On 16/04/14 21:36, Thomas Bächler wrote:
On 16.04.2014 12:21, Allan McRae wrote:
Just submitted a patch to pacman that will allow setting capabilities in the package() function.
Since we want PAX support to remain optional, we'd still need hooks so that after each upgrade, a script can adjust the flags appropriately.
Sure... I really don't care about PAX (and think it should just be packaged in a separate repo...). I just wanted pacman to support setting capabilities during packaging.
I am not sure that your patch will work at all due to limitations of fakeroot. I just tested this shortly, and fakeroot supports setting file capabilities using setcap, but not setting ACLs using setfacl.
So, support for extended attributes in fakeroot is incomplete at best.
A further look indicates that this may simply be stupidity on the side of fakeroot: it explicitly hardcodes ENOTSUP for acl_{s,g}et_f{ile,d}, while the now implemented f{s,g}etxattr support should be sufficient in order to support ACLs entirely. I guess these acl overrides are remnants of the days when xattr support was missing.
Anyway, we need to fix fakeroot before this makepkg feature can be useful.
Getting off-topic... but only one package in our repos uses setfacl (systemd on the journal directory) in its install script, and seven use setcap. Getting the majority case fixed is still worth including this in my opinion. We can deal with get/setfacl when fakeroot does properly. Any chance you can take that upstream? Also, I really thought setcap would be used in more install scripts!

A