|
|
|
@@ -19,7 +19,7 @@ shopt -s nullglob
|
|
|
|
|
|
|
|
|
|
default_makepkg_args=(--syncdeps --noconfirm --log --holdver --skipinteg)
|
|
|
|
|
makepkg_args=("${default_makepkg_args[@]}")
|
|
|
|
|
verifysource_args=(--syncdeps --noconfirm --log)
|
|
|
|
|
verifysource_args=()
|
|
|
|
|
chrootdir=
|
|
|
|
|
passeddir=
|
|
|
|
|
makepkg_user=
|
|
|
|
@@ -175,7 +175,7 @@ prepare_chroot() {
|
|
|
|
|
printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
|
|
|
|
|
printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
|
|
|
|
|
|
|
|
|
|
$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest,verify/{gnupg,ssh}}
|
|
|
|
|
$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}
|
|
|
|
|
|
|
|
|
|
sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
|
|
|
|
|
for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
|
|
|
|
@@ -185,10 +185,18 @@ prepare_chroot() {
|
|
|
|
|
echo "$x" >>"$copydir/etc/makepkg.conf"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
|
|
|
|
|
builduser ALL = NOPASSWD: /usr/bin/pacman
|
|
|
|
|
# TODO(gromit): check if this rule is sane
|
|
|
|
|
# TODO(gromit): this will require a full container
|
|
|
|
|
cat > "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules" <<EOF
|
|
|
|
|
polkit.addRule(function(action, subject) {
|
|
|
|
|
if (action.id == "org.freedesktop.systemd1.manage-units") {
|
|
|
|
|
if (subject.isInGroup("wheel")) {
|
|
|
|
|
return polkit.Result.YES;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
EOF
|
|
|
|
|
chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
|
|
|
|
|
chmod 440 "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules"
|
|
|
|
|
|
|
|
|
|
cat > "$copydir/etc/gitconfig" <<EOF
|
|
|
|
|
[safe]
|
|
|
|
@@ -222,17 +230,14 @@ _chrootbuild() {
|
|
|
|
|
# shellcheck source=/dev/null
|
|
|
|
|
. /etc/profile
|
|
|
|
|
|
|
|
|
|
# Beware, there are some stupid arbitrary rules on how you can
|
|
|
|
|
# use "$" in arguments to commands with "sudo -i". ${foo} or
|
|
|
|
|
# ${1} is OK, but $foo or $1 isn't.
|
|
|
|
|
# https://bugzilla.sudo.ws/show_bug.cgi?id=765
|
|
|
|
|
sudo --preserve-env=SOURCE_DATE_EPOCH \
|
|
|
|
|
--preserve-env=BUILDTOOL \
|
|
|
|
|
--preserve-env=BUILDTOOLVER \
|
|
|
|
|
-iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
|
|
|
|
|
run0 --setenv=SOURCE_DATE_EPOCH \
|
|
|
|
|
--setenv=BUILDTOOL \
|
|
|
|
|
--setenv=BUILDTOOLVER \
|
|
|
|
|
--via-shell --chdir='~' \
|
|
|
|
|
--user=builduser -- bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
|
|
|
|
|
ret=$?
|
|
|
|
|
case $ret in
|
|
|
|
|
0|14)
|
|
|
|
|
0)
|
|
|
|
|
return 0;;
|
|
|
|
|
*)
|
|
|
|
|
return $ret;;
|
|
|
|
@@ -243,14 +248,23 @@ _chrootnamcap() {
|
|
|
|
|
pacman -S --needed --noconfirm namcap
|
|
|
|
|
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
|
|
|
|
|
echo "Checking ${pkgfile##*/}"
|
|
|
|
|
sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
|
|
|
|
|
run0 --user=builduser -- namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_download_sources() {
|
|
|
|
|
download_sources() {
|
|
|
|
|
setup_workdir
|
|
|
|
|
chown "$makepkg_user:" "$WORKDIR"
|
|
|
|
|
|
|
|
|
|
# Ensure sources are downloaded
|
|
|
|
|
sudo -u builduser env SRCDEST="/srcdest" GNUPGHOME="/verify/gnupg" SSH_AUTH_SOCK="/verify/ssh" \
|
|
|
|
|
bash -c "cd /startdir; makepkg --config=/etc/makepkg.conf --verifysource -o ${verifysource_args[*]}"
|
|
|
|
|
run0 --user="$makepkg_user" \
|
|
|
|
|
--setenv=GNUPGHOME \
|
|
|
|
|
--setenv=SSH_AUTH_SOCK \
|
|
|
|
|
--setenv=SRCDEST="$SRCDEST" \
|
|
|
|
|
--setenv=BUILDDIR="$WORKDIR" \
|
|
|
|
|
--chdir=. -- \
|
|
|
|
|
makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
|
|
|
|
|
die "Could not download sources."
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
move_logfiles() {
|
|
|
|
@@ -347,7 +361,6 @@ umask 0022
|
|
|
|
|
ORIG_HOME=$HOME
|
|
|
|
|
IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}")
|
|
|
|
|
load_makepkg_config
|
|
|
|
|
DEVTOOLS_GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
|
|
|
|
|
HOME=$ORIG_HOME
|
|
|
|
|
|
|
|
|
|
# Use PKGBUILD directory if these don't exist
|
|
|
|
@@ -379,6 +392,8 @@ if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
download_sources
|
|
|
|
|
|
|
|
|
|
prepare_chroot
|
|
|
|
|
|
|
|
|
|
nspawn_build_args=(
|
|
|
|
@@ -390,16 +405,11 @@ nspawn_build_args=(
|
|
|
|
|
"${bindmounts_tmpfs[@]}"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
arch-nspawn "$copydir" \
|
|
|
|
|
"${nspawn_build_args[@]}" --bind-ro="${DEVTOOLS_GNUPGHOME//:/\\:}:/verify/gnupg" --bind-ro="${SSH_AUTH_SOCK//:/\\:}:/verify/ssh" \
|
|
|
|
|
bash -c "$(declare -f _download_sources); verifysource_args=(${verifysource_args[*]}); _download_sources" ||
|
|
|
|
|
die "Could not download sources."
|
|
|
|
|
|
|
|
|
|
if arch-nspawn "$copydir" \
|
|
|
|
|
"${nspawn_build_args[@]}" \
|
|
|
|
|
/chrootbuild "${makepkg_args[@]}"
|
|
|
|
|
then
|
|
|
|
|
mapfile -t pkgnames < <(sudo -u "$makepkg_user" bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
|
|
|
|
|
mapfile -t pkgnames < <(run0 --user="$makepkg_user" -- bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
|
|
|
|
|
move_products
|
|
|
|
|
else
|
|
|
|
|
(( ret += 1 ))
|
|
|
|
@@ -452,7 +462,7 @@ else
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
msg2 "Checking packages"
|
|
|
|
|
sudo -u "$makepkg_user" checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
|
|
|
|
|
run0 --user="$makepkg_user" -- checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
|
|
|
|
|
fi
|
|
|
|
|
true
|
|
|
|
|
fi
|
|
|
|
|
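Review bot: In the prepare_chroot hunk, the polkit rule written to `10-systemd-nopasswd.rules` returns `polkit.Result.YES` for `org.freedesktop.systemd1.manage-units` to every member of `wheel`, which is much broader than the sudoers entry shown next to it (`builduser ALL = NOPASSWD: /usr/bin/pacman`), and the two TODO comments leave that question open. Unit management presumably covers the transient units that run0 itself relies on, so a matching subject in the chroot is no longer limited to pacman and is effectively root there. The `builduser` passwd line earlier in the function shows no `wheel` membership, so it is also unclear from here whether the rule matches the intended account. I would key the rule to the account instead, `if (subject.user == "builduser") {`, and replace the TODOs with a comment saying that this grants builduser root inside the build container and why that is acceptable. prepare_chroot starts and ends outside the hunk, so group setup may happen in lines not shown.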