Debian Bug report logs - #4525
NOT A BUG [was: dpkg-buildpackage assumes file protections and shoots self in foot]

Package: dpkg-dev; Maintainer for dpkg-dev is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg-dev is src:dpkg.

Reported by: krs@caos.aamu.edu (Karl Sackett)

Date: Thu, 19 Sep 1996 18:48:08 UTC

Severity: wishlist

Merged with 18288, 19144

Found in versions 1.4.0, 1.4.0.19, 1.4.0.20

Done: Ben Collins <bcollins@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-devel@lists.debian.org:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to krs@caos.aamu.edu (Karl Sackett):
New bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: krs@caos.aamu.edu (Karl Sackett)
To: submit@bugs.debian.org
Subject: dpkg-buildpackage assumes file protections and shoots self in foot
Date: Thu, 19 Sep 1996 13:30:13 -0500 (CDT)

Package: dpkg-dev
Version: 1.4.0

The umask for my account is set to 077.  Those portions of dpkg-buildpackage
which run as root create files with protection set to 600 and owned by
root.root.  Because of this, the non-root portions of dpkg-buildpackage
cannot access the files debian/files and debian/substvars, generate error
messages saying these files cannot be found, and dpkg-buildpackage dies.

-- 
Karl Sackett                                           krs@caos.aamu.edu
Run silent, run deep


Information forwarded to debian-devel@lists.debian.org:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to heiko@lotte.sax.de (Heiko Schlittermann):
Extra info received and forwarded to list.


Message #10 received at submit@bugs.debian.org:

From: heiko@lotte.sax.de (Heiko Schlittermann)
To: krs@caos.aamu.edu, 4525@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#4525: dpkg-buildpackage assumes file protections and shoots self in foot
Date: Fri, 20 Sep 1996 13:20:29 +0200 (MET DST)

Karl Sackett wrote:
: 
: Package: dpkg-dev
: Version: 1.4.0
: 
: The umask for my account is set to 077.  Those portions of dpkg-buildpackage
: which run as root create files with protection set to 600 and owned by
: root.root.  Because of this, the non-root portions of dpkg-buildpackage
: cannot access the files debian/files and debian/substvars, generate error
: messages saying these files cannot be found, and dpkg-buildpackage dies.

Hmm, should the root portions change the umask before creating any
files?  (I think, it's no good idea.)

My debian/rules contain

        chmod -R u=rwX,go=rX debian
        chown -R root.root debian

BTW, if the files already exist, the mode shouldn't get changed, does
it?  (What happens if you touch debian/files debian/substvars and chmod
'em rw-r--r--?)

    Heiko
--
email : heiko@lotte.sax.de heiko@debian.org heiko@sax.de
pgp   : A1 7D F6 7B 69 73 48 35  E1 DE 21 A7 A8 9A 77 92 
finger: heiko@sax.sax.de         heiko@master.debian.org


Information forwarded to debian-devel@lists.debian.org:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to heiko@lotte.sax.de (Heiko Schlittermann):
Extra info received and forwarded to list.


Information forwarded to debian-devel@lists.debian.org:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to Guy Maor <maor@ece.utexas.edu>:
Extra info received and forwarded to list.


Message #20 received at 4525@bugs.debian.org:

From: Guy Maor <maor@ece.utexas.edu>
To: Heiko Schlittermann <heiko@lotte.sax.de>, 4525@bugs.debian.org
Subject: Re: Bug#4525: dpkg-buildpackage assumes file protections and shoots self in foot
Date: Sat, 21 Sep 1996 00:29:08 -0500 (CDT)

On Fri, 20 Sep 1996, Heiko Schlittermann wrote:

> Hmm, should the root portions change the umask before creating any
> files?  (I think, it's no good idea.)

I also think it's a bad idea of dpkg to change the umask.  His
debian/rules should fix the permissions of files it creates.  This is a
non-bug.


Guy



Acknowledgement sent to Ian Jackson <ian@chiark.greenend.org.uk>:
Extra info received and filed, but not forwarded.


Message #23 received at 4525-quiet@bugs.debian.org:

From: Ian Jackson <ian@chiark.greenend.org.uk>
To: Debian developers list <debian-devel@lists.debian.org>
Cc: 4524-quiet@bugs.debian.org, 4525-quiet@bugs.debian.org, 4554-quiet@bugs.debian.org
Subject: dpkg changes and queries - the answers to your questions
Date: Sun, 22 Sep 96 20:01 BST

I've just read debian-devel, and:

0. Yes, all existing packages should now be converted to the new
source format, and new packages should be in this format too.

1. Yes, dpkg-source doesn't work with hardlinks.  I think that
hardlinks in source packages are evil.  Perhaps they can be made to
work - Heiko's patch seems reasonable (until someone wants a filename
containing the string ` link to ').  However, I'd recommend just
removing the hardlink and replacing it with a symlink (or just
deleting one name).  There is no problem with doing that, and it is
fine wrt our policy about original sources.

2. I don't know what to do about tar doing nasty things to filenames.
If this is a design feature of all tars then dpkg-source should be
changed to unmangle the filename on output from tar.

3. Do NOT use Michael Meskes's patch to quote the argument to
$rootcommand in dpkg-buildpackage.  Instead, RTFM.  Please DO NOT
release a dpkg with Michael Meskes's patch.  Thank you.

4. dpkg-name belongs in the dpkg-dev package.  If anyone is releasing
a new dpkg they should move it.  See debian/rules.

5. I don't understand the problem with WIFSIGNALED, but this is
definitely a bug in the Perl installation and not in dpkg-source.

6. Karl Sackett's fix for an error message typo (Bug 4524) is good.
Heiko, please close the report if you like but definitely mail me the
patch.

7. Ives Arrouye asked about `Source: php' / `Package: php-module'.
This will work but you have to give dpkg-gencontrol the -p option.
There should be no need to have one of the binary packages named the
same as the source.

8. Regarding dpkg-shlibdeps: every shared library package should
provide a `shlibs' file for the libraries it contains.  This is put in
the DEBIAN directory when the package is built, and will end up in
/var/lib/dpkg/info/<pkg>.shlibs when it is installed.  dpkg-shlibdeps
looks there (but earlier versions had a bug).  The
/etc/dpkg/shlibs.local file is only there to sort things out with the
most basic packages before they have shlibs files in the shared
library packages.

Documentation for this is available.

If you find that your package needs a shared library package which
doesn't have the dpkg-shlibdeps support why not convert it now ?  See
the section on other-than-usual-maintainer releases in the policy
manual.

9. On permissions of maintainer scripts - this has affected libpng at
least: dpkg-source honours the extracter's umask, unlike tar.  The
debian/rules file should explicitly set the permissions and not rely
on (say) cp to copy them correctly.

10. Re dpkg-buildpackage and the failure to build due to permissions
(bug 4525).  I'm inclined to say "don't build with a umask of 077
then".  I don't think that all packages' debian/rules should be
responsible for fixing the permissions of the created files.

11. Christian Schwartz posted a Perl script that (I presume) produces
much the same output as
 sed -e 's/ +/ /' | sort +2
does on the Maintainers file in the indices subdirectory of the ftp
site.

12. llucius posts a patch to dpkg-buildpackage to make it pass -v, -m
and -C to dpkg-genchanges.  His patch is not in line with my intent,
and won't work when the arguments have spaces.  The call to
dpkg-genchanges needs to read
 withecho dpkg-genchanges $sourcestyle "$@" >"$chg"
instead of the thing in his patch.  (Bug #4554.)

I hope this is enough to keep you going for another week :-).

Ian.
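
Points 9 and 10 above turn on how the umask and tools such as cp decide the mode of files created during a build. The following added example (not part of the original message or of dpkg; file names are constructed and GNU coreutils/findutils are assumed) shows the modes that result under umask 022 and 077, and how setting the mode explicitly removes the dependency on the builder's umask.

```shell
#!/bin/sh
# Added illustration: constructed file names, not taken from dpkg.
# Requires GNU coreutils/findutils (stat -c, install, find -perm).

# Print the octal permission bits of a file, e.g. 600 or 644.
mode_of() {
    stat -c '%a' "$1"
}

# Each creator runs in a subshell "( ... )" so the umask change stays local.
# Usage: create_by_redirect UMASK DEST
create_by_redirect() (
    umask "$1"
    : > "$2"                 # new file gets 666 & ~umask
    mode_of "$2"
)

# Usage: create_by_cp UMASK SRC DEST
create_by_cp() (
    umask "$1"
    cp "$2" "$3"             # without -p: source mode & ~umask
    mode_of "$3"
)

# Usage: create_by_install UMASK SRC DEST
create_by_install() (
    umask "$1"
    install -m 644 "$2" "$3" # mode set explicitly, umask ignored
    mode_of "$3"
)

# List regular files under DIR that lack group or other read permission,
# i.e. files a different, unprivileged user could not open.
list_unreadable() {
    find "$1" -type f ! -perm -044 | sort
}

demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/debian"
    echo 'constructed sample' > "$dir/src"
    chmod 644 "$dir/src"
    echo "redirect, umask 022: $(create_by_redirect 022 "$dir/debian/ok")"
    echo "redirect, umask 077: $(create_by_redirect 077 "$dir/debian/files")"
    echo "cp,       umask 077: $(create_by_cp 077 "$dir/src" "$dir/debian/substvars")"
    echo "install,  umask 077: $(create_by_install 077 "$dir/src" "$dir/debian/control")"
    echo "not readable by group/other:"
    list_unreadable "$dir/debian"
    rm -rf "$dir"
}

demo
```

When the creating step runs as root, the mode-600 files are additionally owned by root, which is why the non-root steps in the original report could not open them.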


Acknowledgement sent to branderh@iaehv.nl (Erick Branderhorst):
Extra info received and filed, but not forwarded.


Message #26 received at 4525-quiet@bugs.debian.org:

From: branderh@iaehv.nl (Erick Branderhorst)
To: ian@chiark.greenend.org.uk (Ian Jackson)
Cc: debian-devel@lists.debian.org, 4524-quiet@bugs.debian.org, 4525-quiet@bugs.debian.org, 4554-quiet@bugs.debian.org
Subject: Re: dpkg changes and queries - the answers to your questions
Date: Mon, 23 Sep 1996 14:00:10 +0100

> 5. I don't understand the problem with WIFSIGNALED, but this is
> definitely a bug in the Perl installation and not in dpkg-source.

So the WIFSIGNALED thing has to do with perl.  Here is some about the
perl I have installed on my system.

Erick

$ dpkg --status perl
Package: perl
Status: install ok installed
Priority: important
Section: devel
Maintainer: Darren Stalder <torin@daft.com>
Source: perl
Version: 5.003-2
Pre-Depends: libc5, libgdbm1, libdb1
Recommends: libc5-dev
Description: Larry Wall's Practical Extracting and Report Language.
 An interpreted scripting language, known among some as "Unix's
 Swiss Army Chainsaw".
 .
 Perl is optimized for scanning arbitrary text files and system 
 administration. It has built-in extended regular expression matching
 and replacement, a dataflow mechanism to improve security with
 setuid scripts and is extendible via modules that can interface
 to C libraries.

$ ls -l /bin/perl
lrwxrwxrwx   1 root     root           15 Jul  3 11:29 /bin/perl -> ../usr/bin/perl
$ /usr/bin/perl -v

This is perl, version 5.003 with EMBED
	built under linux at Jul  1 1996 10:21:20
	+ suidperl security patch

Copyright 1987-1996, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.

$ /usr/bin/perl -V
Summary of my perl5 (5.0 patchlevel 3 subversion 0) configuration:
  Platform:
    osname=linux, osver=2.0.0, archname=i486-linux
    uname='linux perv 2.0.0 #2 tue jun 11 01:31:01 pdt 1996 i486 '
    hint=recommended, useposix=true, d_sigaction=define
  Compiler:
    cc='cc', optimize='-O2 -fomit-frame-pointer', gccversion=2.7.2
    cppflags='-Dbool=char -DHAS_BOOL -I/usr/include/db -I/usr/local/include'
    ccflags ='-Dbool=char -DHAS_BOOL -I/usr/include/db -I/usr/local/include'
    stdchar='char', d_stdstdio=define, usevfork=false
    voidflags=15, castflags=0, d_casti32=define, d_castneg=define
    intsize=4, alignbytes=4, usemymalloc=n, randbits=31
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lndbm -lgdbm -ldbm -ldb -ldl -ldld -lm -lc
    libc=/lib/libc.so.5.2.18, so=so
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

@INC: /usr/lib/perl5/i486-linux/5.003 /usr/lib/perl5 /usr/local/lib/site_perl/i486-linux /usr/local/lib/site_perl .
$ 




Acknowledgement sent to heiko@lotte.sax.de (Heiko Schlittermann):
Extra info received and filed, but not forwarded.


Message #29 received at 4525-quiet@bugs.debian.org:

From: heiko@lotte.sax.de (Heiko Schlittermann)
To: ian@chiark.greenend.org.uk (Ian Jackson)
Cc: debian-devel@lists.debian.org, 4524-quiet@bugs.debian.org, 4525-quiet@bugs.debian.org, 4554-quiet@bugs.debian.org
Subject: Re: dpkg changes and queries - the answers to your questions
Date: Mon, 23 Sep 1996 21:42:05 +0200 (MET DST)

Ian Jackson wrote:
: 
: 1. Yes, dpkg-source doesn't work with hardlinks.  I think that
: hardlinks in source packages are evil.  Perhaps they can be made to
: work - Heiko's patch seems reasonable (until someone wants a filename
: containing the string ` link to ').  However, I'd recommend just

hmm ... but this seems not too often, at least less often than
the occurrence of real hard links.

: removing the hardlink and replacing it with a symlink (or just
: deleting one name).  There is no problem with doing that, and it is
: fine wrt our policy about original sources.

The dpkg-source -b should scan for hardlinks and convert 'em.


: 2. I don't know what to do about tar doing nasty things to filenames.
: If this is a design feature of all tars then dpkg-source should be
: changed to unmangle the filename on output from tar.

I've done it.  

cpio returns iso conformant file names (e.g. with real umlauts), tar
doesn't -- it converts such umlauts to their octal representation.

A line 

        /\\/ and eval "\$_ = \"$_\"";

does the job on the mangeled (?) names from tar's output.


: 3. Do NOT use Michael Meskes's patch to quote the argument to
: $rootcommand in dpkg-buildpackage.  Instead, RTFM.  Please DO NOT
: release a dpkg with Michael Meskes's patch.  Thank you.

Hmm, I've changed it.  The default root command is now `eval',
the lines are now read as:

        withecho $rootcommand "debian/rules clean"

If I made no mistakes, it worked for me.
(I'm running a patched su (using SUPASS env., similar to PGPPASS).)
(sudo needs absolute path names, super -- I don't know)

: 4. dpkg-name belongs in the dpkg-dev package.  If anyone is releasing
: a new dpkg they should move it.  See debian/rules.

Done.

: 6. Karl Sackett's fix for an error message typo (Bug 4524) is good.
: Heiko, please close the report if you like but definitely mail me the
: patch.

Ok, I'll mail you a diff 1.4.0.1 against 1.4.0, including this
patch too.

: 10. Re dpkg-buildpackage and the failure to build due to permissions
: (bug 4525).  I'm inclined to say "don't build with a umask of 077
: then".  I don't think that all packages' debian/rules should be
: responsible for fixing the permissions of the created files.

The only files created by the debian tools (dpkg-*) are debian/files
and debian/substvars.  I've changed dpkg-* so now 
these files are chowned to getlogin().getgrnam(getlogin()).  I believe,
it's the most appropriate setting. (???)

: 12. llucius posts a patch to dpkg-buildpackage to make it pass -v, -m
: and -C to dpkg-genchanges.  His patch is not in line with my intent,
: and won't work when the arguments have spaces.  The call to
: dpkg-genchanges needs to read
:  withecho dpkg-genchanges $sourcestyle "$@" >"$chg"
: instead of the thing in his patch.  (Bug #4554.)

I'll have a look at it.

: I hope this is enough to keep you going for another week :-).

 :-) not yet.


    Heiko
--
email : heiko@lotte.sax.de heiko@debian.org heiko@sax.de
pgp   : A1 7D F6 7B 69 73 48 35  E1 DE 21 A7 A8 9A 77 92 
finger: heiko@sax.sax.de         heiko@master.debian.org


Information forwarded to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to postmaster@blaakmeer.student.utwente.nl:
Extra info received and forwarded to maintainer. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>.


Message #34 received at 4525-maintonly@bugs.debian.org:

From: postmaster@blaakmeer.student.utwente.nl
To: 4525-maintonly@bugs.debian.org
Subject: Old bugs need to be looked at
Date: Sun, 1 Feb 1998 12:01:09 +0100 (CET)

This is an automated message sent to all bugs older than one year.

This bug is very old. Please take a look at it and see if you can fix it.
If it has already been fixed, please close it.

If you have problems fixing it or if you don't have the time to fix it,
please ask the people on debian-devel@lists.debian.org for help, so that
at least the oldest bugs can be solved before Debian 2.0 is released.

Remco Blaakmeer


Information forwarded to debian-bugs-dist@lists.debian.org, Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>:
Bug#4525; Package dpkg-dev.


Acknowledgement sent to Adam Di Carlo <apharris@burrito.onshore.com>:
Extra info received and forwarded to list. Copy sent to Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>.


Message #39 received at 4525@bugs.debian.org:

From: Adam Di Carlo <apharris@burrito.onshore.com>
To: control@bugs.debian.org
Cc: 4641@bugs.debian.org, 5807@bugs.debian.org, 4525@bugs.debian.org, 4628@bugs.debian.org, 7714@bugs.debian.org, 10404@bugs.debian.org, 13961@bugs.debian.org
Subject: dpkg-dev bugs that are not bugs -- please close!
Date: 07 Nov 1998 14:03:01 -0500

retitle 4641 NOT A BUG [was: dpkg-source cannot create existing .tmp-nest dir]
retitle 5807 NOT A BUG [was: dpkg-source .tmp-nest bug]
thanks
retitle 4525 NOT A BUG [was: dpkg-buildpackage assumes file protections and shoots self in foot]
retitle 4628 dpkg-source feature request: deal with binary files
severity 4628 wishlist
retitle 7714 CLOSABLE [was: dpkg-source should possibly not use unified diff format]
retitle 10405 NOT A BUG [was: inconsistent docs]
severity 13961 wishlist
thanks

Bugs 4641 and 5807 request that dpkg removes pre-existing .tmp-nest
files, rather than erroring out.  I disagree, and I think the dpkg
developers would agree.  Removing a directory w/o asking would be a
big bug, and a possible security problem.

Bug 4525 is not a bug, so have said Ian and Guy (read the bug log).

Bug 7714 is not a bug, nor would anyone really recommend going from
unified diff format to '-C 2'.

Bug 10405 is not a bug, not a good idea, and a policy issue rather
than a dpkg-dev issue.  It asks for pkgs to be able to have ':' in the
names of them, a thoroughly bad idea.

Bug 13961 is a request for source-dependencies; definitely an
important wishlist, but a wishlist, not a bug.

.....A. P. Harris...apharris@onShore.com...<URL:http://www.onShore.com/>


Merged 4525 18288 19144. Request was from Adam Di Carlo <apharris@burrito.onshore.com> to control@bugs.debian.org.


Changed bug title. Request was from Adam Di Carlo <apharris@burrito.onshore.com> to control@bugs.debian.org.


Severity set to `wishlist'. Request was from Wichert Akkerman <wichert@cs.leidenuniv.nl> to control@bugs.debian.org.


Bug closed, ack sent to submitter - they'd better know why ! Request was from Ben Collins <bcollins@debian.org> to control@bugs.debian.org.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 20 07:29:08 2024; Machine Name: bembo