". So a full path example with the permissions before and after is
what I was asking for.

Henning

> So I don't think it is a good idea that dpkg-raw now breaks this use
> case, sometimes silently(!), and forces users to overload their rules
> files. I'm not even sure that it makes sense for Debian to add these
> permissions during the fixperms phase, but I didn't dig into the
> details.
> 
> Jan
> 
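Review bot: the empty override_dh_fixperms target in the @@ -56,9 +56,11 @@ hunk switches dh_fixperms off for every recipe that inherits dpkg-raw, not only for the one whose do_install set modes deliberately, so recipes that fill ${D} with cp or echo and relied on the debhelper defaults now ship whatever modes the build host happened to produce. Consider making the skip opt-in (have deb_create_rules emit the override only when a recipe variable asks for it), or keep normalization and carve out only the sensitive paths, since dh_fixperms accepts -X to exclude files matching a pattern, e.g. `override_dh_fixperms:` followed by `dh_fixperms -X<private-path>`; if the skip stays global, the class and the changelog should say that dpkg-raw no longer normalizes permissions. The deleted trailing blank line at the end of the hunk is an unrelated whitespace change that belongs in its own commit.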
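Henning asks above for a full path example with the permissions before and after. The following is an added example (my code, not from the isar project, the patch, or debhelper) that shows the flip and turns it into a build-time check: it constructs a minimal .deb in memory from a staging tree, then scans the payload for world-readable files under paths the recipe declares private. The path names (etc/example-raw/wifi.psk and friends) and the PRIVATE_PREFIXES list are constructed sample data, and fixperms_like() is my reading of the `chmod go=rX,u+rw` step dh_fixperms applies to every non-symlink, not debhelper's own code.

```python
"""Detect the silent permission flip discussed in the thread: a recipe installs
a file 0600, a dh_fixperms-like pass widens it, and the .deb ships it 0644.

Added example, not isar or debhelper code. The .deb is built in memory so the
script runs offline; only the Python standard library is used."""
import io
import stat
import tarfile

# Recipe-level intent: nothing under these prefixes may be world-readable.
# Constructed sample; the path names are assumptions, not from the thread.
PRIVATE_PREFIXES = ("etc/example-raw/",)

SAMPLE_FILES = {
    # path in ${D}                     (content,                   mode set by do_install)
    "etc/example-raw/wifi.psk":        (b"psk=not-a-real-secret\n", 0o600),
    "usr/bin/example-raw":             (b"#!/bin/sh\necho hi\n",    0o755),
    "usr/share/doc/example-raw/README": (b"docs\n",                 0o644),
}


def fixperms_like(mode: int) -> int:
    """Model of the first thing dh_fixperms does to every non-symlink,
    `chmod go=rX,u+rw` (my reading of debhelper, not its code): owner keeps
    its bits plus rw, group/other get r, and x only if anyone had x before."""
    x_bit = 0o011 if mode & 0o111 else 0
    return (mode & 0o700) | 0o600 | 0o044 | x_bit


def _tar_gz(entries) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, (content, mode) in entries:
            ti = tarfile.TarInfo(name)
            ti.size, ti.mode, ti.mtime = len(content), mode, 0
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def _ar_member(name: str, body: bytes) -> bytes:
    # ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n"
    return hdr.encode() + body + (b"\n" if len(body) % 2 else b"")


def build_deb(files: dict) -> bytes:
    """Minimal .deb (ar archive of debian-binary, control.tar.gz, data.tar.gz)
    carrying {path: (content, mode)}. Constructed sample, not dpkg-deb output."""
    control = (b"Package: example-raw\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: nobody\nDescription: constructed sample\n")
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz([("./control", (control, 0o644))]))
            + _ar_member("data.tar.gz", _tar_gz([("./" + p, fm) for p, fm in files.items()])))


def _ar_members(data: bytes) -> dict:
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, out = 8, {}
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        out[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)          # members start on even offsets
    return out


def world_readable_private(deb: bytes, prefixes=PRIVATE_PREFIXES) -> list:
    """Return [(path, mode)] for regular files in the .deb payload that sit
    under a private prefix but carry the other-read bit."""
    members = _ar_members(deb)
    names = ("data.tar.xz", "data.tar.gz", "data.tar.bz2", "data.tar")
    blob = next((members[n] for n in names if n in members), None)
    if blob is None:
        raise ValueError("no data.tar member in .deb")
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            path = m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")
            if m.isfile() and path.startswith(tuple(prefixes)) and m.mode & stat.S_IROTH:
                findings.append((path, m.mode & 0o7777))
    return findings


def demo():
    """Before: modes exactly as do_install set them.
    After: the same tree once a dh_fixperms-like pass ran over it."""
    kept = build_deb(SAMPLE_FILES)
    widened = build_deb({p: (c, fixperms_like(m)) for p, (c, m) in SAMPLE_FILES.items()})
    return world_readable_private(kept), world_readable_private(widened)


if __name__ == "__main__":
    before, after = demo()
    print("permissions kept :", before or "no world-readable private files")
    print("after fixperms   :", after)
```

Run against a real package, world_readable_private(open("pkg.deb", "rb").read(), ("etc/myrecipe/",)) is the kind of assertion a do_deploy step or CI job can fail on, so the regression Jan calls silent becomes loud regardless of which dh helpers a recipe's rules file ends up running.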