Hi We would like to propose a change in default for `dpkg`, which will enable `rootless` by default (changing it from "opt-in" to "opt-out"). This would be a considerable milestone bringing us to into 90-99% territory of removing the need for root (`fakeroot` or otherwise) in the Debian packaging stack.
While my long term goal is the complete removal of `fakeroot` as a
mandatory piece in our packaging stack, it is *not* the goal of this
MBF. For this MBF, the focus is on removing blockers to
switching the default rather than removing use of `fakeroot` in
general. This is also why one the solutions we propose to the "busy
maintainer" is an "opt-out" rather than "fix the root cause".
# The quick summary
* About 10000 packages build successfully with this change.
* About 225 bugs (~2%) would be filed at severity important due to
problems detected with these changes.
* About 650 packages (~6.5%) had an unrelated FTBFS in sid when the
test where done that could hide other failures.
* Four packages could not build on the test infrastructure.
* Two packages were identified to misbuild. These already have bugs
filed (one misbuild without the change due to a bug in packaging;
the other will misbuild with the change).
# The bug template used
Severity: important
User: ni...@thykier.net
Usertags: rrr-no-as-default-issue
Dear maintainer,
During a test rebuild for building packages "Rules-Requires-Root: no" as
the default in `dpkg`, {{ src.name }} failed to rebuild.
Log Summary:
-------------------------------------------------------------------------------
[...]
{{ log_snippet }}
-------------------------------------------------------------------------------
The above is just how the build ends and not necessarily the most
relevant part. If required, the full build log is available here (for
the next 30
days):https://people.debian.org/~nthykier/rrr-no-as-default/logs/{{ build.log_artifact_id }}.gz
You can find common solutions at https://people.debian.org/~nthykier/rrr-no-as-default/docs/solutions.md If this is really a bug in one of the build-depends, please use reassign and affects, so that this is still visible in the BTS web page for this package. If this package is listed in https://people.debian.org/~nthykier/rrr-no-as-default/docs/static-ownership.list, then please just set `Rules-Requires-Root: binary-targets` to the source stanza of `debian/control` as a fix to this bug. If this package is listed in https://people.debian.org/~nthykier/rrr-no-as-default/docs/maybe-misbuilds.list,then the package was deemed at risk for misbuilding (having wrong ownership) but had a FTBFS problem we tested it. Please test whether the package works with `Rules-Requires-Root: no` validating that the resulting deb has the correct ownership for all paths in the deb.
Thanks,
# Affected packages
We have sorted the affected packages into the following groups:
1) Packages with static non-`root:root` ownership. These will
generally need a `Rules-Requires-Root: binary-targets` for now, and
then they are done.
2) Packages that do not have any non-`root:root` ownership. These can
often be converted to `Rules-Requires-Root: no` with a bit of
tweaking (see attached solutions.md). However, in a pinch, you can
just set `Rules-Requires-Root: binary-targets` to get off the list
of blockers and come back to it later.
3) Packages that were deemed at risk of misbuilding in a manual review,
but FTBFS for an unrelated reason when we did the test rebuild.
The "all-affected.dd-list" and "all-affected.list" contains packages
from all groups and defines the list of packages that we will file
bugs against. The "static-ownership.dd-list" (and
"static-ownership.list") only contains the packages with static
non-`root:root` ownership.
The packages in "static-ownership.list" should just be uploaded with `Rules-Requires-Root: binary-targets` added to the source stanza of `debian/control`. For all other packages, it should be possible to convert it to use `Rules-Requires-Root: no` if the maintainer has the capacity to do so. See solutions.md for common issues and how to solve them.Finally, the packages in the "maybe-builds.dd-list" and "maybe-misbuilds.list" are the packages in group 3. We are filing a bug against these packages as a precaution rather than a confirmed problem. See "Findings of manual review" below for details.
# Background, context, and other details
This section is for people that want more details on what we are doing,
why I am pushing for it, the testing method using, etc. You can skip
this if you are already convinced.
## Motivation for the change
Changing the default is a major undertaking and the change should have
long term benefits that should outweigh the short term costs. To that
effect, my motivation for removing `fakeroot` is that the tool is a
fragile liability that costs us unnecessary complexity and resources.
* Assembling debian packages should not require `root` in the first
place. What we need is to assemble some archives with correct
metadata; nothing more. This is possible to do with userspace tools
as a normal user and for over 99% of the archive, `dpkg-deb` can
now this without needing `fakeroot`.
- Reminder: While my argument is for the 100% case, this MBF is
aimed at optimizing for the common case rather than the 1% case.
* Like many other `LD_PRELOAD` hacks, `fakeroot` plays a game of
whack-a-mole to intercept all the library calls relevant for its
task. When it loses the whack-a-mole game, we end up with silent
misbuilds, where installing the deb package potentially becomes
a security issue since "random" paths on the system is now owned
by a non-root user. The wrong file/dir with incorrect ownership
is a freebie "local-user to root" security bug.
A recent example being #1023286 which caused -dbgsym packages to
have a directory owned by a non-root user. The `fakeroot` fix
was then blocked for months due to FTBFS on mipsel (#1024544).
The primary reason why this was such a small issue where:
1) Wide-spread use of `Rules-Requires-Root: no` to limit which
packages could be affected (about 50% of the archive had
migrated away from `fakeroot`).
2) A quick fix to `debhelper` to remove the reliance on
`fakeroot` when assembling `-dbgsym` packages.
* The use of the `fakeroot` tool is not transparent even when
it fails to intercept critical library calls:
- #534879 (chmod race with tcp engine from 2009; unfixed)
- #606064 (segfault in i386 chroot on amd64 host)
- #948522 (`file` with sandbox enabled broke under `fakeroot`)
- #239057 (setgid directories are not correctly emulated)
- #799858 (SELinux labels are not initialized properly)
- #802612 (fakeroot fails in user namespaces)
This a small curated list of some of the open issues we have had
with fakeroot in the Debian bug tracker. These are basically
technical debt plus upkeep to have `fakeroot` match the changing
Linux landscape.
These are my primary arguments for us moving away from `fakeroot` in
general. With this MBF, we would change the default to "no fakeroot"
rather than "with fakeroot".
Note, despite my arguments against `fakeroot`, its maintainers
have my respect and sympathy. The tool has been instrumental
to Debian being where it is today (this is our version of the
Python's GIL problem), and `fakeroot` cannot have been easy
to maintain.
## Cost of the change / Key results
217 packages will FTBFS with the change. 2 will misbuild (bugs already
filed for these) and 10078 will "just work(tm)".
645 packages failed during the build testing for unrelated reasons
(including OOM on the build host).
Note that `debftbfs` (devscripts) identified existing FTBFS bugs for
422 packages in the "to be tested set".
## What happens after the bugs are fixed and the default is changed?
The endgame (from the Motivation part) is migrating all packages away
from `Rules-Requires-Root: binary-targets`. There will be two fronts
to work on:
* Packages with all `root/root` ownerships in their debs that would
need its root cause fixed, so they can build without `fakeroot`
(this is usually removing unnecessary chown'ing).
* Packages with static non-`root/root` ownerships in their debs.
There is no rootless workflow for these with `dpkg-deb` supported
features.
Note: Packages will still be able to Build-Depends on `fakeroot`,
which might be relevant for running some testsuites (etc.). This
targeted use of `fakeroot` is a lot more palatable, since it
reduces the scope for problems and makes us immune to wrong
ownership problems.
## Method and failure modes
This section is only relevant if you are curious about how we found
these packages, or you are concerned we missed something. If you agree
with the premise and just want to fix your packages, feel free to skip
this section.
While planning this default change, Guillem and I considered different
possible failure scenarios for how changing the default could
break. Based on our thoughts on this topic, we devised a testing plan
to identify these potential problems and how to resolve them.
### Failure modes
We identified the following likely outcomes of building a package
without root despite it not opting into `Rules-Requires-Root: no`:
1) Successful build. This is the most common case due to widespread
use of `dh` and its ability to enable rootless builds
automatically when available.
2) FTBFS. Any manual `chown`'ing (or `install -o/-g`) will generally
cause the build to fail, since both requires root user privileges.
Any legacy `checkroot` targets will also fall into this, since
they check the current user is root and abort otherwise. Though,
it is important to note here that `dh_testroot` does not fail here
(since it expects the `debhelper` stack to react accordingly).
3) Silent misbuild. Basically, anything in group 2) where the error
code of the command/systemcall is ignored leading to a
"successful" build as far as exit code goes, but incorrect content
in the package.
This comes in two subgroups:
a) Non-root owned paths in the package.
b) All `root:root` owned paths in the package, when at least
one path should have been non-`root:root` (like `root:bin`)
The primary concern here was the "Silent misbuild", since they would
go unnoticed in a mass-rebuild and likely hide among successful
builds.
### Risky packages
Secondly, we looked at which kind of packages were most likely to have
this kind of failure. These are grouped:
pg1) Packages with no standardized build system (The `other` on
trends.d.n). We considered this group to be very likely to have
problems with misbuilds if that would occur at all.
pg2) Packages with non-`root:root` static ownership.
We considered this group to be possible to have problems, since
one way of implementing static ownership is letting upstream's
build system do the `chown`'ing and then doing `dh_fixperms -X` to
keep the special ownership/mode. If the upstream build system
ignores errors, this style could cause a problem.
pg3) Packages using `classic debhelper`. These were originally
classified as unlikely. However, a codesearch.d.n on `dpkg(-deb)`
in `debian/rules` usage was done in the end just to be safe.
pg4) Packages using `cdbs` or `dh`. These have been assumed to be fine.
In theory, they can be made unsafe, but the maintainer would have
to go out of their way to replace the `dh_builddeb` with
`dpkg-deb --build`. Though, obvious uses of that command would
have been caught be the codesearch done as part of `pg3)`.
All the packages in `pg1)` plus `pg2)` plus the packages matched by the
codesearch listed in `pg3)` were manually reviewed for failure modes.
Note that the codesearch is not flawless, since packages can include
their packaging from other files in the `debian` directory. When the
included file does not start with `debian/rules` (such as
`include debian/implicit`), then the codesearch will have missed its
contents.
### Findings of manual review
Two cases of "successful misbuilds" have been identified:
* libjama (#1086841). This is from the `other` build system list.
* binutils-mipsen (#1082298). This was mentioned by (I think) Helmut
during our analysis discussions in #dpkg-devel and not found
directly. Note this one is technically a "false-positive", since
the package already has `Rules-Requires-Root: no` (that is, this
is bug is not about the default changing, but an uploader applying
`Rules-Requires-Root: no` without confirming it worked correctly)
Additionally, the following packages were found to be suspected of
silent misbuilds, but failed for unrelated reasons in our build
testing:
* cross-toolchain-base{,-mipsen,-ports}
* gcc-*-cross{,-mipsen,-ports}
Their packaging is non-trivial and was not fully analyzed, so they may
be safe. One of these groups chains into a `dpkg-buildpackage` (as in
`debian/rules` calls `dpkg-buildpackage` and the other group seems to
manually pack or repack debs via `dpkg-deb`. This was deemed too unusual
to spend the non-trivial effort to analyze fully given they could not be
build in the test infrastructure for unrelated reasons.
### What was rebuild on debusine.d.n
When we did the rebuild, the following packages were rebuild:
1) All packages from pg1
2) All packages from pg2
3) All packages tagged by `lintian` with
`silent-on-rules-requiring-root`
The first two groups were rebuilt mostly confirm the manual review and
to validate the rebuild setup. This also weeded out a few
false-positives in the manual review.
All the builds was done on arm64 (it had more capacity available).
### The modified dpkg
The rebuild was done with `dpkg` from this branch
https://git.hadrons.org/cgit/debian/dpkg/dpkg.git/commit/?h=next/rrr-default-no
(HEAD being 82cafddd936946b88f67b1e76601b04ca8a81586 with a `gbp dch -S`
on top)
### Full build results
A total of 10940 source packages were rebuild.
* 10078 build successful.
- Of these, 2 misbuild successfully (both noted above)
* 862 failures
- Of these 217 failed with an error related to this change
- The remaining failed for other reasons (including running
out of memory on the host, etc.)
The `check-logs` script (attached) has the regexes used for classifying
the logs for the curious.
# Thanks
Thanks to the Debusine team for providing the test infrastructure.
Thanks to Stefano for his rebuild tooling stack, which easily saved me a
week of work.
Thanks to Helmut for making us aware of Debusine being able to help with this purpose and helping with discussions in #dpkg-devel.
Best regards, Guillem and Niels
Cross Toolchain Base Team <cross-toolchain-base-d...@lists.launchpad.net> cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports Debian GCC Maintainers <debian-...@lists.debian.org> gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports Dimitri John Ledkov <x...@debian.org> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) Matthias Klose <d...@debian.org> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) gcc-11-cross (U) gcc-11-cross-mipsen (U) gcc-11-cross-ports (U) gcc-12-cross (U) gcc-12-cross-ports (U) gcc-13-cross (U) gcc-13-cross-ports (U) gcc-14-cross (U) gcc-14-cross-ports (U) YunQiang Su <s...@debian.org> cross-toolchain-base-mipsen (U) gcc-11-cross-mipsen (U) gcc-12-cross-mipsen (U) gcc-13-cross-mipsen (U) gcc-14-cross-mipsen (U)
cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports
A Mennucc1 <mennu...@debian.org> debdelta Adam Majer <ad...@zombino.com> lpr Alberto Fuentes <paj...@gmail.com> animals Alberto Gonzalez Iniesta <a...@inittab.org> modsecurity-apache tripwire Alen Zekulic <a...@nms.hr> the Alex Myczko <t...@debian.org> bchunk (U) Alexander Zangerl <a...@debian.org> exmh glimpse intel2gas nmh Alexandre Dantas <e...@alexdantas.net> snake4 xbomb Alexandre Detiste <alexandre.deti...@gmail.com> angband (U) Alexandre Raymond <alexandre.j.raym...@gmail.com> restartd Andre Noll <m...@tuebingen.mpg.de> liblopsub Andreas Barth <a...@ayous.org> mgetty Andreas Franzen <an...@debian.org> wzip Andree Leidenfrost <and...@debian.org> petris Andrej Shadura <andre...@debian.org> 9mount Andrius Merkys <mer...@debian.org> epics-base (U) Anibal Monsalve Salazar <ani...@debian.org> liblockfile (U) nfs4-acl-tools xfsdump (U) Ansgar Burchardt <ans...@43-1.org> freesweep (U) Antoine Le Gonidec <deb...@dotslashplay.it> mono Anton Gladky <gl...@debian.org> freeimage (U) Anton Zinoviev <zinov...@debian.org> fortunes-bg Arne Wichmann <a...@saar.de> xpat2 Axel Beckert <a...@debian.org> blosxom (U) Barry deFreese <bdefre...@debian.org> ketm (U) Ben Armstrong <sy...@sanctuary.nslug.ns.ca> xletters (U) Benda Xu <o...@debian.org> quickml Benjamin Mako Hill <m...@debian.org> most Boyuan Yang <by...@debian.org> taglib (U) Bradley A. Bosch <b...@debian.org> id-utils Brandon Barnes <winterkni...@nerdshack.com> komi Brian Pellin <bpel...@debian.org> genders Charles Plessy <ple...@debian.org> umegaya Chris Carr <ranting...@gmail.com> angband (U) Chris Taylor <ctay...@debian.org> iptstate Christian T. Steigies <c...@debian.org> bugsquish gemdropx madbomber Christoph Biedl <debian.a...@manchmal.in-ulm.de> pptp-linux schroot Christoph Haas <h...@debian.org> oggfwd (U) Christoph Martin <mar...@uni-mainz.de> postfixadmin (U) ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org> tomsfastmath Clint Byrum <cl...@ubuntu.com> mysql-8.0 (U) Craig Small <csm...@debian.org> wordpress Cross Toolchain Base Team <cross-toolchain-base-d...@lists.launchpad.net> cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports Cédric Boutillier <bou...@debian.org> ruby-soap4r (U) David Bremner <brem...@debian.org> gitolite3 nullmailer Davide G. M. Salvetti <sa...@debian.org> statnews witalian Debian EFI team <debian-...@lists.debian.org> shim shim-helpers-arm64-signed Debian Electronics Packaging Team <pkg-electronics-de...@alioth-lists.debian.net> sdcc Debian FreeIPA Team <pkg-freeipa-de...@alioth-lists.debian.net> freeipa libmozilla-ldap-perl Debian Games Team <pkg-games-de...@lists.alioth.debian.org> angband freesweep ketm slashem supertransball2 xletters Debian GCC Maintainers <debian-...@lists.debian.org> gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports Debian HA Maintainers <debian-ha-maintain...@lists.alioth.debian.org> heartbeat Debian Hamradio Maintainers <debian-h...@lists.debian.org> z8530-utils2 Debian HPC Team <debian-...@lists.debian.org> slurm-wlm Debian Multimedia Maintainers <debian-multime...@lists.debian.org> taglib Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org> mysql-8.0 Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org> libdevel-callparser-perl libinline-java-perl libmarpa-r2-perl libperlx-maybe-xs-perl libtrycatch-perl libuniversal-ref-perl Debian QA Group <packa...@qa.debian.org> dbview gcpegg ipsvd libdigest-whirlpool-perl libranlip ns2 nslint omega-rpg pppconfig sendmail ssmtp stfl suck sup swedish tetrinetx Debian rsbackup maintainers <rsbackup-ma...@lists.alioth.debian.org> rsbackup Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org> ruby-soap4r Debian Science Maintainers <debian-science-maintain...@lists.alioth.debian.org> auto-07p epics-base freeimage Debian Security Tools <team+pkg-secur...@tracker.debian.org> samdump2 Debian Tcl/Tk Packagers <pkg-tcltk-de...@lists.alioth.debian.org> itcl3 Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org> homer-api Debian X Strike Force <debia...@lists.debian.org> xorg xserver-xorg-video-qxl Dimitri John Ledkov <x...@debian.org> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) Dmitry E. Oboukhov <un...@debian.org> libdata-streamdeserializer-perl libdata-streamserializer-perl Dominic Hargreaves <d...@earth.li> ircd-hybrid openguides Drew Parsons <dpars...@debian.org> mirrormagic Eduard Bloch <bl...@debian.org> durep Emil Mikulic <emiku...@gmail.com> darkstat (U) Erik Schanze <er...@debian.org> mpgtx Erinn Clark <er...@double-helix.org> icheck Ervin Hegedus <airw...@gmail.com> modsecurity-apache (U) Florian Roscher <f...@debian.org> dlint Francisco Manuel Garcia Claramonte <franci...@debian.org> tiger (U) Frederic Peters <fpet...@debian.org> lasso Fredrik Hallenberg <hal...@debian.org> xcolors Gaudenz Steinlin <gaud...@debian.org> postfixadmin (U) Gennaro Oliva <ol...@debian.org> slurm-wlm (U) Ghislain Antony Vaillant <ghisv...@gmail.com> freeimage (U) Gilmar dos Reis Queiroz <gilmardosreis...@gmail.com> phpwebcounter Giuseppe Sacco <eppes...@debian.org> hylafax Gleydson Mazioli da Silva <gleyd...@debian.org> focalinux Gudjon I. Gudjonsson <gud...@gudjon.org> sdcc (U) Guido Günther <a...@sigxcpu.org> libpam-ccreds wmwave Hakan Ardo <ha...@debian.org> ftpwatch libcompface xfaces Hector Romojaro <hector.romoj...@gmail.com> tdom (U) Holger Levsen <hol...@debian.org> tuxtype Håkon Nessjøen <haakon.nessj...@gmail.com> mactelnet Ian Jackson <ijack...@chiark.greenend.org.uk> chiark-utils sauce vm xfonts-traditional Jaime Robles <ja...@debian.org> z8530-utils2 (U) Jakob Haufe <su...@debian.org> schroot (U) James Bromberger <j...@debian.org> i810switch James Damour (Suvarov454) <suvarov...@users.sourceforge.net> filler James Page <jamesp...@debian.org> mysql-8.0 (U) Jan Dittberner <ja...@debian.org> sniproxy Javier Fernandez-Sanguino Pen~a <j...@debian.org> libpam-chroot Javier Fernandez-Sanguino Peña <j...@debian.org> compartment Javier Fernández-Sanguino Peña <j...@computer.org> checksecurity Javier Fernández-Sanguino Peña <j...@debian.org> netselect openuniverse tiger Jeff Epler <jep...@gmail.com> mesaflash (U) Jeremy Bicha <jbi...@ubuntu.com> murrine-themes (U) Joachim Wiedorn <joodeb...@joonet.de> hylafax (U) Joachim Zobel <jz-2...@heute-morgen.de> gap-nq John Goerzen <jgoer...@complete.org> netmaze John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> gkrellm2-cpufreq Jonas Smedegaard <d...@jones.dk> libdevel-callparser-perl (U) libinline-java-perl (U) libmarpa-r2-perl (U) libperlx-maybe-xs-perl (U) libtrycatch-perl (U) libuniversal-ref-perl (U) poppass-cgi rmagic Jonathan McDowell <nood...@earth.li> sdcc (U) Jose G. López <josg...@jglopez.name> phalanx scid Jose M Calhariz <calha...@debian.org> amanda Josip Rodin <joy-packa...@debian.org> joe Juan Cespedes <cespe...@debian.org> linux86 Junichi Uekawa <dan...@debian.org> binfmtc dsh Jörg Frings-Fürst <debian@jff.email> cil Kari Pahula <k...@debian.org> crossfire Ken McDonell <k...@kenj.id.au> pcp (U) Kevin Zambrano <kevin...@gmail.com> falselogin Kilian Krause <kil...@debian.org> ircd-irc2 (U) Konstantin S. Vishnivetsky <kvishnivet...@sipcapture.org> homer-api (U) Kumar Appaiah <aku...@debian.org> logapp taggrepper Kurt Roeckx <k...@roeckx.be> ircd-irc2 Lars Tangvald <lars.tangv...@oracle.com> mysql-8.0 (U) Laszlo Boszormenyi (GCS) <g...@debian.org> sidplay-libs Lena Voytek <l...@voytek.dev> mysql-8.0 (U) Linaro Packagers <linaro-...@lists.launchpad.net> rt-app LinuxCNC Developers <emc-develop...@lists.sourceforge.net> mesaflash Ludovic Drolez <ldro...@debian.org> swish-e Magnus Holmgren <holmg...@debian.org> libspf2 uw-imap Manoj Srivastava <sriva...@debian.org> dist mailagent ucf wm-icons Marcin Owsiany <porri...@debian.org> bambam Marcio de Souza Oliveira <m.desouz...@gmail.com> ethstatus Marcos Fouces <mar...@debian.org> ganglia-web Mark Brown <broo...@debian.org> clc-intercal ftnchek tua xemacs21 Markus Koschany <a...@debian.org> supertransball2 (U) Martin A. Godisch <godi...@debian.org> lrzsz pachi rockdodger Martin Quinson <mquin...@debian.org> flexml Martin Zobel-Helas <zo...@debian.org> tcptraceroute Mateusz Łukasik <mat...@linuxmint.pl> udevil Mats Erik Andersson <mats.anders...@gisladisker.se> durep (U) Matthew Vernon <matt...@debian.org> bible-kjv rsbackup (U) Matthias Klose <d...@debian.org> cross-toolchain-base (U) cross-toolchain-base-mipsen (U) cross-toolchain-base-ports (U) gcc-11-cross (U) gcc-11-cross-mipsen (U) gcc-11-cross-ports (U) gcc-12-cross (U) gcc-12-cross-ports (U) gcc-13-cross (U) gcc-13-cross-ports (U) gcc-14-cross (U) gcc-14-cross-ports (U) pillow Mattias Ellert <mattias.ell...@physics.uu.se> gridsite Maximiliano Curia <m...@debian.org> backup-manager Mehdi Dogguy <me...@debian.org> slurm-wlm (U) Michael Grünewald <michip...@gmail.com> bsdowl Michael Meskes <mes...@debian.org> memstat Michael Prokop <m...@debian.org> physlock Michael Stone <mst...@debian.org> argus Miquel van Smoorenburg <miqu...@cistron.nl> liblockfile Miriam Ruiz <mir...@debian.org> xmlindent Moritz Muehlenhoff <j...@debian.org> leafnode slrn Nathan Scott <nath...@debian.org> pcp (U) xfsdump Neil Roeth <n...@debian.org> openjade Neutron Soutmun <neo.neut...@gmail.com> xiterm+thai Nicolas Schier <nico...@fjasle.eu> sleepenh Nobuhiro Iwamatsu <iwama...@debian.org> dv4l Norbert Tretkowski <norb...@tretkowski.de> mysql-8.0 (U) Norbert Veber <nve...@debian.org> rig Norman Messtorff <nor...@normes.org> postfixadmin Patrick Ouellette <poue...@debian.org> z8530-utils2 (U) PCP Development Team <p...@groups.io> pcp Peter S Galbraith <p...@debian.org> xcolmix xplot xwatch Petr Čech <c...@debian.org> ispell-czech Petter Reinholdtsen <p...@debian.org> wp2x Phil Brooke <p...@debian.org> moria searchandrescue searchandrescue-data Picca Frédéric-Emmanuel <pi...@debian.org> epics-base (U) Praveen Arimbrathodiyil <prav...@gmail.com> bchunk Raphaël Hertzog <hert...@debian.org> samdump2 (U) Rene Mayorga <rmayo...@debian.org> darkstat Rhonda D'Vine <rho...@debian.org> blosxom gitolite3 (U) rungetty RISKO Gergely <ri...@debian.org> bombardier Ritesh Raj Sarraf <r...@debian.org> dict-gcide mergerfs Rob Browning <r...@defaultvalue.org> lockfile-progs Robie Basak <ro...@justgohome.co.uk> mysql-8.0 (U) Rodrigo Carvalho <rodrigor...@gmail.com> vtun Roger Shimizu <r...@debian.org> wide-dhcpv6 Roland Mas <lola...@debian.org> epics-base (U) Ryan Kavanagh <r...@debian.org> opensmtpd-filter-dkimsign Rémi Palancher <r...@rezib.org> slurm-wlm (U) Sam Hocevar (Debian packages) <sam+...@zoy.org> beav Santiago García Mantiñán <ma...@debian.org> bridge-utils Sebastian Andrzej Siewior <sebast...@breakpoint.cc> tomsfastmath (U) Sebastian Kuzminsky <s...@highlab.com> mesaflash (U) Sergei Golovan <sgolo...@debian.org> itcl3 (U) Sergey B Kirpichev <skirpic...@gmail.com> auto-07p (U) Simon Kelley <si...@thekelleys.org.uk> dhcp-helper Stefan Sobernig <stefan.sober...@wu-wien.ac.at> tdom (U) xotcl (U) Stefan Völkel <b...@bc-bd.org> dtach Steinar H. Gunderson <se...@debian.org> bmusb cubemap Stephen Gelman <ssg...@debian.org> checkinstall Steve Kowalik <stev...@debian.org> xringd Steve Langasek <vor...@debian.org> shim (U) Steve McIntyre <93...@debian.org> shim (U) Steve Meliza <s...@swm1.com> avr-libc Takuo Kitame <kit...@debian.org> stone TANIGUCHI Takaki <tak...@debian.org> haci Tcl/Tk Debian Packagers <pkg-tcltk-de...@lists.alioth.debian.org> tdom xotcl Thorsten Alteholz <deb...@alteholz.de> astronomical-almanac setserial texify Timo Aaltonen <tjaal...@debian.org> freeipa (U) libmozilla-ldap-perl (U) Tollef Fog Heen <tfh...@debian.org> pam-tmpdir Tomas Pospisek <tpo_...@sourcepole.ch> mailsync tony mancill <tmanc...@debian.org> genders (U) Valentin Vidic <vvi...@debian.org> heartbeat (U) Victor Seva <linuxman...@torreviejawireless.org> homer-api (U) Vincent Cheng <vch...@debian.org> slashem (U) Wookey <woo...@debian.org> rt-app (U) Wouter Verhelst <wou...@debian.org> extrepo logtool sreview Ying-Chun Liu (PaulLiu) <paul...@debian.org> oggfwd YunQiang Su <s...@debian.org> binutils-mipsen cross-toolchain-base-mipsen (U) gcc-11-cross-mipsen (U) gcc-12-cross-mipsen (U) gcc-13-cross-mipsen (U) gcc-14-cross-mipsen (U) Yves-Alexis Perez <cor...@debian.org> murrine-themes
9mount amanda angband animals argus astronomical-almanac auto-07p avr-libc backup-manager bambam bchunk beav bible-kjv binfmtc binutils-mipsen blosxom bmusb bombardier bridge-utils bsdowl bugsquish checkinstall checksecurity chiark-utils cil clc-intercal compartment crossfire cross-toolchain-base cross-toolchain-base-mipsen cross-toolchain-base-ports cubemap darkstat dbview debdelta dhcp-helper dict-gcide dist dlint dsh dtach durep dv4l epics-base ethstatus exmh extrepo falselogin filler flexml focalinux fortunes-bg freeimage freeipa freesweep ftnchek ftpwatch ganglia-web gap-nq gcc-11-cross gcc-11-cross-mipsen gcc-11-cross-ports gcc-12-cross gcc-12-cross-mipsen gcc-12-cross-ports gcc-13-cross gcc-13-cross-mipsen gcc-13-cross-ports gcc-14-cross gcc-14-cross-mipsen gcc-14-cross-ports gcpegg gemdropx genders gitolite3 gkrellm2-cpufreq glimpse gridsite haci heartbeat homer-api hylafax i810switch icheck id-utils intel2gas ipsvd iptstate ircd-hybrid ircd-irc2 ispell-czech itcl3 joe ketm komi lasso leafnode libcompface libdata-streamdeserializer-perl libdata-streamserializer-perl libdevel-callparser-perl libdigest-whirlpool-perl libinline-java-perl liblockfile liblopsub libmarpa-r2-perl libmozilla-ldap-perl libpam-ccreds libpam-chroot libperlx-maybe-xs-perl libranlip libspf2 libtrycatch-perl libuniversal-ref-perl linux86 lockfile-progs logapp logtool lpr lrzsz mactelnet madbomber mailagent mailsync memstat mergerfs mesaflash mgetty mirrormagic modsecurity-apache mono moria most mpgtx murrine-themes mysql-8.0 netmaze netselect nfs4-acl-tools nmh ns2 nslint nullmailer oggfwd omega-rpg openguides openjade opensmtpd-filter-dkimsign openuniverse pachi pam-tmpdir pcp petris phalanx phpwebcounter physlock pillow poppass-cgi postfixadmin pppconfig pptp-linux quickml restartd rig rmagic rockdodger rsbackup rt-app ruby-soap4r rungetty samdump2 sauce schroot scid sdcc searchandrescue searchandrescue-data sendmail setserial shim shim-helpers-arm64-signed sidplay-libs slashem sleepenh slrn slurm-wlm snake4 sniproxy sreview ssmtp statnews stfl stone suck sup supertransball2 swedish swish-e taggrepper taglib tcptraceroute tdom tetrinetx texify the tiger tomsfastmath tripwire tua tuxtype ucf udevil umegaya uw-imap vm vtun wide-dhcpv6 witalian wm-icons wmwave wordpress wp2x wzip xbomb xcolmix xcolors xemacs21 xfaces xfonts-traditional xfsdump xiterm+thai xletters xmlindent xorg xotcl xpat2 xplot xringd xserver-xorg-video-qxl xwatch z8530-utils2
Adam Majer <ad...@zombino.com> lpr Alberto Fuentes <paj...@gmail.com> animals Alberto Gonzalez Iniesta <a...@inittab.org> modsecurity-apache Alexandre Dantas <e...@alexdantas.net> snake4 xbomb Andree Leidenfrost <and...@debian.org> petris Anibal Monsalve Salazar <ani...@debian.org> liblockfile (U) Ansgar Burchardt <ans...@43-1.org> freesweep (U) Arne Wichmann <a...@saar.de> xpat2 Ben Armstrong <sy...@sanctuary.nslug.ns.ca> xletters (U) Benda Xu <o...@debian.org> quickml Charles Plessy <ple...@debian.org> umegaya Christoph Martin <mar...@uni-mainz.de> postfixadmin (U) Craig Small <csm...@debian.org> wordpress David Bremner <brem...@debian.org> nullmailer Debian Games Team <pkg-games-de...@lists.alioth.debian.org> freesweep slashem xletters Debian QA Group <packa...@qa.debian.org> omega-rpg sendmail ssmtp suck tetrinetx Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org> homer-api Dominic Hargreaves <d...@earth.li> ircd-hybrid openguides Drew Parsons <dpars...@debian.org> mirrormagic Ervin Hegedus <airw...@gmail.com> modsecurity-apache (U) Gaudenz Steinlin <gaud...@debian.org> postfixadmin (U) Gilmar dos Reis Queiroz <gilmardosreis...@gmail.com> phpwebcounter Giuseppe Sacco <eppes...@debian.org> hylafax Ian Jackson <ijack...@chiark.greenend.org.uk> sauce James Bromberger <j...@debian.org> i810switch Javier Fernández-Sanguino Peña <j...@debian.org> openuniverse Joachim Wiedorn <joodeb...@joonet.de> hylafax (U) Jose G. López <josg...@jglopez.name> phalanx Jose M Calhariz <calha...@debian.org> amanda Kari Pahula <k...@debian.org> crossfire Kilian Krause <kil...@debian.org> ircd-irc2 (U) Konstantin S. Vishnivetsky <kvishnivet...@sipcapture.org> homer-api (U) Kurt Roeckx <k...@roeckx.be> ircd-irc2 Magnus Holmgren <holmg...@debian.org> uw-imap Mark Brown <broo...@debian.org> xemacs21 Martin A. Godisch <godi...@debian.org> pachi rockdodger Mattias Ellert <mattias.ell...@physics.uu.se> gridsite Michael Stone <mst...@debian.org> argus Miquel van Smoorenburg <miqu...@cistron.nl> liblockfile Neutron Soutmun <neo.neut...@gmail.com> xiterm+thai Norman Messtorff <nor...@normes.org> postfixadmin Phil Brooke <p...@debian.org> moria RISKO Gergely <ri...@debian.org> bombardier Rob Browning <r...@defaultvalue.org> lockfile-progs TANIGUCHI Takaki <tak...@debian.org> haci Victor Seva <linuxman...@torreviejawireless.org> homer-api (U) Vincent Cheng <vch...@debian.org> slashem (U) YunQiang Su <s...@debian.org> binutils-mipsen
amanda animals argus binutils-mipsen bombardier crossfire freesweep gridsite haci homer-api hylafax i810switch ircd-hybrid ircd-irc2 liblockfile lockfile-progs lpr mirrormagic modsecurity-apache moria nullmailer omega-rpg openguides openuniverse pachi petris phalanx phpwebcounter postfixadmin quickml rockdodger sauce sendmail slashem snake4 ssmtp suck tetrinetx umegaya uw-imap wordpress xbomb xemacs21 xiterm+thai xletters xpat2
# How to handle my package when ...
## Package uses static ownership
Example:
chown root:www-data /some/path
chgrp bin debian/tmp/usr/bin/binary
install -o root -g bin build/some/binary debian/pkg/usr/bin/binary
Note: The deciding factor is whether any of the debs has a
non-`root/root` path in the data.tar. If all the paths are normalized
to `root/root` before the `.deb` is assembled, you can choose the
"Package explicit chown things as root (and does not use
non-`root/root` static ownership)" option below
This case only applies to users and groups provided by `base-passwd`,
as these are the only users and groups that can be used reliably with
static ownership. For dynamically created users (such as, `adduser` or
`systemd-sysusers`), the paths should be `root/root` with the relevant
chown'ing is done after the installation (either in `postinst` or via
`systemd-tmpfiles`).
The solution:
* Set `Rules-Requires-Root: binary-targets` in the source stanza
## I do not have time to fix the root problem and just want to get off the list
Example:
You have 5 minutes to work on Debian, and this is not the problem you
had planned to work on.
Solution (work around):
* Set `Rules-Requires-Root: binary-targets` in the source stanza, upload
to close the bug and move on for now.
## Package has explicit check for running as root, but it only ships `root/root` paths in the deb
Example:
test x`whoami` = xroot
if [ $(id -u) != 0 ]; then echo "Must be run as root" >&2; exit 1 ; fi
Solution (dh):
1) Remove the check. The `dh` tool handle everything from there.
2) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (classic debhelper):
1) Ensure dh_builddeb is being used to assemble the deb.
2) Either remove the check for running as root *or* replace it with `dh_testroot`.
3) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Ensure `dh_fixperms` is invoked before `dh_builddeb`.
5) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (non-debhelper):
1) Ensure `dpkg-deb --root-owner-group --build` is used for assembling the deb.
2) Either remove the check for running as root *or* replace it with `dh_testroot`.
3) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Optionally, set `Rules-Requires-Root: no` in the source stanza
## Package explicit chown things as root to `root:root`
Example:
chown -R root:root debian/pkg
install -d -o root -g root -m 755 debian/tmp/usr/bin
install -o root -g root -m 644 binary debian/tmp/usr/bin/binary
Bug#1087626 (debian-policy; package was using `dh`)
Solution (dh):
1) Remove all the chown code (incl. `-o/-g` passed to `install`). Since all paths end up
being `root/root`, the `chown` is redundant when `dh_fixperms` + `dh_builddeb` is used.
2) Optionally, set `Rules-Requires-Root: no` in the source stanza
Example of this solution: Bug#1087626 (debian-policy)
Solution (classic debhelper):
1) Ensure `dh_builddeb` is being used to assemble the deb.
2) Remove all the chown checks. Since they are `root/root` they are redundant
with `dh`.
3) Remove all `chown`/`chgrp` and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
4) Ensure `dh_fixperms` is invoked before `dh_builddeb`.
5) Optionally, set `Rules-Requires-Root: no` in the source stanza
Solution (non-debhelper):
1) Ensure `dpkg-deb --root-owner-group --build` is used for assembling the deb.
2) Remove all chown/chgrp and other ownership changing calls (such as `-o/-g` passed to `install`).
Note: some of these may appear in upstream's build system.
3) Optionally, set `Rules-Requires-Root: no` in the source stanza
## Package provides setuid/setgid `root:root` binaries
Example:
chmod u+s usr/sbin/sudo
Normally, chmod +s is undone when the binary is chown'ed. However,
when the deb is assembled with the `dpkg-deb --root-owner-group`
option, no `chown`'ing is done. Instead, the ownership is overwritten
with no regards to the mode. This happens to work out
perfectly. Accordingly, the `sudo` and other setuid/setgid providing
packages are already `Rules-Requires-Root: no`.
The only counter example here is when the setuid or setgid is for a
non-root user or group. However, this case is covered by the "Package
uses static ownership" scenario above.
## Package FTBFS with a weird "permission denied"
Example:
```
chrpath -d .../perl5/5.40/auto/Lasso/Lasso.s
open: Permssion denied
elf_open: Invalid argument
```
(this three-line example is taken from `lasso`)
What happens here is that upstream's install routine installs that
file *without* minimal permissions (usually u+rw). Under `fakeroot`
emulating "true root", this permission problem is ignored and the
operation continues anyway (not sure exactly how `fakeroot` emulates
it).
Solution (quick fix):
* Apply `chmod u+rwX -R debian/tmp` after running the upstream
installation step, but before the command that fails.
* Undo the `u+wX` bit later **if relevant** (in most cases, it will
not be relevant).
I am considering fixing this in `dh_auto_install` for `debhelper` in a
later compat level. But it cannot be done retroactively since it might
break the intended mode. There are cases where paths must not have
`u+w`, such as `etc/sudoers.d` and `*.ali` files. This can be implemented
by a `dh_fixperms -X <path>`, which means it would be unsafe to ad-hoc
throw into an existing compat level.
## Package provides paths to be owned by dynamic created users or groups
Examples:
Use of `adduser` in maintscripts
Use of `systemd-sysusers` in maintscripts (or `debian/package.sysusers`)
The package should already be using `root/root` for the paths in the
`deb`, since the dynamic user/group does not have a static
uid/gid. Accordingly, this case works the same as a regular
`root/root` deb as far as this MBF is concerned.
Should your package use the dynamic user information in the deb, then
that is a bug on its own that should be fixed as well. This is because
the uid/gid for the dynamic users/groups are not stable. Consider using
`systemd-tmpfiles` for setting up ownership as needed.
# General remarks on the solutions
* All `dh` based solutions described here assumes `dh_fixperms` and `dh_builddeb` are
active for the package. If your package overrides either to replace them with a
different tool, then you may need to mix and match with the "classic debhelper"
or "non-debhelper" solution (or tag the bug with help).
* The "non-debhelper" solution relies on `--root-owner-group` from `dpkg` 1.19.0.
This is satisfied in "oldoldstable", so it should be a non-issue. Though if you
are backporting to older releases for some reason (such as various Ubuntu LTS
releases) and you want 1:1 packaging, then you would need to make the
`--root-owner-group` conditional. See /usr/share/doc/dpkg/spec/rootless-builds.txt
from `dpkg-dev` for details.
For `debhelper` (and `dh`), the feature is basically "feature negotiated"
transparently for you, and you do not have to think about this problem.
#!/usr/bin/sh
set -xe
# NOTE: Order is important; first match wins by default.
# Error patterns caused by the transition or seem related to the transition.
python3 -m rebuilds --silent log-search select '(?:ch(?:own|grp)|install): .*:
Operation not permitted'
python3 -m rebuilds --silent log-search select ': unable to copy file .*
Permission denied'
python3 -m rebuilds --silent log-search select ': cannot (create|access) .*
Permission denied'
python3 -m rebuilds --silent log-search select 'test (?:[$][(]|[`])id -u[`)] =
0'
python3 -m rebuilds --silent log-search select '\[\s+(?:[$][(]|[`])id
-u[`)]\s*[!=]?=\s*0\s+\]'
python3 -m rebuilds --silent log-search select 'test root =
"([$][(]|[`])whoami[`)]"'
python3 -m rebuilds --silent log-search select 'test x`whoami` = xroot'
python3 -m rebuilds --silent log-search select 'make(\[.*\])?: [*][*][*]
\[debian/rules:\d+: checkroot\] Error \d+'
python3 -m rebuilds --silent log-search select 'install
(.*\s)?-o\s+root\s+-g\s+root'
python3 -m rebuilds --silent log-search select 'Password: su: Authentication
failure'
python3 -m rebuilds --silent log-search select 'need root privileges'
python3 -m rebuilds --silent log-search select 'Error: not super-user'
python3 -m rebuilds --silent log-search select 'dh_\S+: error: .*: Permission
denied'
# THis is chrpath, but the error is awkwardly multi-line
python3 -m rebuilds --silent log-search select 'elf_open: Invalid argument'
# Error patterns that seem unrelated to the transition.
python3 -m rebuilds --silent log-search ignore ' error: .* \[-W\S+\]'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*]
\[debian/rules:\d+: override_dh_auto_(?:configure|build|test)\] Error \d+'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*] No
rule to make target .*[.]\s+Stop[.]'
python3 -m rebuilds --silent log-search ignore
'(configure|dh_auto_build|dh_auto_configure|dh_auto_test): error: .*'
python3 -m rebuilds --silent log-search ignore '==> CMakeCache.txt <=='
python3 -m rebuilds --silent log-search ignore '/bin/\S+: \d+: .+: not found'
python3 -m rebuilds --silent log-search ignore '(?:cp|mv|install|cat|touch):
.*: No such file or directory'
python3 -m rebuilds --silent log-search ignore 'cannot find package ".*" in any
of:'
python3 -m rebuilds --silent log-search ignore 'collect2: error: ld returned
\d+ exit status'
python3 -m rebuilds --silent log-search ignore
'(?:Import|Attribute|Assertion|ModuleNotFound|Type)Error:'
python3 -m rebuilds --silent log-search ignore 'cc1plus: all warnings being
treated as errors'
python3 -m rebuilds --silent log-search ignore ' invalid suffix .* on
.*constant'
python3 -m rebuilds --silent log-search ignore ' error: impossible constraint
in'
python3 -m rebuilds --silent log-search ignore ' error: assignment .* read-only
object'
python3 -m rebuilds --silent log-search ignore 'Errors while running CTest'
python3 -m rebuilds --silent log-search ignore 'error: Multiple top-level
packages discovered in a flat-layout: '
python3 -m rebuilds --silent log-search ignore 'E: Package build dependencies
not satisfied; skipping'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: missing
files, aborting'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: .* is missing'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: .*: No such
file or directory'
python3 -m rebuilds --silent log-search ignore '^dh_[^:]+: error: Cannot find
[(]any matches for[)] .*'
python3 -m rebuilds --silent log-search ignore '^dh_elpa_test: error: .*
returned exit code'
python3 -m rebuilds --silent log-search ignore 'error: unrecognized
command-line option .*'
python3 -m rebuilds --silent log-search ignore '(?:dpkg-|dh_)gencontrol: error:'
python3 -m rebuilds --silent log-search ignore 'E: Build killed with signal
TERM after 150 minutes of inactivity'
python3 -m rebuilds --silent log-search ignore 'jh_build: error: find .*
returned exit code 123'
python3 -m rebuilds --silent log-search ignore 'texi2dvi: Your TeX installation
appears to be broken - texi2dvi'
python3 -m rebuilds --silent log-search ignore 'Error: .*: Encountered missing
or private dependencies:'
python3 -m rebuilds --silent log-search ignore '[Ss]egmentation fault'
python3 -m rebuilds --silent log-search ignore '/dists/\S+/Release.gpg: Scheme
missing.'
python3 -m rebuilds --silent log-search ignore 'dpkg-deb: error: parsing file'
python3 -m rebuilds --silent log-search ignore 'E: Minimal version requirement
not satisfied for'
python3 -m rebuilds --silent log-search ignore 'error: \[GHC-\d+\]'
python3 -m rebuilds --silent log-search ignore 'error: (?:.*/)?hlibrary.setup
build .+ returned exit code \d+'
python3 -m rebuilds --silent log-search ignore 'Error: build of pdf failed with
error code \d+'
python3 -m rebuilds --silent log-search ignore '[.]rb:\d+:in `.*'\'': .*:\d+:
.* [(]SyntaxError[)]'
python3 -m rebuilds --silent log-search ignore 'Extension error
[(]pydata_sphinx_theme[)]:'
python3 -m rebuilds --silent log-search ignore 'E: py3versions failed at
/usr/share/perl5/Debian/Debhelper/Buildsystem/pybuild[.]pm line \d+[.]'
python3 -m rebuilds --silent log-search ignore 'make(\[.*\])?: [*][*][*]
\[Makefile:\d+: (readme|html)\] Error \d+'
python3 -m rebuilds --silent log-search ignore 'ERROR: Test ".*" failed.
Exiting.'
python3 -m rebuilds --silent log-search ignore 'error: no match for .*'
# This is just a( non-obvious) way to finding all unmatched logs.
python3 -m rebuilds --silent log-search select '(?:(?:ch(?:own|grp)|install):
.*: Operation not permitted)|(?:mkdir.*Permission denied)' --dry-run -L >
logs-to-check
set +x
LINES="$(wc -l logs-to-check)"
echo "There are ${LINES} logs to check"
OpenPGP_signature.asc
Description: OpenPGP digital signature
