dpkg-buildpackage: Add support for rootless builds

Implement the rootless-builds specification, by honoring the Rules-Requires-Root (R³) field.
author: Guillem Jover <guillem@debian.org> 2017-09-17 12:18:15 +0200
committer: Guillem Jover <guillem@debian.org> 2017-09-24 21:03:10 +0200
commit: fca1bfe8406898105d1d724fb808f0cbcf985ae4 (patch)
tree: 7fc20ba945977bb370d3762f21c84fa1830ee93d /scripts
parent: b3608a01a8ac1416f0620bdf03d497c5b761b244 (diff)
download: dpkg-fca1bfe8406898105d1d724fb808f0cbcf985ae4.tar.gz
2 files changed, 92 insertions, 13 deletions
diff --git a/scripts/Dpkg/Control/FieldsCore.pm b/scripts/Dpkg/Control/FieldsCore.pm
index f5c38d635..8f5d7f34a 100644
--- a/scripts/Dpkg/Control/FieldsCore.pm
+++ b/scripts/Dpkg/Control/FieldsCore.pm
@@ -416,6 +416,11 @@ our %FIELDS = (
         allowed => CTRL_TESTS,
         separator => FIELD_SEP_SPACE,
     },
+    'rules-requires-root' => {
+        name => 'Rules-Requires-Root',
+        allowed => CTRL_INFO_SRC,
+        separator => FIELD_SEP_SPACE,
+    },
     'section' => {
         name => 'Section',
         allowed => CTRL_INFO_SRC | CTRL_INDEX_SRC | ALL_PKG,
diff --git a/scripts/dpkg-buildpackage.pl b/scripts/dpkg-buildpackage.pl
index 2bdae7b18..affcca8d0 100755
--- a/scripts/dpkg-buildpackage.pl
+++ b/scripts/dpkg-buildpackage.pl
@@ -178,6 +178,12 @@ my $changedby;
 my $desc;
 my @buildinfo_opts;
 my @changes_opts;
+my %target_legacy_root = map { $_ => 1 } qw(
+    clean binary binary-arch binary-indep
+);
+my %target_official =  map { $_ => 1 } qw(
+    clean build build-arch build-indep binary binary-arch binary-indep
+);
 my @hook_names = qw(
     init preclean source build binary buildinfo changes postclean check sign done
 );
@@ -431,6 +437,7 @@ my $cwd = cwd();
 my $dir = basename($cwd);
 
 my $changelog = changelog_parse();
+my $ctrl = Dpkg::Control::Info->new();
 
 my $pkg = mustsetvar($changelog->{source}, g_('source package'));
 my $version = mustsetvar($changelog->{version}, g_('source version'));
@@ -455,6 +462,10 @@ if ($changedby) {
 # <https://reproducible-builds.org/specs/source-date-epoch/>
 $ENV{SOURCE_DATE_EPOCH} ||= $changelog->{timestamp} || time;
 
+# Check whether we are doing some kind of rootless build, and sanity check
+# the fields values.
+my %rules_requires_root = parse_rules_requires_root($ctrl);
+
 my @arch_opts;
 push @arch_opts, ('--host-arch', $host_arch) if $host_arch;
 push @arch_opts, ('--host-type', $host_type) if $host_type;
@@ -538,20 +549,14 @@ if ($checkbuilddep) {
 }
 
 foreach my $call_target (@call_target) {
-    if ($call_target_as_root or
-        $call_target =~ /^(clean|binary(|-arch|-indep))$/)
-    {
-        run_cmd(@rootcommand, @debian_rules, $call_target);
-    } else {
-        run_cmd(@debian_rules, $call_target);
-    }
+    run_rules_cond_root($call_target);
 }
 exit 0 if scalar @call_target;
 
 run_hook('preclean', ! $noclean);
 
 unless ($noclean) {
-    run_cmd(@rootcommand, @debian_rules, 'clean');
+    run_rules_cond_root('clean');
 }
 
 run_hook('source', build_has_any(BUILD_SOURCE));
@@ -568,14 +573,16 @@ run_hook('build', build_has_any(BUILD_BINARY));
 
 # XXX Use some heuristics to decide whether to use build-{arch,indep} targets.
 # This is a temporary measure to not break too many packages on a flag day.
-build_target_fallback();
+build_target_fallback($ctrl);
 
 my $build_types = get_build_options_from_type();
 
 if (build_has_any(BUILD_BINARY)) {
-    run_cmd(@debian_rules, $buildtarget);
+    # If we are building rootless, there is no need to call the build target
+    # independently as non-root.
+    run_cmd(@debian_rules, $buildtarget) if rules_requires_root($buildtarget);
     run_hook('binary', 1);
-    run_cmd(@rootcommand, @debian_rules, $binarytarget);
+    run_rules_cond_root($binarytarget);
 }
 
 run_hook('buildinfo', 1);
@@ -607,7 +614,7 @@ close $changes_fh or subprocerr(g_('dpkg-genchanges'));
 run_hook('postclean', $cleansource);
 
 if ($cleansource) {
-    run_cmd(@rootcommand, @debian_rules, 'clean');
+    run_rules_cond_root('clean');
 }
 
 chdir('..') or syserr('chdir ..');
@@ -678,11 +685,73 @@ sub mustsetvar {
     return $var;
 }
 
+sub parse_rules_requires_root {
+    my $ctrl = shift;
+
+    my %rrr;
+    my $rrr = $ctrl->{'Rules-Requires-Root'} // 'binary-targets';
+    my $keywords_base;
+    my $keywords_impl;
+
+    foreach my $keyword (split ' ', $rrr) {
+        if ($keyword =~ m{/}) {
+            if ($keyword =~ m{^dpkg/target/(.*)$}p and $target_official{$1}) {
+                error(g_('disallowed target in %s field keyword %s'),
+                      'Rules-Requires-Root', $keyword);
+            } elsif ($keyword ne 'dpkg/target-subcommand') {
+                error(g_('unknown %s field keyword %s in dpkg namespace'),
+                      'Rules-Requires-Root', $keyword);
+            }
+            $keywords_impl++;
+        } else {
+            if ($keyword ne 'no' and $keyword ne 'binary-targets') {
+                warning(g_('unknown %s field keyword %s'),
+                        'Rules-Requires-Root', $keyword);
+            }
+            $keywords_base++;
+        }
+
+        if ($rrr{$keyword}++) {
+            error(g_('field %s contains duplicate keyword %s'),
+                        'Rules-Requires-Root', $keyword);
+        }
+    }
+
+    if ($keywords_base > 1 or $keywords_base and $keywords_impl) {
+        error(g_('%s field contains both global and implementation specific keywords'),
+              'Rules-Requires-Root');
+    } elsif ($keywords_impl) {
+        # Set only on <implementations-keywords>.
+        $ENV{DPKG_GAIN_ROOT_CMD} = join ' ', @rootcommand;
+    }
+
+    return %rrr;
+}
+
 sub run_cmd {
     printcmd(@_);
     system @_ and subprocerr("@_");
 }
 
+sub rules_requires_root {
+    my $target = shift;
+
+    return 1 if $call_target_as_root;
+    return 1 if $rules_requires_root{"dpkg/target/$target"};
+    return 1 if $rules_requires_root{'binary-targets'} and $target_legacy_root{$target};
+    return 0;
+}
+
+sub run_rules_cond_root {
+    my $target = shift;
+
+    my @cmd;
+    push @cmd, @rootcommand if rules_requires_root($target);
+    push @cmd, @debian_rules, $target;
+
+    run_cmd(@cmd);
+}
+
 sub run_hook {
     my ($name, $enabled) = @_;
     my $cmd = $hook{$name};
@@ -787,13 +856,18 @@ sub describe_build {
 }
 
 sub build_target_fallback {
+    my $ctrl = shift;
+
+    # If we are building rootless, there is no need to call the build target
+    # independently as non-root.
+    return if not rules_requires_root($buildtarget);
+
     return if $buildtarget eq 'build';
     return if scalar @debian_rules != 1;
 
     # Check if we are building both arch:all and arch:any packages, in which
     # case we now require working build-indep and build-arch targets.
     my $pkg_arch = 0;
-    my $ctrl = Dpkg::Control::Info->new();
 
     foreach my $bin ($ctrl->get_packages()) {
         if ($bin->{Architecture} eq 'all') {
author	Guillem Jover <guillem@debian.org>	2017-09-17 12:18:15 +0200
committer	Guillem Jover <guillem@debian.org>	2017-09-24 21:03:10 +0200
commit	fca1bfe8406898105d1d724fb808f0cbcf985ae4 (patch)
tree	7fc20ba945977bb370d3762f21c84fa1830ee93d /scripts
parent	b3608a01a8ac1416f0620bdf03d497c5b761b244 (diff)
download	dpkg-fca1bfe8406898105d1d724fb808f0cbcf985ae4.tar.gz