Jochen Sprickerhof:
Hi Santiago,[...]Thanks for opening that bug. Let me give some historic context first as I don't think it is written somewhere already.debrebuild uses the buildinfo files to create a chroot and those do not safe the installed fakeroot version. So initially debrebuild was not able to build any package that had not Rules-Requires-Root: no set. We discussed that back then and one option was to implement an heuristic to find a fitting fakeroot package but no one provided an implementation and it was not clear if it would actually work. At around the same time Niels worked a lot on R³ which resulted in no being the default and fixed those packages that broke by it. So I added a hack to debrebuild to assume Rules-Requires-Root: no when it was not set:https://salsa.debian.org/debian/devscripts/-/commit/4b297b8b
Historically, the `(fake)root` dependency was implicit and something the builder provided, so it is impossible for us to determine what was used as gain root command in theory. In practice it was `fakeroot` (sbuild, pbuilder, buildds) or real `root` (CI systems where the script run as root).
The safer option would be for `debrebuild` to always pull in `fakeroot` when in doubt. I would not like it personally because I want to remove `fakeroot` plus the design choice for only pulling in direct declared dependencies.
This allowed us to build a lot more packages but those with Rules- Requires-Root: binary-targets, like smartlist where still failing. Given that fakeroot was an implementation detail and that unshare -U basically provides the same needs I added a patch to sbuild to build those packages as root (inside the unshare chroot):https://salsa.debian.org/debian/sbuild/-/commit/08b79ae4 And enabled that for debrebuild: https://salsa.debian.org/debian/devscripts/-/commit/bf176207This works for most packages and my list of packages failing in trixie currently is:openpgp-applet (should be fixed with a new upload #1109426) shellia: tests for fakeroot and fails with unshare root bup: tests for fakeroot and fails with unshare root smartlist permission problem
For smartlist, I suspect the problem is:
```
override_dh_auto_install:
install -d -o ${smart} -g ${smart} -m 700 debian/tmp/var/list
```
The `-o ${smart} -g ${smart}` can likely be removed, since `dh_fixperms`
will reset all of those things later to `root:root` followed by the code
running after `dh_fixperms` that will reset owner one more time. I
suspect the `-m 700` might be redundant there, but it is less
problematic once the `-o` disappears.
The only exception is if upstream's install script checks permissions and starts erroring out messes with them.
That being said, I do not understand this weird hybrid setup where we can do chown to root but we do not actually have root permissions. A true root (or `fakeroot`) would ignore the not being the owner and not having relevant permissions. A normal user would fall at the `install -o` part. I find it scary that we somehow managed to get/invent a new failure mode where we are 50% root. Therefore, I am less sure if my fix works here or it just runs into the "50% root" problem a few lines later now.
There are also some packages that do build but produce different results due to using chmod +s:freesweep, 9mount, asciijump, dodgindiamond2
I think 9mount could be fixed by just manually doing a `chmod` with the proper `+s` post `dh_fixperms` and drop the `chown` calls. For the others, a `dh-sequence-debputy-rrr` conversion should solve them and make them fully rootless. Otherwise, perhaps the chmod/chgrp would need re-ordering.
And interestingly this also found a number of packages that encodes the fakeroot LD_LIBRARY_PATH into the package:https://reproduce.debian.net/amd64/stats/#failed-to-reproduce:-fakeroot- in-LD-path https://reproduce.debian.net/all/stats/#failed-to-reproduce:-fakeroot- in-LD-pathI think those packages with the LD_LIBRARY_PATH should get a bug report like #1104998. For shellia and bup it should be enough to disable the tests
They can also `Build-Depends: fakeroot <!nocheck>` and run the tests under `fakeroot` if it is because the tests need to run under `(fake)root`. This is the correct thing to do if the test wants to run under root since the Debian packaging system expects tests to be run without root. Blindly calling `fakeroot` from `debian/rules` without a `Build-Depends` is a bug in the package - always was, just not very visible given `fakeroot` was always there.
and the rest should be patched to use the debputy package which is able to encode file permissions without needing (fake)root during the build. I have Cced Niels who already provided patches to other packages for that. Maybe he could provide patches for smartlist and the other packages as well.
I am less sure if `smartlist` could be converted to `dh-sequence-debputy-rrr` since it seems to disable `dh_md5sums` explicitly, which is currently not supported under `debputy` currently. I would have to understand the use-case and add support for it first provided the conversion has any interest at all.
In the long run we want to deprecate the use of fakeroot and requiring root during the build in general. Once that happened and all packages where rebuild we can also remove those hacks in debrebuild and sbuild.Cheers Jochen
Best regards, Niels
OpenPGP_signature.asc
Description: OpenPGP digital signature
