On 6/17/19 12:38 PM, Manuel Reimer wrote:
> On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
>> That being said, it's possible to configure sudo to run makechrootpkg, but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=... makechrootpkg.
>
> I've tried several times to just launch makechrootpkg with root privileges directly. As makechrootpkg drops to an unprivileged user inside the chroot, this should be perfectly safe.
>
> But I always ran into errors saying that makepkg is not allowed to be run as root.
>
> Does your SUDO_USER=... SUDO_UID=... command line allow launching directly as root without needing sudo at all? This is what I would need to make my autobuild work.

makechrootpkg uses the SUDO_USER/SUDO_UID variables to check which user it should use when dropping privileges while running makepkg --verifysource. By setting the variables, you thereby pretend to makechrootpkg that it has been run via sudo. Not doing *anything* to check which user to drop privileges to is the reason why running makechrootpkg as root is usually not going to work.

>> Yes -- do all signing locally, after the package leaves the build VM. If something goes wrong on the VM, you can remove the relevant packages without, say, revoking your key, so the security issue is less drastic.
>
> This would also be a possible way. Sign packages where the signature is outdated, delete signatures that don't belong to packages and finally repo-add the whole stuff after deleting the db file.
>
> Is there a better tool than repo-add/repo-remove? I've been searching for some "repo-update" tool for quite a while now. A smart tool which doesn't recreate stuff and just updates a DB file would be pretty handy.

repo-add generally works pretty well, it doesn't recreate stuff anyway -- it unpacks the DB, adds the files you've specified to the DB, and then repacks the DB. If you're looking for something which scans a directory to find files which need to be updated, you can try "repose", but it has conflicting behavior as compared to repo-add, so you cannot mix and match repo-add and repose.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
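The refresh procedure described in the thread (sign packages whose signature is missing or outdated, delete signatures that belong to no package, delete the db and repo-add everything again), written out as an added shell example that is not from the thread and not part of pacman or devtools. It is meant to run on the signing host, not on the build VM, so the key never leaves the local machine. Assumptions: packages are named *.pkg.tar.* with a detached binary signature in "<pkg>.sig" next to them, and the signing and db commands default to "gpg --detach-sign --no-armor" and "repo-add"; both are taken from the SIGN_CMD and REPO_ADD variables so the script can be dry-run without a key.

```shell
#!/bin/sh
# refresh-repo.sh DIR DBNAME
# Added example, not pacman/devtools code. Refreshes a local repository
# directory in three steps: (1) sign packages whose .sig is missing or older
# than the package, (2) remove .sig files with no package, (3) delete the db
# and rebuild it from every package present.
# Package names are assumed to contain no whitespace (pacman names never do).

SIGN_CMD="${SIGN_CMD:-gpg --detach-sign --no-armor}"  # assumed default signer
REPO_ADD="${REPO_ADD:-repo-add}"                       # assumed default db tool

# needs_signature PKG: true when PKG has no .sig or the .sig is older than PKG
# (a rebuilt package with a stale signature must be re-signed).
needs_signature() {
    [ ! -e "$1.sig" ] || [ "$1" -nt "$1.sig" ]
}

# orphan_signatures DIR: print every .sig in DIR whose package file is gone.
orphan_signatures() {
    for sig in "$1"/*.pkg.tar*.sig; do
        [ -e "$sig" ] || continue
        [ -e "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
}

# refresh_repo DIR DBNAME: run the three steps; prints "<signed> <orphans>".
refresh_repo() {
    dir=$1
    db=$2
    signed=0
    orphans=0

    # Step 1: (re)sign packages with missing or outdated signatures.
    for pkg in "$dir"/*.pkg.tar*; do
        [ -e "$pkg" ] || continue
        case $pkg in *.sig) continue ;; esac
        if needs_signature "$pkg"; then
            rm -f "$pkg.sig"
            $SIGN_CMD "$pkg" || return 1
            signed=$((signed + 1))
        fi
    done

    # Step 2: drop signatures that no longer belong to any package.
    for sig in $(orphan_signatures "$dir"); do
        rm -f "$sig"
        orphans=$((orphans + 1))
    done

    # Step 3: delete the old db/files archives and re-add every package.
    rm -f "$dir/$db.db" "$dir/$db.db.tar.gz" "$dir/$db.files" "$dir/$db.files.tar.gz"
    set --
    for pkg in "$dir"/*.pkg.tar*; do
        [ -e "$pkg" ] || continue
        case $pkg in *.sig) ;; *) set -- "$@" "$pkg" ;; esac
    done
    $REPO_ADD "$dir/$db.db.tar.gz" "$@" || return 1

    printf '%s %s\n' "$signed" "$orphans"
}

# Only act when invoked with arguments, e.g.: sh refresh-repo.sh /srv/repo custom
if [ "$#" -ge 2 ]; then
    refresh_repo "$1" "$2"
fi
```

Running it with `SIGN_CMD=true REPO_ADD=true` on a copy of the directory shows what would be re-signed without touching the key; the printed "signed orphans" counts make it easy to spot a run that re-signs far more than the packages you just rebuilt.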