g2k14: Christian Weisgerber on Package Building without sudo
Contributed by tbert on Sun Aug 3 05:54:09 2014 (GMT)
from the sandwich makes itself dept.
Christian Weisgerber wrote in with this report from g2k14:
I updated the gettext port, of course. What'd you think I'd do at

The most interesting thing I worked on at g2k14 started out with a
question: Why exactly do we run the fake step as root? (Hint:
FreeBSD's corresponding stage infrastructure does not.)

Because ports want to install with "install -o root -g bin"? But
they only do so because we tell them to. We pass those flags to
configure. We just need to stop doing this.

Because some ports want to set a special user/group and chmod to
suid/sgid? The vast majority of ports do not and the few that do
already require corresponding annotations in the PLIST. Why not
just use this metadata for the package, instead of the actual file

Really, most ports could be built just fine without sudo. Those
that do not can be annotated, FAKE_AS_ROOT=Yes, and fixed eventually.
(You will still need sudo for installing dependencies, though.) All
that is required is a little bit of support in our infrastructure.

To this end I came up with patches to bsd.port.mk and pkg_add that
accomplish this. Initial testing revealed a number of ports modules
that would also require minor tweaking, but as expected it became
clear that rather few changes would go a long way to handling most
of the ports tree.

At this stage this is merely a proof of concept, showing that the
approach is workable. To be revisited once the 5.6 release is out
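
The idea in the report above, taking owner, group and mode from the PLIST annotations instead of from the staged files, sketched as an added Python example (not part of the original post, and not OpenBSD's pkg_create or pkg_add code). It assumes the packing-list keywords `@owner`, `@group`, `@mode` and `@dir`, octal modes only, and root:bin as the default ownership; the sample list, the `_example` user and the function names are constructed for illustration.

```python
# Added illustration; not OpenBSD's pkg_create or pkg_add code.
# Assumption: unannotated entries are recorded as root:bin, the ownership
# the report says ports are currently told to install with.
DEFAULT_OWNER, DEFAULT_GROUP = "root", "bin"

# Constructed packing-list fragment; "_example" and all paths are made up.
SAMPLE_PLIST = """\
bin/tool
@mode 4555
libexec/tool-helper
@mode
@owner _example
@group _example
@mode 750
@dir var/spool/example
@owner
@group
@mode
share/doc/tool/README
"""

def resolve_plist(text):
    """Return [(path, owner, group, mode)] from the annotations alone.
    mode is None when no @mode is in effect (the staged file's mode is
    kept); the staged file's on-disk owner and group are never consulted."""
    owner, group, mode = DEFAULT_OWNER, DEFAULT_GROUP, None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, arg = line.partition(" ")
        arg = arg.strip()
        if keyword == "@owner":
            owner = arg or DEFAULT_OWNER          # bare keyword resets
        elif keyword == "@group":
            group = arg or DEFAULT_GROUP
        elif keyword == "@mode":
            mode = int(arg, 8) if arg else None   # octal form only
        elif keyword == "@dir":
            entries.append((arg.rstrip("/") + "/", owner, group, mode))
        elif not keyword.startswith("@"):         # plain file entry
            entries.append((line, owner, group, mode))
    return entries

def is_special(entry):
    """True for a non-default owner/group or setuid/setgid/sticky bits."""
    _, owner, group, mode = entry
    return owner != DEFAULT_OWNER or group != DEFAULT_GROUP or bool(mode and mode & 0o7000)
```

Because every value comes from the list, the result is the same whether the staging directory was populated by root or by an unprivileged build user.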
Re: g2k14: Christian Weisgerber on Package Building without sudo (mod 8/66)
by Marc Espie (espie) (firstname.lastname@example.org) on Sun Aug 3 20:28:51 2014 (GMT)
We discussed this a bit at g2k14.
Personally, my major concern is that it will take a bit longer to do ports, as the "fake" stage is good to polish the PLIST, especially for bigger ports, so I'm going to come on the side of keeping the possibility to run fake as root.
Besides that, yeah, not being root during fake would be good for a lot of reasons... most interesting for me is being able to suspend bulk builds (as sudo does NOT pass ^Z through, so fake stages keep running) without screwing up timings.
Anyway, things are a bit further. I have several more changes on top of naddy, and I am currently exploring the tree... yep, looks like <500 ports will need special love to work with the changes I currently have. More specific numbers in a few days.