package: release.debian.org
user: release.debian....@packages.debian.org
usertags: unblock
x-debbugs-cc: pbuilder-ma...@lists.alioth.debian.org
We pbuilder maintainers would like to fix #841935 for good, so James did some great work and testing to fix it. I also confirm that all my tests went well. While on it I'd like to slip in some other very minor changes. See the attached debdiff for the details. TIA.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
diffstat for pbuilder-0.228.5 pbuilder-0.228.5+ debian/NEWS | 4 +--- debian/changelog | 23 +++++++++++++++++++++++ debian/control | 1 + pbuilder-checkparams | 2 +- pbuilder-modules | 38 +++++++++++++++++++++++++++++++++++++- pbuilder.8 | 3 ++- pbuilderrc.5 | 38 ++++++++++++++++++++++---------------- 7 files changed, 87 insertions(+), 22 deletions(-) diff -Nru pbuilder-0.228.5/debian/changelog pbuilder-0.228.5+/debian/changelog --- pbuilder-0.228.5/debian/changelog 2017-03-02 17:16:19.000000000 +0100 +++ pbuilder-0.228.5+/debian/changelog 2017-03-10 14:33:53.000000000 +0100 @@ -1,3 +1,26 @@ +pbuilder (0.228.5+) UNRELEASED; urgency=medium + + [ James Clarke ] + * modules: Use a new /dev/pts instance inside the chroot. + This allows for better isolation as the build process is no longer able + to see the host's PTYs, other than the controlling terminal (if there is + one). By using a new instance, we can also control the permissions of + /dev/pts/ptmx, ensuring that the build process is always able to create + new PTYs, even if the host's has the default 000 mode. + Thanks to Simon McVittie <s...@debian.org> for the thorough investigation. + Closes: #841935 + + [ Mattia Rizzolo ] + * pbuilderrc.5: + + Update the details about the currently available dependency resolvers. + * debian/NEWS: + + Remove changes reverted in successive fixup uploads. + * checkparams: + + Make --extrapackages cumulative. Specifying --extrapackages multiple + times will now add packages to the list. + + -- Mattia Rizzolo <mat...@debian.org> Fri, 10 Mar 2017 14:33:53 +0100 + pbuilder (0.228.5) unstable; urgency=medium [ Thorsten Glaser ] diff -Nru pbuilder-0.228.5/debian/control pbuilder-0.228.5+/debian/control --- pbuilder-0.228.5/debian/control 2017-01-24 00:51:09.000000000 +0100 +++ pbuilder-0.228.5+/debian/control 2017-03-10 14:05:32.000000000 +0100 
@@ -25,6 +25,7 @@ Depends: debootstrap | cdebootstrap, dpkg-dev (>= 1.17.0), + util-linux (>= 2.26.2-4) | initscripts (<< 2.88dsf-59.1), wget, ${misc:Depends}, Recommends: diff -Nru pbuilder-0.228.5/debian/NEWS pbuilder-0.228.5+/debian/NEWS --- pbuilder-0.228.5/debian/NEWS 2017-01-18 12:34:59.000000000 +0100 +++ pbuilder-0.228.5+/debian/NEWS 2017-03-10 14:28:34.000000000 +0100 @@ -10,9 +10,7 @@ in pbuilder, such as bind-mounting /dev/shm from the host, to avoid situations like over-mounting. - Pdebuild now uses dpkg-source directly to generate the dsc to pass to - pbuilder rather than dpkg-buildpackage -S, therefore DEBBUILDOPTS no - longer affect this. It will also no longer generate a source changes file + Pdebuild will no longer generate a source changes file if BUILDRESULT is the parent directory, since the dsc will be overwritten when copying back the build results, possibly invalidating the previous changes file; please use pbuilder's new --source-only-changes option. diff -Nru pbuilder-0.228.5/pbuilder.8 pbuilder-0.228.5+/pbuilder.8 --- pbuilder-0.228.5/pbuilder.8 2017-01-15 18:04:50.000000000 +0100 +++ pbuilder-0.228.5+/pbuilder.8 2017-03-10 14:28:36.000000000 +0100 @@ -638,7 +638,8 @@ and .BR "update" . -The packages should be specified as a space-delimited list. +The packages should be specified as a space-delimited list, or by specifying +\-\-extrapcakges multiple times. .TP .BI "\-\-debemail [" "maintainer-name <email-address>" "]" diff -Nru pbuilder-0.228.5/pbuilder-checkparams pbuilder-0.228.5+/pbuilder-checkparams --- pbuilder-0.228.5/pbuilder-checkparams 2017-01-15 18:04:50.000000000 +0100 +++ pbuilder-0.228.5+/pbuilder-checkparams 2017-03-10 14:28:36.000000000 +0100 
@@ -170,7 +170,7 @@ shift; shift; ;; --extrapackages) - EXTRAPACKAGES="$2"; + EXTRAPACKAGES="${EXTRAPACKAGES:+$EXTRAPACKAGES }$2"; shift; shift; ;; --hookdir) diff -Nru pbuilder-0.228.5/pbuilder-modules pbuilder-0.228.5+/pbuilder-modules --- pbuilder-0.228.5/pbuilder-modules 2017-02-05 16:38:30.000000000 +0100 +++ pbuilder-0.228.5+/pbuilder-modules 2017-03-10 14:05:32.000000000 +0100 @@ -276,6 +276,12 @@ umount_one "$SELINUX" fi if [ "$DEB_BUILD_ARCH_OS" = "linux" ] && [ "$USEDEVPTS" = "yes" ]; then + if mountpoint -q "$BUILDPLACE/dev/console"; then + umount_one "dev/console" + fi + if mountpoint -q "$BUILDPLACE/dev/ptmx"; then + umount_one "dev/ptmx" + fi umount_one "dev/pts" fi if [ "$DEB_BUILD_ARCH_OS" = "kfreebsd" ] || [ "$USEDEVFS" = "yes" ]; then 
@@ -383,8 +389,38 @@ TTYGRP=5 TTYMODE=620 [ -f /etc/default/devpts ] && . /etc/default/devpts - mount -t devpts none "$BUILDPLACE/dev/pts" -onoexec,nosuid,gid=$TTYGRP,mode=$TTYMODE + # Even wheezy has CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, so no need to + # fall back to the old method with just /dev/ptmx. + mount -t devpts devpts "$BUILDPLACE/dev/pts" -o newinstance,noexec,nosuid,gid=$TTYGRP,mode=$TTYMODE,ptmxmode=0666 mounted[${#mounted[@]}]="$BUILDPLACE/dev/pts" + + # If /dev/ptmx is a symlink, it should be /dev/ptmx -> pts/ptmx + # and since ptmxmode is 0666, /dev/pts/ptmx will have mode 0666. + # However, if it is not a symlink, then any PTYs created inside the + # chroot will not be visible. We could delete /dev/ptmx and replace + # it with a symlink, but it's safer just to bind-mount it. + # This is based on the recommendations in + # Documentation/filesystems/devpts.txt + # (linux.git commit 784c4d8b1b1e66f8c45e8b889613f4982f525b2b) + if [ ! -L "$BUILDPLACE/dev/ptmx" ]; then + log.i "redirecting /dev/ptmx to /dev/pts/ptmx" + mount --bind "$BUILDPLACE/dev/pts/ptmx" "$BUILDPLACE/dev/ptmx" + mounted[${#mounted[@]}]="$BUILDPLACE/dev/ptmx" + fi + + # If there is a controlling TTY, it must be available to the chroot. + # The standard practice (at least by lxc and systemd-nspawn) is to + # bind-mount it onto /dev/console. + if CURRENT_TTY="$(tty)"; then + # We need /dev/console to exist to be able to bind-mount onto it. + # Might as well make the proper device node rather than a file. + if [ ! 
-e "$BUILDPLACE/dev/console" ]; then + log.i "creating /dev/console" + mknod -m 600 "$BUILDPLACE/dev/console" c 5 1 + fi + log.i "mounting $CURRENT_TTY over /dev/console" + mount --bind "$CURRENT_TTY" "$BUILDPLACE/dev/console" + fi fi if [ -n "$SELINUX" ]; then log.i "mounting selinux filesystem" diff -Nru pbuilder-0.228.5/pbuilderrc.5 pbuilder-0.228.5+/pbuilderrc.5 --- pbuilder-0.228.5/pbuilderrc.5 2017-02-05 16:38:30.000000000 +0100 +++ pbuilder-0.228.5+/pbuilderrc.5 2017-03-10 14:28:22.000000000 +0100 
@@ -383,25 +383,31 @@ .TP .BI "PBUILDERSATISFYDEPENDSCMD=" "/usr/lib/pbuilder/pbuilder\-satisfydepends" This option is used by various parts of pbuilder to satisfy -(i.e. install) the build-dependencies of a package. There are four -implementations: +(i.e. install) the build-dependencies of a package. +These are the available implementations: -The "experimental" implementation, -"pbuilder\-satisfydepends\-experimental", which might be useful to pull -packages from experimental or from repositories with a low APT Pin -Priority. - -The "aptitude" implementation, which will resolve build-dependencies -and build-conflicts with aptitude which helps dealing with complex -cases but does not support unsigned APT repositories. - -The "gdebi" implementation, which will resolve build-dependencies -using gdebi tool, faster than classic implementation, and does not -require installation of a dummy package like the aptitude +.I pbuilder\-satisfydepends\-apt +the newest implementation, which leverage the ability of apt 1.4 to satisfy +build dependencies and build conflicts from a .dsc; useful since it's pretty +fast and doesn't require the installation of any non-required package in the +chroot, nor of dummy packages. + +.I pbuilder\-satisfydepends\-experimental +might be useful to pull packages from repositories with a low APT Pin Priority +(for example, Debian's experimental or stable-backports). + +.I pbuilder\-satisfydepends\-aptitude +will resolve build-dependencies and build-conflicts with aptitude which helps +dealing with complex cases but does not support unsigned APT repositories. + +.I pbuilder\-satisfydepends\-gdebi +will resolve build-dependencies using gdebi, faster than classic implementation, +and does not require installation of a dummy package like the aptitude implementation. -The "classic" implementation, which was the original implementation -used until 0.172. 
+.I pbuilder\-satisfydepnds\-classic +the "classic" implementation, which was the original implementation used by +default until v0.172. The default is now "aptitude". .TP
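Review bot: the new `util-linux (>= 2.26.2-4) | initscripts (<< 2.88dsf-59.1)` line in the debian/control hunk is not mentioned anywhere in the changelog entry; it appears to be there for the `mountpoint -q` calls the pbuilder-modules umount hunk introduces, so add a changelog line saying so, since a changed dependency is exactly what the release team will look at when reviewing the unblock.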
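Review bot: typo in the pbuilder.8 hunk: `\-\-extrapcakges multiple times` should read `\-\-extrapackages multiple times`; as written the man page refers to an option that does not exist.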
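Review bot: with `EXTRAPACKAGES="${EXTRAPACKAGES:+$EXTRAPACKAGES }$2"` in the pbuilder-checkparams hunk, the option no longer replaces a value already present in EXTRAPACKAGES, so a list set in pbuilderrc is appended to rather than overridden by the command line. If that is intended, say so in pbuilder.8 and pbuilderrc.5 next to the new "multiple times" wording; if not, the variable needs to be reset before option parsing so accumulation only covers the command-line occurrences.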
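Review bot: in the /dev/console block of the pbuilder-modules mount hunk, the bind-mount of `$CURRENT_TTY` is not recorded in the `mounted` array the way the dev/pts and dev/ptmx mounts just above it are, so releasing the host terminal depends entirely on the `mountpoint -q "$BUILDPLACE/dev/console"` check in the umount hunk; add `mounted[${#mounted[@]}]="$BUILDPLACE/dev/console"` after the `mount --bind "$CURRENT_TTY" ...` line so every cleanup path that walks `mounted` also unmounts the terminal. The device node created by `mknod -m 600 "$BUILDPLACE/dev/console" c 5 1` is likewise never removed on teardown; that is harmless but worth a comment.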
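Review bot: typo in the pbuilderrc.5 hunk: `.I pbuilder\-satisfydepnds\-classic` should be `.I pbuilder\-satisfydepends\-classic`. Two grammar nits in the same hunk: "which leverage the ability of apt 1.4" should be "which leverages", and "faster than classic implementation" reads better as "faster than the classic implementation". The unchanged closing sentence `The default is now "aptitude".` now sits directly under a paragraph presenting pbuilder\-satisfydepends\-apt as the newest resolver; confirm aptitude is still the default and, if so, consider saying so explicitly in that entry.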