OpenBSD Journal

g2k14: Christian Weisgerber on Package Building without sudo

Contributed by tbert on from the sandwich makes itself dept.

Christian Weisgerber wrote in with this report from g2k14:

I updated the gettext port, of course. What'd you think I'd do at a hackathon?

The most interesting thing I worked on at g2k14 started out with a question: Why exactly do we run the fake step as root? (Hint: FreeBSD's corresponding stage infrastructure does not.)

Because ports want to install with "install -o root -g bin"? But they only do so because we tell them to. We pass those flags to configure. We just need to stop doing this.

Because some ports want to set a special user/group and chmod to suid/sgid? The vast majority of ports do not and the few that do already require corresponding annotations in the PLIST. Why not just use this metadata for the package, instead of the actual file modes?

Really, most ports could be built just fine without sudo. Those that do not can be annotated, FAKE_AS_ROOT=Yes, and fixed eventually. (You will still need sudo for installing dependencies, though.) All that is required is a little bit of support in our infrastructure.

To this end I came up with patches to bsd.port.mk and pkg_add that accomplish this. Initial testing revealed a number of ports modules that would also require minor tweaking, but as expected it became clear that rather few changes would go a long way to handling most of the ports tree.

At this stage this is merely a proof of concept, showing that the approach is workable. To be revisited once the 5.6 release is out the door.
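The report's point about taking ownership and modes from PLIST annotations rather than from the staged files can be sketched as follows. This is an added illustration, not code from the article, the patches it mentions, or the OpenBSD package tools. The sample paths, the `_frob` user, the function names and the octal-only `@mode` handling are assumptions of this simplified model.

```python
# Simplified model of PLIST @owner/@group/@mode handling; not pkg_create itself.
DEFAULT_OWNER, DEFAULT_GROUP = "root", "bin"  # the "-o root -g bin" defaults

# Constructed packing-list fragment; names and paths are illustrative.
SAMPLE_PLIST = """\
bin/frob
@mode 4555
libexec/frob-helper
@mode
@owner _frob
@group _frob
share/frob/state.db
@owner
@group
share/doc/frob/README
"""

# Constructed modes, as an unprivileged fake step left them in staging.
STAGED_MODES = {"bin/frob": 0o755, "libexec/frob-helper": 0o755,
                "share/frob/state.db": 0o644, "share/doc/frob/README": 0o644}

def resolve(plist, staged_modes):
    """Return [(path, owner, group, mode)] as the package should record them."""
    owner, group, mode = DEFAULT_OWNER, DEFAULT_GROUP, None
    entries = []
    for line in (l.strip() for l in plist.splitlines()):
        if not line:
            continue
        if line.startswith("@"):
            key, _, arg = line.partition(" ")
            if key == "@owner":
                owner = arg.strip() or DEFAULT_OWNER   # bare form resets
            elif key == "@group":
                group = arg.strip() or DEFAULT_GROUP
            elif key == "@mode":
                mode = int(arg, 8) if arg.strip() else None
            continue  # other annotations are ignored in this model
        # File entry: the annotation wins over whatever is on disk.
        eff = mode if mode is not None else staged_modes[line]
        entries.append((line, owner, group, eff))
    return entries

def privileged(entries):
    """Entries with setuid/setgid bits or a non-default owner/group."""
    return [e for e in entries
            if e[3] & 0o6000 or (e[1], e[2]) != (DEFAULT_OWNER, DEFAULT_GROUP)]

if __name__ == "__main__":
    for path, owner, group, mode in resolve(SAMPLE_PLIST, STAGED_MODES):
        print(f"{mode:04o} {owner}:{group} {path}")
```

The `privileged()` list is also the short set of entries worth reviewing in a port, since everything outside it ends up with default ownership and no setuid/setgid bits regardless of who ran the staging step.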



Comments
  1. By Marc Espie (espie) espie@nerim.net on

    We discussed this a bit at g2k14.

    Personally, my major concern is that it will take a bit longer to do ports, as the "fake" stage is good to polish the PLIST, especially for bigger ports, so I'm going to come on the side of keeping the possibility to run fake as root.

    Besides that, yeah, not being root during fake would be good for a lot of reasons... most interesting for me is being able to suspend bulk builds (as sudo does NOT pass ^Z through, so fake stages keep running) without screwing up timings.

    Anyway, things are a bit further. I have several more changes on top of naddy, and I am currently exploring the tree... yep, looks like <500 ports will need special love to work with the changes I currently have. More specific numbers in a few days.
