On 6/17/19 12:38 PM, Manuel Reimer wrote:
> On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
>> That being said, it's possible to configure sudo to run makechrootpkg,
>> but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=...
>> makechrootpkg.
>
> I've tried several times to just launch makechrootpkg with root
> privileges directly. As makechrootpkg drops to an unprivileged user
> inside the chroot, this should be perfectly safe.
>
> But I always ran into errors saying that makepkg is not allowed to be
> run as root.
>
> Does your SUDO_USER=... SUDO_UID=... command line allow to directly
> launch as root without needing sudo at all? This is what I would need to
> make my autobuild work.

makechrootpkg uses the SUDO_USER/SUDO_UID variables to check which user
it should use when dropping privileges while running makepkg
--verifysource. By setting the variables, you thereby pretend to
makechrootpkg that it has been run via sudo.

Not doing *anything* to check which user to drop privileges to, is the
reason why running makechrootpkg as root is usually not going to work.

>> Yes -- do all signing locally, after the package leaves the build VM. If
>> something goes wrong on the VM, you can remove the relevant packages
>> without, say, revoking your key, so the security issue is less drastic.
>
> This would also be a possible way. Sign packages where the signature is
> outdated, delete signatures that don't belong to packages and finally
> repo-add the whole stuff after deleting the db file.
>
> Is there a better tool than repo-add/repo-remove? I've been searching for
> some "repo-update" tool for quite a while now. A smart tool which
> doesn't recreate stuff and just updates a DB file would be pretty handy.

repo-add generally works pretty well, it doesn't recreate stuff anyway
-- it unpacks the DB, adds the files you've specified to the DB, and
then repacks the DB.

If you're looking for something which scans a directory to find files
which need to be updated, you can try "repose", but it has conflicting
behavior as compared to repo-add, so you cannot mix and match repo-add
and repose.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
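
The local signing pass discussed in the message above, as an added example that is not part of the original thread or of pacman/devtools. It assumes a flat repo directory, detached signatures named <pkg>.sig, and that "outdated" means the package file is newer than its signature; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: sign on the trusted machine after packages leave the build VM.
# Assumptions: flat repo directory, signatures stored as <pkg>.sig, and a
# signature counts as outdated when the package file is newer than it.

# Print packages that have no signature or a signature older than the package.
stale_packages() {
    for pkg in "$1"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac
        [ -f "$pkg" ] || continue          # unmatched glob stays literal
        if [ ! -e "$pkg.sig" ] || [ "$pkg" -nt "$pkg.sig" ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Print signatures whose package file no longer exists.
orphan_signatures() {
    for sig in "$1"/*.pkg.tar.*.sig; do
        [ -f "$sig" ] || continue
        [ -e "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
}

# Drop orphaned signatures, re-sign stale packages, then let repo-add
# update the existing DB with only the packages that changed.
sync_repo() {
    repo_dir=$1 db=$2
    orphan_signatures "$repo_dir" | while IFS= read -r sig; do
        rm -f -- "$sig"
    done
    stale_packages "$repo_dir" | while IFS= read -r pkg; do
        gpg --batch --yes --detach-sign --output "$pkg.sig" "$pkg" || exit 1
        repo-add "$db" "$pkg" || exit 1
    done
}

# Usage (placeholder paths): sh sync.sh /srv/repo /srv/repo/custom.db.tar.gz
if [ "${1:-}" ] && [ "${2:-}" ]; then sync_repo "$1" "$2"; fi
```

DB entries for packages that were deleted from the directory are not touched here; those still need repo-remove with the package name.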