path: root/makechrootpkg.in
Age | Commit message | Author
2020-04-08 | makechrootpkg & mkarchroot: init and populate keyrings | Erich Eckner
We had trouble in the past with not properly initialized keyrings. This change aims at fixing this.
2020-04-08 | makechrootpkg: bend to allow running solely namcap via "*-build -- -- --verifysource" | Erich Eckner
2020-04-08 | allow PKGEXT to be set from the environment | Erich Eckner
2020-02-27 | makechrootpkg: use the chroot database to find checkpkg packages | Eli Schwartz
We don't want to check against the current version known to the host system, because that will be incorrect in a wide variety of situations, including:
- the build host hasn't done a full system upgrade yet
- we're building against staging, and want to see the delta between different staging versions
- we're building against extra, but the host runs testing which carries changes we don't want to visualize right now
- the chroot has a configured database not available to the host, and the package is only available there

Essentially, it's rarely 100% correct to run checkpkg on the host, but we already have a database we *know* is correct, and that is the one we just built the package against. So let's use that.

This also fixes a bug in the current logic, where in order to try downloading fresh databases, we work in a non-cached temporary working database to download the package files, but then let checkpkg default to comparing packages in the system database. Since we are explicitly trying to compare against packages that differ from the host's pacman database, we need to pass the package files as options to checkpkg, using the additional modes added in commit c14338c0fe71a74f5e56b4f3af7c548fe0928e15

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-12-05 | makechrootpkg: sync databases for checkpkg off-site | Levente Polyak
Use pacman's --dbpath feature to sync fresh databases inside an isolated location and split up the database sync and package location calls to remove the need of weird grep calls.

It isn't nice of makechrootpkg to modify the host database state just by building packages. No foreign program shall automatically modify the host database other than by the explicit will of a system maintainer, which is the major reason this change gets incorporated.

However, there is a certain indoctrinated belief that using -Sy is the prime evil. In fact it has been declared as a social rule to a technical problem of not getting into potential partial upgrade states. This is not a proper loophole-less solution as there are multiple ways and use cases that lead to such a state, like aborting a -Syu on the prompt for whatever reason, what really matters is that it is not a technically bulletproof solution to solve the problem.

Databases shall have the freedom to be as up to date as databases or their owner wishes, allowing querying on latest database state without fear. The only loophole-less contract that _really_ is of importance is always using -Su instead of plain -S to install packages. Installing packages is what actually brings one into a potential partial upgrade state and by using -Su an outstanding upgrade is forced when installing a new package. This properly solves all edge cases in a technical manner instead of declaring people who abort the prompt of -Syu to be the problem.

In fact, using this simple contract allows whatever system maintenance workflow a host owner wants to follow, which may still be to always use -Syu and deal with system upgrades explicitly instead of the time when installing new packages, but the -Su contract is the real safeguard to guarantee no edge case can ever slip in.

This magically also opens up the freedom to people who wish to use -Sy to simply query on up to date data as the currently indoctrinated "never do -Sy" stone plates not only are not rock solid in technical terms but also make certain use cases simply impossible and hence cripple the functionality without at the very least being fully loophole free.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-11-30 | makechrootpkg: double quote array expansions for checkpkg locations | Levente Polyak
Avoid re-splitting remotepkg elements used for checkpkg conditions.
2019-11-30 | makechrootpkg: sync database for checkpkg to avoid nonexistent targets | Levente Polyak
For build servers or similar infrastructure it's relatively common to not sync/update the database regularly. This leads to problems properly running checkpkg due to nonexistent target files that we try to download. As building on build servers is a very common use case, let's ensure we sync the local database before trying to resolve the package locations.
2019-11-30 | makechrootpkg: check local pkg versions before downloading for checkpkg | Levente Polyak
Avoid always trying to download and output the according message. Add checks for packages either not being available in the repo or all variants have up to date versions stored in the local cache.
2019-11-07 | use libmakepkg to find and use variables in makepkg.conf | Eli Schwartz
- drop homebrew function in makechrootpkg
- use better mock to find invoking user's $HOME
- make offload-build respect makepkg.conf to determine where to sync files, matching the behavior of makechrootpkg

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-09-28 | checkpkg: add option to print a warning in case of differences | Levente Polyak
Sometimes it's desired to be explicitly made aware of differences reported by checkpkg via printing a warning instead of a regular message. Automatically use --warn for makechrootpkg builds so packagers are made visibly aware of a soname bump by simply looking out for colors indicating non success messages.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-09-28 | checkpkg: add option to avoid keeping the tmp dir | Levente Polyak
In some cases, like default makechrootpkg execution, the temporary directory used to assemble the differences is not required. Add an option to checkpkg that allows to get rid of that directory after run and call it automatically like that in makechrootpkg.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-09-28 | makechrootpkg: run checkpkg automatically after build | Levente Polyak
Cache previous versions required for checkpkg via pacman to avoid multiple downloads when running multiple times. In case we can't download the packages, like while building out of repo packages, print a warning instead of running checkpkg

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-09-12 | Revert "makechrootpkg: with -n, check if the package failed to install" | Eli Schwartz
This reverts commit be44b9cde15f3228839253c0c0d7d56c124c4e26.

This was a nice idea in theory, because it means that we can catch conflicting files before releasing them into the repos. In practice, there were unanticipated side effects: single-package installs which conflict against their own makedepends cannot be installed either. Examples include:
- kernel modules which makedepend on their dkms equivalent
- jack2, which makedepends/optdepends on portaudio, which requires jack... but jack2 is a drop-in provides/conflicts jack.

We cannot reliably detect when makepkg --install will error out because of dependency conflicts vs. packages which are simply broken. So, back out this change for now.

Revisit this once pacutils has a new release, because it will add the option --resolve-conflicts=all, allowing for much better scripted responses to "foo conflicts with bar, remove bar? [y/N]" than simply "--noconfirm and fail".

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: with -n, check if the package failed to install | Eli Schwartz
We previously whitelisted this return code because split packages can frequently conflict each other, so makepkg -i is *expected* to fail in such a case. However, there is no good reason to let this succeed if the pkgbase only builds one pkgname -- that will always be a severe issue. Add a check for how many split

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: make the -U option work for the first time ever | Eli Schwartz
The -U option was initially introduced in commit cda9cf436b2897b063c1e40efb144404aad8b821 in order to enable running makechrootpkg as root, delegating to another, manually selected, user to perform various non-root tasks (given that makepkg was modified to throw fatal errors when run as root without the option of --asroot to disable that).

However, it was only ever implemented for the --verifysource option outside of the chroot, and the builduser inside the chroot is created with the same uid as the makechrootpkg invoker. It needs to run as the same uid, because it needs rw access to $startdir and $SRCDEST! Additionally this lets the invoking user more easily inspect the build directory in case of problems...

The correct solution for this is to properly implement the initial intention of the -U option, and make it override the autodetection of the "invoking user" which is normally done by inspecting $SUDO_USER. This is then used as the single source of truth for "who am I pretending to be".

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: also downgrade packages when updating chroots | Eli Schwartz
Packages should never be getting downgraded... unless a package is pulled from testing, e.g. for example if gcc9 totally breaks the linux kernel. In such cases, the master repo says there is a downgrade, so we'd better go with that.

Basically, ensure that packages match the repo they are being built against. Consistency at all costs!

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: when installing with -I, ensure package is installed | Eli Schwartz
noconfirm is wrong here, as we don't want to accept the default answer -- we want to install the new package, even if it conflicts and provides an existing one. After all, we explicitly asked for it.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: accept arguments useful to verifysource | Eli Schwartz
And pass them on to download_sources outside the chroot.

Fixes FS#35652

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: fix breakage in makepkg option parsing | Eli Schwartz
In commit bd826752c9dc8f01917ee831302b6220ad09603a, support for short options was added to the heuristic for --noextract, but in the process, we changed to loop over the set of user options plus the builtin defaults for inside the chroot.

This was wrong, as we only care about the user options -- moreover, it prevents us from adding verifysource support *outside* the chroot, for options that are also chroot options, like --holdver.

Also remove uselessly duplicated line.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | Escape paths with ":" that are passed to systemd-nspawn --bind | Eli Schwartz
When parsing paths to automatically make available to the container, the ":" is used internally by systemd-nspawn to signify destinations in the container. Replace automatically with "\:" for the mounts that we set up, in order to safely handle a working directory etc. that contains this character.

For bind options exposed to the user, it is assumed the user takes care of passing systemd-nspawn compatible paths themselves.

Fixes FS#60845

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: check truthiness using shell arithmetic | Eli Schwartz
Using the literal strings "true" and "false" is inaccurate and may result in uncertainty of whether it is set when doing string comparison, or simply rely on the shell implementation of treating the string as a command builtin, then executing the value as a shell command.

Emulate makepkg, which makes heavy use of shell arithmetic for this purpose.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | Revert "makechrootpkg: Have functions be more function-y." | Eli Schwartz
This reverts (the bulk of) commit 2fd5931a8c67289a8a4acd327b3ce99a5d64c8c7.

Reducing globals makes little sense in a oneshot bash script, but reduces code clarity and in fact resulted in bugs because even the commit author couldn't keep track of the script state.

An exit was changed to a return, even though that made no sense outside of a function, and has been duly returned to being an exit. This was never tested and later papered over by wrapping the entire script in a main() function and then calling the function for hysterical raisins.

The functiony nature of sync_chroot/delete_chroot is preserved, as those functions demonstrate meaningfully standalone functionality -- who knows? we may want to reuse this. Everything else is tightly bound to the internal logic of makechrootpkg.

Completely separate functionality that was silently implemented in the original commit is also preserved:
- declare a couple of variables as locals
- move the abort-on-no-PKGBUILD outside the install_packages function

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | Revert "makechrootpkg: Avoid having code floating around outside of a function." | Eli Schwartz
This reverts commit 49088b0860276c664933c2b3e36a2fef714b7a07.

The fundamental intention was flawed and broken, it caused annoying issues and regressions, and the self-avowed sole purpose of the change was so that a downstream project could *post-modify the script and source it as a library*.

That is not okay. You don't wrap non-factorable code in a function called main() and call it a library. The only possible use for this is to treat makechrootpkg *internals* as a library, which is not supported.

Downstream projects that wish to use the functionality of makechrootpkg should treat makepkg as a command with a public API in the form of command line options. That is kind of how commands of all kinds work, since forever. That is how all users of makechrootpkg *except for parabola* use it.

Arguments that "it saves us the cost of fork+exec to bash" are simply invalid.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-08-09 | makechrootpkg: load makepkg.conf variables correctly | Eli Schwartz
Since makepkg.conf is a bash-compatible configuration file, it must be sourced.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2019-06-12 | Revert "makechrootpkg: sync_chroot: Make more general." | Eli Schwartz via arch-projects
This reverts commit 6d1992909cc46e293027ff488ae2632047603e66.

It has never worked. In commit c86823a2d4a4152c71faa1c3bab227756232996f it was noted that it compared the device numbers for [[ $1 = $1 ]] which was a useless check and always returned true, for *any* btrfs filesystem.

Now that the function is corrected to compare [[ $1 = $2 ]] the check is still useless, but this time because it always returns false -- btrfs subvolumes on the same filesystem do *not* share device numbers.

So let's go back to the original working implementation that only matters in terms of makechrootpkg, and just checks if makechrootpkg's root working directory is btrfs (in which case we know it will be a subvolume because mkarchroot will create it that way). This restores our special support for the btrfs filesystem.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2019-03-25 | makechrootpkg: keep *DEST, MAKEFLAGS & PACKAGER | Matt Robinson
If makechrootpkg is called as non-root, the {SRC,SRCPKG,PKG,LOG}DEST, MAKEFLAGS and PACKAGER environment variables are lost in the call to check_root(). Add these to the passed keepenv list so that they are preserved instead.
2019-01-22 | remove empty tree if "--verifysource" failed | Erich Eckner
makechrootpkg's download_sources() leaves a stray directory if "makepkg --verifysource" failed. We use "setup_workdir" instead of "mktemp -d", because this ensures the correct garbage collection.

Signed-off-by: Erich Eckner <git@eckner.net>
2018-05-31 | makechrootpkg: whitelist return code 14 from makepkg | Eli Schwartz via arch-projects
makepkg 5.1 implements error codes, and 14 means that installing the packages after they were built has failed. We don't care about this error and would like makechrootpkg to succeed regardless, e.g. for split packages that are mutually exclusive.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-05-16 | Do not assume the makechrootpkg user's groupname is the same as the username [20180528] | Eli Schwartz
chown supports "$user:$group" but also "$user:" which infers $group rather than leaving it as root. This looks up the group name in cases where the default group is e.g. "users" and users do not get their own unique groups.
2018-05-13 | makechrootpkg: Do not copy the user keyring into the chroot. | Eli Schwartz
Since commit 75fdff1811a0487f82c75b2e260da905102b4eea we no longer run integrity checks inside the chroot anyway, so this is no longer needed and will never be used.
2018-05-12 | makechrootpkg: add /etc/shadow entry for builduser | Evangelos Foutras
Without it, sudo 1.8.23 will return an error:

  sudo: PAM account management error: Authentication service cannot retrieve authentication info
2018-03-24 | makechrootpkg: fix verifysource with pacman-git | Eli Schwartz
In pacman-git commit d8717a6a9666ec80c8645d190d6f9c7ab73084ac makepkg started checking that the setuid/setgid bit could be removed on the $BUILDDIR in order to prevent this propagating to the packages themselves.

Unfortunately, this requires the temporary builddir used during the --verifysource stage of makepkg, to be owned by $makepkg_user which was not the case as it is created as root using mktemp (and given world rwx in addition to the restricted deletion bit.) Obviously makepkg cannot chmod a directory that it does not own.

Fix this by making $makepkg_user the owner of that directory, as should have been the case all along. (Giving world rwx is illogical on general principle. The fact that this is a workaround for makepkg demanding these directories be writable even when they are not going to be used for the makepkg options in question, is not justification for being careless.)

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-03-24 | makechrootpkg: respect GNUPGHOME | Emiel Wiedijk
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user uses a custom GPG home directory, the signature checking would fail. Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.

Signed-off-by: Emiel Wiedijk <me@aimileus.nl>
2018-01-21 | makechrootpkg: make sure that makepkg.conf is always parsed as text | Bartłomiej Piotrowski
2018-01-21 | makechrootpkg: Adjust to work properly with `set -e` | Luke Shumaker
This worked properly until eab5aba.
2018-01-21 | makechrootpkg: Fix anti-pattern when checking for enabled features | Eli Schwartz
Don't use error-prone logic e.g. foo=true; if $foo ...

This completely fails to act as expected when the variable is unset because of unrelated bugs. While this merely causes the default behavior to be "false" rather than "true" in such cases, it is better to fail to enable explicitly requested behavior (which will be noticed by the user) than to simply upgrade to this behavior for free (which may not seem to have any obvious cause).

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2018-01-21 | makechrootpkg: Fix unconditionally running namcap | Eli Schwartz
Fixes regression in 2fd5931a8c67289a8a4acd327b3ce99a5d64c8c7

$run_namcap will always be set to ""

`if $not_a_var; then ...; fi` is always truthful when $not_a_var is unset or equal to "" and the `then` clause will always be run.

I'm not sure why global state variables need to be cloned locally for their sole explicit purpose. But for now this patch implements the minimum necessary work to properly pass the "do I want namcap" variable into prepare_chroot() according to the current logic flow.

Note that I have still not thoroughly tested makechrootpkg.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
2017-12-27 | Revert "makechrootpkg: Reopen console to assign the CTTY" | Evangelos Foutras
This reverts commit ddd508efc083fc9beb6f2c96e2537521b31c1e6f. The underlying bug (FS#56529) was fixed in glibc 2.26-9.
2017-11-22 | Support reproducible builds | Eli Schwartz
Recent development versions of makepkg support reproducible builds through the environment variable SOURCE_DATE_EPOCH. Pass this variable through makechrootpkg to makepkg when available.

Also initialize SOURCE_DATE_EPOCH whenever running archbuild to enforce reproducible builds for repository packages.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
2017-10-30 | makechrootpkg: Fix function usage comments | Luke Shumaker
A couple of the comments noting which globals are used by functions are outdated/wrong.
- download_sources() : Remove USER from the list. It was always wrong. Originally, it should have been SUDO_USER (not USER), but I should have removed it entirely in 4f23609.
- move_products() : Add SRCPKGDEST to the list. Though the commit adding the comment was only recently upstreamed (as 2fd5931), it originated in 2013 in a commit that has since been rebased many times. Anyway, in this rebasing, it missed move_products() starting to pay attention to SRCPKGDEST in fd1be1b (since nothing made git think there was a "conflict").
2017-10-30 | makechrootpkg: move init_variables() to be part of main() | Luke Shumaker
The reason it wasn't moved before was just to keep the diffs (with --ignore-all-space) smaller, to make merging and rebasing work easier. Moving code around in a file tends to make that difficult. But, readability wise, it belongs in main().
2017-09-14 | makechrootpkg: Reopen console to assign the CTTY | Jan Alexander Steffens (heftig)
nspawn does not give us a controlling terminal, hence we ignore interrupts. Apparently this was lost in systemd at some point. Hack around this by reopening the console to make it the controlling terminal.
2017-09-14 | makechrootpkg: Prevent collecting coredumps | Jan Alexander Steffens (heftig)
Coredumps from build chroots are not generally useful. Prevent them from being generated. Avoids a lot of annoyance from the GCC testsuite spawning lots of systemd-coredump processes. Just set the soft limit so the user can still raise it in the PKGBUILD if they insist.
2017-08-24 | makechrootpkg: Also look for -e as --noextract | Jan Alexander Steffens (heftig)
2017-08-24 | makechrootpkg: Prevent removing build dir when --noextract specified | Martchus
2017-07-13 | makechrootpkg: Skip integrity checks inside the chroot | Jan Alexander Steffens (heftig)
We've already done these during download_sources().
2017-07-13 | makechrootpkg: Use long args for makepkg | Jan Alexander Steffens (heftig)
Slightly more verbose, but also more understandable.
2017-07-13 | makechrootpkg: Move makepkg-as-root check to main() | Jan Alexander Steffens (heftig)
download_sources(), while the first invocation of makepkg, is a rather odd place for this kind of guard.
2017-07-05 | makechrootpkg: Fix broken symlinks because of chroot SRCPKGDEST /srcpkgdest | Luke Shumaker
Commit 58968cf fixed symlinks for package products in $startdir in light of the simplified chroot setup. However, a similar change needs to be made for source-package products. This was an easy omission to make because makechrootpkg does not produce source-packages by default.
2017-07-05 | Add `# shellcheck` directives to quiet shellcheck, add PKGBUILD.proto | Luke Shumaker
The added PKGBUILD.proto file is so that shellcheck can know what to expect that a PKGBUILD sets.