Hi:

Michael Schwendt wrote, at 09/12/2013 07:47 PM +9:00:
> On Thu, 12 Sep 2013 00:29:58 +0900, Mamoru TASAKA wrote:
>> Well, I have been wondering about this for so long. Actually creating debuginfo,
>> stripping shared libs and making the shared libs non executable can
>> be accomplished by using %attr, i.e.
>> - At %install, install the shared libs with 0755 as before
>> - On %files, explicitly mark the files with %attr(0644,root,root)
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=5923317
>>
>> Some other distros make non-executable shared libs 0644 permission.
>> Is the %attr approach for this case allowed / preferable / discouraged ?
>
> It is widely accepted practice to limit %attr usage to really special
> permissions (such as setuid, setgid) and ownership (non-root user and/or
> group), so where that is done in a spec file, it sticks out.
> In packages with many files, overusing %attr would decrease readability
> even when using spec syntax-highlighting. Ordinary file permissions should
> get fixed in %install and upstream.
>
> Is it guaranteed that %attr will set the permission _after_ debuginfo
> generation?

Yes, because debuginfo generation is done at %__spec_install_post,
and %check follows after that.

> AFAIK, the only thing that wants +x on these libs is the debuginfo
> generator, and IIRC there's support already for flipping a flag and making
> it work with non-executables, too.

Well, currently I don't know that.

> ldd still warns about non-executable libs. And the build tools are not
> specific to Fedora/Linux, so they will likely keep making .so files +x.

(While I don't know well about Debian) it seems at least Debian makes
.so files 0644 for most cases (and perhaps also Ubuntu), ref:
https://lists.fedoraproject.org/pipermail/devel/2011-March/149822.html
https://lists.fedoraproject.org/pipermail/devel/2011-March/149857.html

> How many of the libs contain special code that can be run?

Perhaps libc, libpthread and some very special exceptions.

> I don't want to imagine a large configure script running a lib for
> some version check or feature list. Would packagers need to check every
> lib for whether it may be run or not?

So I think for most cases they do not (need not) run, and only quite
a few cases should be concerned.

Regards,
Mamoru