[sorry for the dupe, hit send by mistake :(]

On 2019-11-24 12:13:20, Antoine Beaupré wrote:
> On 2019-11-23 18:34:25, Julien Cristau wrote:
>> On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote:
>>> diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog >>> ganeti-instance-debootstrap-0.16/debian/changelog >>> --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 >>> 06:57:18.000000000 -0400 >>> +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 >>> 19:01:50.000000000 -0400 >>> @@ -1,3 +1,10 @@ >>> +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium
>>
>> Version number and distribution don't look right.
>
> Ah yes, that would be 0.16-6+deb10u1, right?
Attached a better debdiff with the right version number. I'm now part of the ganeti team so this is actually a team upload now, and the patch has been merged in the salsa repo.

[...]

>>
>> I'm a bit uneasy about a blanket "include all", to be honest. It's
>> probably harmless since it's all coming straight out of debootstrap, but
>> I'd have been happier with something like "include security.*" if that's
>> what we expect to see.
>
> What kind of problems would you expect with including too many ACLs?

I'm still curious to hear what kind of problems you expect here.

I've been running this patch in production for months now and would really like to see this land in buster (and hopefully stretch next).

Can I upload the package now?

Thanks!

--
Men are taught to apologize for their weaknesses, women for their strengths.
 - Lois Wyse

diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog ganeti-instance-debootstrap-0.16/debian/changelog --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 06:57:18.000000000 -0400 +++ ganeti-instance-debootstrap-0.16/debian/changelog 2020-02-07 17:11:06.000000000 -0500 @@ -1,3 +1,10 @@ +ganeti-instance-debootstrap (0.16-6+deb10u1) buster; urgency=medium + + * Team upload. + * add patch to respect linux caps (Closes: #942114) + + -- Antoine Beaupré <anar...@debian.org> Fri, 07 Feb 2020 17:11:06 -0500 + ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium * Bump Standards-Version to 4.1.4; no changes needed diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch --- ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 1969-12-31 19:00:00.000000000 -0500 +++ ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 2020-02-07 17:11:06.000000000 -0500 
@@ -0,0 +1,48 @@ +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> +Date: Thu, 10 Oct 2019 11:07:51 -0400 +Subject: [PATCH] respect Linux capabilities(7) in cache + +The default GNU tar configuration does not carry fancy extended +attributes and that is where, among other things, stuff like Linux +capabilities(7) are stored. This is kind of important because that's +how ping(8) works for regular users. + +We shove --selinux and --acls in there while we're at it, because why +not. We never know what the future might bring, and it seems +silly *not* to create a complete archive. + +Note that --xattrs-include='*' is important because, by default, GNU +tar will not include capabilities /even/ if --xattrs is specified on +the commandline, see this bug report for details: + +https://bugzilla.redhat.com/show_bug.cgi?id=771927 +--- + create | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/create b/create +index 607bab2..7526e71 100755 +--- a/create ++++ b/create +@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then + fi + + if [ -f "$CACHE_FILE" ]; then +- tar xf "$CACHE_FILE" -C $TMPDIR ++ tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR + else + if [ "$PROXY" ]; then + export http_proxy="$PROXY" +@@ -109,7 +109,7 @@ else + + if [ "$GENERATE_CACHE" = "yes" ]; then + TMP_CACHE=`mktemp "${CACHE_FILE}.XXXXXX"` +- tar cf "$TMP_CACHE" -C $TMPDIR . ++ tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR . + mv -f "$TMP_CACHE" "$CACHE_FILE" + fi + fi +-- +2.20.1 + diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/series ganeti-instance-debootstrap-0.16/debian/patches/series --- ganeti-instance-debootstrap-0.16/debian/patches/series 2018-06-20 06:57:18.000000000 -0400 +++ ganeti-instance-debootstrap-0.16/debian/patches/series 2020-02-07 17:11:06.000000000 -0500 
@@ -1 +1,2 @@ +respect-Linux-capabilities-7-in-cache.patch fix-sfdisk-BLKRRPART.patch
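
Review bot: In the debian/changelog hunk, the entry "add patch to respect linux caps" understates what the referenced patch changes: it also passes --acls, --selinux and --xattrs-include='*' to tar, so the cache tarball now carries ACLs, SELinux contexts and every extended attribute, not only capabilities. For an upload targeted at buster, the entry should name the full behaviour change, for example "preserve ACLs, SELinux contexts and all xattrs (including capabilities) in the cache tarball".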
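
Review bot: In the "@@ -83,7 +83,7 @@" hunk of create, the extract branch runs whenever "$CACHE_FILE" already exists, and a cache written earlier by the old "tar cf" line has no extended attributes in it, so instances built from a pre-upgrade cache still come up without capabilities even with the new -x flags. Nothing in the patch invalidates such a cache. Either document that existing caches must be removed or rebuilt after upgrading (the CLEAN_CACHE path visible in the hunk context already deletes them), or regenerate them on upgrade. While the line is being rewritten, -C $TMPDIR could also be quoted the way "$CACHE_FILE" is.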
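
Review bot: In the "@@ -109,7 +109,7 @@" hunk of create, --xattrs-include='*' on the -c line archives every xattr namespace found under $TMPDIR, which is wider than the commit message's stated goal of capabilities(7) and is the concern raised in review ("include security.*"). If the blanket pattern is intended, the commit message should give a reason beyond "why not"; otherwise narrow the pattern on the create line and keep the extract line in the earlier hunk matching it, so the two sides cannot drift apart. $TMPDIR is unquoted on this line as well.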