On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
> That being said, it's possible to configure sudo to run makechrootpkg, but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=... makechrootpkg.
I've tried several times to just launch makechrootpkg with root privileges directly. As makechrootpkg drops to an unprivileged user inside the chroot, this should be perfectly safe. But I always ran into errors saying that makepkg is not allowed to be run as root. Does your SUDO_USER=... SUDO_UID=... command line allow launching directly as root without needing sudo at all? This is what I would need to make my autobuild work.
> Yes -- do all signing locally, after the package leaves the build VM. If something goes wrong on the VM, you can remove the relevant packages without, say, revoking your key, so the security issue is less drastic.
This would also be a possible way. Sign packages where the signature is outdated, delete signatures that don't belong to packages and finally repo-add the whole stuff after deleting the db file. Is there a better tool than repo-add/repo-remove? I've been searching for some "repo-update" tool for quite a while now. A smart tool which doesn't recreate stuff and just updates a DB file would be pretty handy.

Manuel
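The sign-locally workflow discussed in this message, sketched as an added example that is not code from either poster or from the Arch tools. It assumes "outdated" means the `.sig` is missing or older (by mtime) than its package; the database name passed as the second argument is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example. Run on the machine that holds the signing key, not the build VM.
# Assumption: a signature is "outdated" when missing or older than its package.
# Uses test's -nt operator (supported by bash, dash and busybox sh).

# Print packages in directory $1 that need a fresh detached signature.
stale_pkgs() {
    for pkg in "$1"/*.pkg.tar.*; do
        [ -f "$pkg" ] || continue             # unmatched glob
        case $pkg in *.sig) continue ;; esac  # skip the signatures themselves
        if [ ! -e "$pkg.sig" ] || [ "$pkg" -nt "$pkg.sig" ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Print signatures in directory $1 whose package file is gone.
orphan_sigs() {
    for sig in "$1"/*.pkg.tar.*.sig; do
        [ -f "$sig" ] || continue
        [ -e "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
}

# Re-sign stale packages, prune orphaned signatures, rebuild the database.
# $1 = repo directory, $2 = database file name (hypothetical, e.g. myrepo.db.tar.gz)
refresh_repo() {
    dir=$1 db=$2
    stale_pkgs "$dir" | while IFS= read -r f; do
        rm -f -- "$f.sig"
        # stdin is redirected so gpg cannot consume the package list
        gpg --detach-sign --no-armor --output "$f.sig" "$f" </dev/null || exit 1
    done || return 1                          # never publish after a failed signing
    orphan_sigs "$dir" | while IFS= read -r f; do rm -f -- "$f"; done
    rm -f -- "$dir/$db"
    set --                                    # collect package files as "$@"
    for f in "$dir"/*.pkg.tar.*; do
        case $f in *.sig) continue ;; esac
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    repo-add "$dir/$db" "$@"
}

if [ "$#" -eq 2 ]; then refresh_repo "$@"; fi
```

`stale_pkgs` and `orphan_sigs` only list files, so they can be run on their own to preview what `refresh_repo` would sign or delete.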