[cmake-developers] [CPackDeb][libarchive] removing use of fakeroot and supporting UID/GID/UNAME etc in libarchive

Raffi Enficiaud raffi.enficiaud at mines-paris.org
Tue Sep 15 08:15:33 EDT 2015


Le 15/09/15 11:00, Domen Vrankar a écrit :
>
> Sounds good.
> Those rules are written as guidelines and I'm not certain how often
> they are broken so could you also add a single variable for toggling
> between defaults described above and using file permissions as
> provided?
>

I think those are not really just "guidelines" if you ever want your 
source package to be published with a cmake toolchain (severity "serious").

Please find attached the "feature" based onto 68dba7f. I added the 
variable CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION and its 
component counterpart for controlling strict behaviour on the files 
added to control.tar.gz .

I added a test over lintian again, as I think lintian is the official 
tool for checking those things.

Please note that I was not able to check the produced documentation 
(although I updated it). I would be happy if you can do it, otherwise I 
will do tonight.

Thanks!
Raffi

PS.: what about the other patches?
-------------- next part --------------
>From 36f273c1e07651060deaea3b576150151ed65818 Mon Sep 17 00:00:00 2001
From: Raffi Enficiaud <raffi.enficiaud at mines-paris.org>
Date: Tue, 15 Sep 2015 11:26:53 +0200
Subject: [PATCH] fixUp! permissions on control files and strict Debian rules
 variable

---
 Modules/CPackDeb.cmake                  | 30 ++++++++++++++++++++++---
 Source/CPack/cmCPackDebGenerator.cxx    | 39 ++++++++++++++++++++++++++++++---
 Tests/CPackComponentsDEB/CMakeLists.txt | 19 ++++++++++++++++
 3 files changed, 82 insertions(+), 6 deletions(-)

diff --git a/Modules/CPackDeb.cmake b/Modules/CPackDeb.cmake
index 754df91..43b49f8 100644
--- a/Modules/CPackDeb.cmake
+++ b/Modules/CPackDeb.cmake
@@ -330,9 +330,30 @@
 #  .. note::
 #
 #    The original permissions of the files will be used in the final
-#    package. In particular, the scripts should have the proper executable
+#    package unless the variable
+#    :variable:`CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION` is set.
+#    In particular, the scripts should have the proper executable
 #    flag prior to the generation of the package.
-
+#
+# .. variable:: CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION
+#               CPACK_DEBIAN_<COMPONENT>_PACKAGE_CONTROL_STRICT_PERMISSION
+#
+#  This variable indicates if the Debian policy on control files should be
+#  strictly followed.
+#
+#  * Mandatory : NO
+#  * Default   : FALSE
+#
+#  Usage::
+#
+#   set(CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION TRUE)
+#
+#  .. note::
+#
+#    This overrides the permissions on the original files, following the rules
+#    set by Debian policy
+#    https://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners
+#
 
 #=============================================================================
 # Copyright 2007-2009 Kitware, Inc.
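Review bot: The description of CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION does not say what "strictly followed" changes in the produced package. Going by the generator change in this same patch, a sentence such as `#  When set, config, postinst, postrm, preinst and prerm are stored with mode 0755 and every other extra control file with mode 0644.` would let a packager know the outcome without reading the C++ code. The text should also state how the per-component variable relates to the global one.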
@@ -636,7 +657,7 @@ function(cpack_deb_prepare_package_vars)
   # Are we packaging components ?
   if(CPACK_DEB_PACKAGE_COMPONENT)
     # override values with per component version if set
-    foreach(VAR_NAME_ "PACKAGE_CONTROL_EXTRA")
+    foreach(VAR_NAME_ "PACKAGE_CONTROL_EXTRA" "PACKAGE_CONTROL_STRICT_PERMISSION")
       if(CPACK_DEBIAN_${_local_component_name}_${VAR_NAME_})
         set(CPACK_DEBIAN_${VAR_NAME_} "${CPACK_DEBIAN_${_local_component_name}_${VAR_NAME_}}")
       endif()
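Review bot: Adding `PACKAGE_CONTROL_STRICT_PERMISSION` to this loop inherits the truthiness test `if(CPACK_DEBIAN_${_local_component_name}_${VAR_NAME_})`, so a component can switch strict permissions on but cannot switch them off when the global variable is TRUE. A component value of FALSE fails the test and the global value is kept. For a boolean option the override should test `if(DEFINED CPACK_DEBIAN_${_local_component_name}_${VAR_NAME_})`, applied to this name only unless it is confirmed to be right for PACKAGE_CONTROL_EXTRA as well. The foreach body continues past the end of this hunk.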
@@ -658,6 +679,7 @@ function(cpack_deb_prepare_package_vars)
      message("CPackDeb:Debug: CPACK_PACKAGE_FILE_NAME           = ${CPACK_PACKAGE_FILE_NAME}")
      message("CPackDeb:Debug: CPACK_PACKAGE_INSTALL_DIRECTORY   = ${CPACK_PACKAGE_INSTALL_DIRECTORY}")
      message("CPackDeb:Debug: CPACK_TEMPORARY_PACKAGE_FILE_NAME = ${CPACK_TEMPORARY_PACKAGE_FILE_NAME}")
+     message("CPackDeb:Debug: CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION = ${CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION}")
   endif()
 
   # For debian source packages:
@@ -694,6 +716,8 @@ function(cpack_deb_prepare_package_vars)
   set(GEN_CPACK_DEBIAN_PACKAGE_PROVIDES "${CPACK_DEBIAN_PACKAGE_PROVIDES}" PARENT_SCOPE)
   set(GEN_CPACK_DEBIAN_PACKAGE_REPLACES "${CPACK_DEBIAN_PACKAGE_REPLACES}" PARENT_SCOPE)
   set(GEN_CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA}" PARENT_SCOPE)
+  set(GEN_CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION
+      "${CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION}" PARENT_SCOPE)
   set(GEN_WDIR "${WDIR}" PARENT_SCOPE)
 endfunction()
 
diff --git a/Source/CPack/cmCPackDebGenerator.cxx b/Source/CPack/cmCPackDebGenerator.cxx
index 981d86d..b497b65 100644
--- a/Source/CPack/cmCPackDebGenerator.cxx
+++ b/Source/CPack/cmCPackDebGenerator.cxx
@@ -576,9 +576,18 @@ int cmCPackDebGenerator::createDeb()
     control_tar.SetUNAME("root");
     control_tar.SetGNAME("root");
 
-    // set md5sum file permissions to RW-R--R-- so that deb lintian
-    // doesn't warn about it
-    control_tar.SetPermissions(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+    // permissions are set according to
+// https://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners
+    // and
+    // https://lintian.debian.org/tags/control-file-has-bad-permissions.html
+    const mode_t permission644 = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
+    const mode_t permissionExecute = S_IXUSR | S_IXGRP | S_IXOTH;
+    const mode_t permission755 = permission644 | permissionExecute;
+
+    // for md5sum and control (that we have generated here), we use 644
+    // (RW-R--R--)
+    // so that deb lintian doesn't warn about it
+    control_tar.SetPermissions(permission644);
 
     // adds control and md5sums
     if(   !control_tar.Add(md5filename, strGenWDIR.length(), ".")
@@ -593,12 +602,28 @@ int cmCPackDebGenerator::createDeb()
         return 0;
       }
 
+    // for the other files, we use
+    // -either the original permission on the files
+    // -either a permission strictly defined by the Debian policies
     const char* controlExtra =
       this->GetOption("GEN_CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA");
     if( controlExtra )
       {
       // permissions are now controlled by the original file permissions
+
+      const bool permissionStrictPolicy =
+        this->IsSet("GEN_CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION");
+
+      static const char* strictFiles[] = {
+        "config", "postinst", "postrm", "preinst", "prerm"
+        };
+      std::set<std::string> setStrictFiles(
+        strictFiles,
+        strictFiles + sizeof(strictFiles)/sizeof(strictFiles[0]));
+
+      // default
       control_tar.SetPermissions(-1);
+
       std::vector<std::string> controlExtraList;
       cmSystemTools::ExpandListArgument(controlExtra, controlExtraList);
       for(std::vector<std::string>::iterator i = controlExtraList.begin();
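Review bot: `this->IsSet("GEN_CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION")` appears to test only for a non-empty value, so a project that writes `set(CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION FALSE)` would still get the strict modes, contradicting the documented boolean with default FALSE. Using `this->IsOn("GEN_CPACK_DEBIAN_PACKAGE_CONTROL_STRICT_PERMISSION")` would make OFF/FALSE/0 behave as documented. The retained comment `// permissions are now controlled by the original file permissions` is no longer accurate when strict mode is on and should say that it describes the non-strict default. createDeb() starts and ends outside this hunk.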
@@ -608,6 +633,14 @@ int cmCPackDebGenerator::createDeb()
           cmsys::SystemTools::GetFilenameName(*i);
         std::string localcopy = strGenWDIR + "/" + filenamename;
 
+
+        if(permissionStrictPolicy)
+        {
+          control_tar.SetPermissions(setStrictFiles.count(filenamename) ?
+            permission755 : permission644);
+        }
+
+
         // if we can copy the file, it means it does exist, let's add it:
         if( cmsys::SystemTools::CopyFileIfDifferent(*i, localcopy) )
           {
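Review bot: The added `if(permissionStrictPolicy)` block puts its braces in the same column as the `if`, while the surrounding code in this function (for example `if( controlExtra )` and the `CopyFileIfDifferent` test just below) indents the braces two columns further. Match that layout and drop the doubled blank lines before and after the block so the addition reads like the rest of the loop. A short comment such as `// maintainer scripts get 0755, any other control file 0644` above the `SetPermissions` call would also make the two-way choice clear. The enclosing loop starts and ends outside this hunk.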
diff --git a/Tests/CPackComponentsDEB/CMakeLists.txt b/Tests/CPackComponentsDEB/CMakeLists.txt
index 5c4eeab..5a5d626 100644
--- a/Tests/CPackComponentsDEB/CMakeLists.txt
+++ b/Tests/CPackComponentsDEB/CMakeLists.txt
@@ -80,6 +80,25 @@ set(CPACK_COMPONENT_HEADERS_DESCRIPTION
 # depend on the libraries component.
 set(CPACK_COMPONENT_HEADERS_DEPENDS libraries)
 
+# creates preinst/prerm scripts with specific permissions. Those permissions
+# (especially executable) should be in the final archive
+find_program(CHMOD_PROG chmod)
+if(CHMOD_PROG)
+  file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/preinst "echo default_preinst")
+  file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/prerm "echo default_prerm")
+
+  # Those should have 755 permission normally. We mess it up to see if
+  # CPACK_DEBIAN_APPLICATIONS_PACKAGE_CONTROL_STRICT_PERMISSION is able to fix
+  # it.
+  execute_process(COMMAND ${CHMOD_PROG} 640 ${CMAKE_CURRENT_BINARY_DIR}/preinst)
+  execute_process(COMMAND ${CHMOD_PROG} 640 ${CMAKE_CURRENT_BINARY_DIR}/prerm)
+
+  set(CPACK_DEBIAN_APPLICATIONS_PACKAGE_CONTROL_EXTRA
+      "${CMAKE_CURRENT_BINARY_DIR}/preinst;${CMAKE_CURRENT_BINARY_DIR}/prerm")
+
+  set(CPACK_DEBIAN_APPLICATIONS_PACKAGE_CONTROL_STRICT_PERMISSION TRUE)
+endif()
+
 # We may use the CPack specific config file in order
 # to tailor CPack behavior on a CPack generator specific way
 # (Behavior would be different for RPM or TGZ or DEB ...)
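Review bot: The comment that opens this block says the scripts' on-disk permissions, especially the executable bit, should end up in the archive, but the block then sets them to 640 and relies on CPACK_DEBIAN_APPLICATIONS_PACKAGE_CONTROL_STRICT_PERMISSION to override them. Reword it along the lines of `# creates preinst/prerm with deliberately wrong permissions; strict mode should store them as 0755`. No check of the resulting modes is visible in this hunk, so the test presumably depends on a lintian run elsewhere; confirm that it actually fails when the scripts are packaged as 0640. The `execute_process` calls also ignore the exit status and pass unquoted paths; add `RESULT_VARIABLE` and quote `"${CMAKE_CURRENT_BINARY_DIR}/preinst"`.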
-- 
2.0.1


