From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: Badrikesh Prusty <badrikesh.prusty@siemens.com>,
isar-users@googlegroups.com
Subject: Re: [PATCH] meta: default "Rules-Requires-Root: no", make it configurable
Date: Mon, 8 Sep 2025 07:28:56 +0200 [thread overview]
Message-ID: <e9e7f9af-9f53-437d-b6d7-59c58280ff2a@siemens.com> (raw)
In-Reply-To: <20250907204258.201718-1-badrikesh.prusty@siemens.com>
On 07.09.25 22:42, 'Badrikesh Prusty' via isar-users wrote:
> From: badrikesh prusty <badrikesh.prusty@siemens.com>
>
> Setting "Rules-Requires-Root: no" in the debian/control file avoids
> unnecessarily calling fakeroot in the build environment. Packages which
> require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
> with the desired value.
>
> Debian recommends not using fakeroot to build a package if it is not
> required i.e., if a package's build doesn't require any privileged
> operations such as changing ownership to root, installing/modifying
> files as root.
>
> This also fixes hangs observed during fakeroot calls in
> dpkg-buildpackage. References:
> https://github.com/ilbers/isar/issues/113
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114644
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072521
>
> Signed-off-by: Badrikesh Prusty <badrikesh.prusty@siemens.com>
> ---
> meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl | 1 +
> meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 3 +++
> meta/recipes-bsp/optee-os/files/debian/control.tmpl | 1 +
> meta/recipes-bsp/optee-os/optee-os.inc | 4 +++-
> meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl | 1 +
> .../trusted-firmware-a/trusted-firmware-a-custom.inc | 4 +++-
> meta/recipes-bsp/u-boot/files/debian/control.tmpl | 1 +
> meta/recipes-bsp/u-boot/u-boot-custom.inc | 4 +++-
> meta/recipes-kernel/linux-module/files/debian/control.tmpl | 1 +
> meta/recipes-kernel/linux-module/module.inc | 2 ++
> meta/recipes-kernel/linux/files/debian/control.tmpl | 1 +
> meta/recipes-kernel/linux/linux-custom.inc | 2 ++
> 12 files changed, 22 insertions(+), 3 deletions(-)
You are missing the most important control point:
meta/classes/debianize.bbclass
But not already the changes here justify a RECIPE-API-CHANGELOG.md entry.
BTW, what about meta-isar/recipes-app/snake4/files/debian/control
and meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl?
>
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> index e6af7554..d4374909 100644
> --- a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Maintainer: Unknown maintainer <unknown@example.com>
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
Why making this a variable? optee-client already hard-codes it to no.
Applies to the others as well.
>
> Package: ${PN}
> Architecture: any
> diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> index 738b694a..257c5c4c 100644
> --- a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> +++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
> @@ -23,6 +23,8 @@ DEBIAN_BUILD_DEPENDS ?= " \
> optee-os-tadevkit-${OPTEE_NAME} \
> "
>
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
> +
> TA_CPU ?= "unknown"
> TA_DEV_KIT_DIR ?= "unknown"
> OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
> @@ -30,6 +32,7 @@ OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
> TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
> TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
> DEBIAN_COMPAT \
> + DEBIAN_RULES_REQUIRES_ROOT \
> OPTEE_FTPM_BUILD_ARGS_EXTRA \
> TA_CPU \
> TA_DEV_KIT_DIR"
> diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> index 7bcd6edb..443578bd 100644
> --- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> Maintainer: ISAR project <isar-users@googlegroups.com>
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
>
> Package: ${DEBIAN_PACKAGE_NAME}
> Architecture: ${DISTRO_ARCH}
> diff --git a/meta/recipes-bsp/optee-os/optee-os.inc b/meta/recipes-bsp/optee-os/optee-os.inc
> index eac75ae8..edd21f58 100644
> --- a/meta/recipes-bsp/optee-os/optee-os.inc
> +++ b/meta/recipes-bsp/optee-os/optee-os.inc
> @@ -22,8 +22,10 @@ DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"
>
> DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"
>
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
> +
> TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> -TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
> +TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_PACKAGE_NAME DEBIAN_RULES_REQUIRES_ROOT OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
>
> # split strip platform flavor, if any, from the specified platform string
> OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
> diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
> index cf4607e3..311b44c0 100644
> --- a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> Maintainer: ISAR project <isar-users@googlegroups.com>
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
>
> Package: trusted-firmware-a-${TF_A_NAME}
> Architecture: ${DISTRO_ARCH}
> diff --git a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
> index 9f143b13..4ea7cc6c 100644
> --- a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
> +++ b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
> @@ -20,10 +20,12 @@ TF_A_BINARIES ?= "release/bl31.bin"
>
> DEBIAN_BUILD_DEPENDS ?= ""
>
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
> +
> PROVIDES += "trusted-firmware-a-${TF_A_NAME}"
>
> TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> -TEMPLATE_VARS += "DEBIAN_COMPAT \
> +TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_RULES_REQUIRES_ROOT \
> TF_A_NAME DEBIAN_BUILD_DEPENDS TF_A_PLATFORM TF_A_EXTRA_BUILDARGS"
>
> do_prepare_build() {
> diff --git a/meta/recipes-bsp/u-boot/files/debian/control.tmpl b/meta/recipes-bsp/u-boot/files/debian/control.tmpl
> index 006982c2..6cbdf02c 100644
> --- a/meta/recipes-bsp/u-boot/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/u-boot/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> Maintainer: ISAR project <isar-users@googlegroups.com>
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
>
> Package: u-boot-${MACHINE}
> Architecture: ${DISTRO_ARCH}
> diff --git a/meta/recipes-bsp/u-boot/u-boot-custom.inc b/meta/recipes-bsp/u-boot/u-boot-custom.inc
> index 2d6dd8e0..e3081ce9 100644
> --- a/meta/recipes-bsp/u-boot/u-boot-custom.inc
> +++ b/meta/recipes-bsp/u-boot/u-boot-custom.inc
> @@ -20,12 +20,14 @@ SRC_URI += "file://debian/"
>
> DEBIAN_BUILD_DEPENDS ?= "bc, bison, flex, device-tree-compiler, git"
>
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
> +
> U_BOOT_BIN_INSTALL ?= "${U_BOOT_BIN}"
>
> U_BOOT_EXTRA_BUILDARGS ??= "BL31=${BL31} TEE=${TEE}"
>
> TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
> -TEMPLATE_VARS += "MACHINE DEBIAN_BUILD_DEPENDS U_BOOT_CONFIG U_BOOT_BIN \
> +TEMPLATE_VARS += "MACHINE DEBIAN_BUILD_DEPENDS DEBIAN_RULES_REQUIRES_ROOT U_BOOT_CONFIG U_BOOT_BIN \
> U_BOOT_EXTRA_BUILDARGS DEBIAN_COMPAT"
>
> U_BOOT_TOOLS_PACKAGE ?= "0"
> diff --git a/meta/recipes-kernel/linux-module/files/debian/control.tmpl b/meta/recipes-kernel/linux-module/files/debian/control.tmpl
> index 45fcbc0e..914733d8 100644
> --- a/meta/recipes-kernel/linux-module/files/debian/control.tmpl
> +++ b/meta/recipes-kernel/linux-module/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> Maintainer: ${MAINTAINER}
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
>
> Package: ${PN}
> Architecture: any
> diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
> index d2a41766..b51e8965 100644
> --- a/meta/recipes-kernel/linux-module/module.inc
> +++ b/meta/recipes-kernel/linux-module/module.inc
> @@ -34,6 +34,7 @@ KERNEL_MODULE_SIGNATURES ??= ""
> DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
> DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
> DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
>
> SRC_URI += "file://debian/"
>
> @@ -63,6 +64,7 @@ TEMPLATE_VARS += " \
> KAFLAGS \
> MODULE_DIR \
> DEBIAN_BUILD_DEPENDS \
> + DEBIAN_RULES_REQUIRES_ROOT \
> SIGNATURE_KEYFILE \
> SIGNATURE_CERTFILE \
> SIGNATURE_HASHFN \
> diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
> index a79b86c4..479f8ff0 100644
> --- a/meta/recipes-kernel/linux/files/debian/control.tmpl
> +++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Maintainer: ${MAINTAINER}
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), bc, kmod, cpio, ${KBUILD_DEPENDS}
> Homepage: http://www.kernel.org/
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}
>
> Package: linux-image-${KERNEL_NAME_PROVIDED}
> Build-Profiles: <kernel>
> diff --git a/meta/recipes-kernel/linux/linux-custom.inc b/meta/recipes-kernel/linux/linux-custom.inc
> index 01e9bff7..e073206f 100644
> --- a/meta/recipes-kernel/linux/linux-custom.inc
> +++ b/meta/recipes-kernel/linux/linux-custom.inc
> @@ -17,6 +17,8 @@ DISTRIBUTOR ?= "ISAR"
> # pinned due to known or possible issues with compat 12
> DEBIAN_COMPAT:buster = "10"
>
> +DEBIAN_RULES_REQUIRES_ROOT ?= "no"
> +
> KBUILD_DEPENDS ?= "build-essential:native, \
> libelf-dev:native, \
> libncurses-dev:native, \
Do we have packages in isar where we know that root is indeed needed?
Jan
--
Siemens AG, Foundational Technologies
Linux Expert Center
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/e9e7f9af-9f53-437d-b6d7-59c58280ff2a%40siemens.com.
next prev parent reply other threads:[~2025-09-08 5:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-07 20:42 'Badrikesh Prusty' via isar-users
2025-09-07 20:54 ` 'Badrikesh Prusty' via isar-users
2025-09-08 5:28 ` 'Jan Kiszka' via isar-users [this message]
2025-09-08 8:02 ` 'Felix Moessbauer' via isar-users
2025-09-11 9:43 ` 'Prusty, Badrikesh' via isar-users
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e9e7f9af-9f53-437d-b6d7-59c58280ff2a@siemens.com \
--to=isar-users@googlegroups.com \
--cc=badrikesh.prusty@siemens.com \
--cc=jan.kiszka@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox