WIP: run0 support

Signed-off-by: Christian Heusel <christian@heusel.eu>

contrib/completion/bash/devtools.in

@@ -150,6 +150,7 @@ _pkgctl_cmds=(
 	db
 	diff
 	issue
+	license
 	release
 	repo
 	search

doc/man/offload-build.1.asciidoc

@@ -14,7 +14,7 @@ Description
 
 Build a PKGBUILD on a remote server using makechrootpkg. Requires a remote user
 that can run archbuild in a non-interactive manner, e.g. must be able to
-elevate permissions using passwordless sudo.
+elevate permissions using passwordless run0.
 
 Options
 -------

doc/man/pkgctl-auth.1.asciidoc

@@ -3,7 +3,7 @@ pkgctl-auth(1)
 
 Name
 ----
-pkgctl-auth - Authenticate with serivces like GitLab.
+pkgctl-auth - Authenticate with services like GitLab.
 
 Synopsis
 --------

src/commitpkg.in

@@ -7,8 +7,6 @@ _DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
 # shellcheck source=src/lib/util/srcinfo.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/util/srcinfo.sh
-# shellcheck source=src/lib/state.sh
-source "${_DEVTOOLS_LIBRARY_DIR}"/lib/state.sh
 
 source /usr/share/makepkg/util/util.sh
 
@@ -157,7 +155,7 @@ if (( ${#needsversioning[*]} )); then
 		if [[ ! -f "${file}" ]]; then
 			continue
 		fi
-		if ! git ls-files --error-unmatch "$file"; then
+		if ! git ls-files --error-unmatch "$file" >/dev/null; then
 			die "%s is not under version control" "$file"
 		fi
 	done
@@ -248,9 +246,6 @@ declare -a uploads
 declare -a commit_arches
 declare -a skip_arches
 
-BUILD_STATE_DIR=$(get_state_folder "build-state")
-state_file=
-
 for _arch in "${arch[@]}"; do
 	if [[ -n $commit_arch && ${_arch} != "$commit_arch" ]]; then
 		skip_arches+=("$_arch")
@@ -264,12 +259,6 @@ for _arch in "${arch[@]}"; do
 			skip_arches+=("$_arch")
 			continue 2
 		fi
-
-		state_file="${BUILD_STATE_DIR}/$(basename "${pkgfile}").txt"
-		if [[ -f "${state_file}" ]] && [[ $(cat "${state_file}") != "${repo}" ]]; then
-			error "%s was not built against '%s', aborting" "${pkgfile}" "${repo}"
-			exit 1
-		fi
 		uploads+=("$pkgfile")
 	done
 

src/lib/archroot.sh

@@ -15,7 +15,11 @@ check_root() {
 	local orig_argv=("$@")
 
 	(( EUID == 0 )) && return
-	if type -P sudo >/dev/null; then
+	if type -P run0 >/dev/null; then
+		keepenv=",$keepenv"
+		command="run0 ${keepenv//,/ --setenv=}"
+		exec ${command} -- "${orig_argv[@]}"
+	elif type -P sudo >/dev/null; then
 		exec sudo --preserve-env="${keepenv}" -- "${orig_argv[@]}"
 	else
 		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"

src/lib/build/build.sh

@@ -12,8 +12,6 @@ source "${_DEVTOOLS_LIBRARY_DIR}"/lib/common.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/db/update.sh
 # shellcheck source=src/lib/release.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/release.sh
-# shellcheck source=src/lib/state.sh
-source "${_DEVTOOLS_LIBRARY_DIR}"/lib/state.sh
 # shellcheck source=src/lib/util/git.sh
 source "${_DEVTOOLS_LIBRARY_DIR}"/lib/util/git.sh
 # shellcheck source=src/lib/util/srcinfo.sh
@@ -131,7 +129,6 @@ pkgctl_build() {
 	local PKGVER=
 	local PKGREL=
 	local MESSAGE=
-	local BUILD_STATE_DIR=
 
 	local paths=()
 	local BUILD_ARCH=()
@@ -307,8 +304,6 @@ pkgctl_build() {
 		fi
 	fi
 
-	BUILD_STATE_DIR=$(get_state_folder "build-state")
-
 	# assign default worker slot
 	if [[ -z ${WORKER_SLOT} ]] && ! WORKER_SLOT="$(tty | sed 's|/dev/pts/||')"; then
 		WORKER_SLOT=$(( RANDOM % $(nproc) + 1 ))
@@ -486,26 +481,25 @@ pkgctl_build() {
 		# shellcheck disable=SC2119
 		write_srcinfo_file
 
-		# shellcheck disable=2119
+		# test-install (some of) the produced packages
-		load_makepkg_config
+		if [[ ${INSTALL_TO_HOST} == auto ]] || [[ ${INSTALL_TO_HOST} == all ]]; then
+			# shellcheck disable=2119
+			load_makepkg_config
 
-		# this is inspired by print_all_package_names from libmakepkg
+			# this is inspired by print_all_package_names from libmakepkg
-		local version pkg_architecture pkg pkgfile
+			local version pkg_architecture pkg pkgfile
-		version=$(get_full_version)
+			version=$(get_full_version)
 
-		for pkg in "${pkgname[@]}"; do
+			for pkg in "${pkgname[@]}"; do
-			pkg_architecture=$(get_pkg_arch "$pkg")
+				pkg_architecture=$(get_pkg_arch "$pkg")
-			pkgpath=$(realpath "$(printf "%s\n" "${PKGDEST:-.}")")
+				pkgfile=$(realpath "$(printf "%s/%s-%s-%s%s\n" "${PKGDEST:-.}" "$pkg" "$version" "$pkg_architecture" "$PKGEXT")")
-			pkgfile=$(printf "%s-%s-%s%s\n" "$pkg" "$version" "$pkg_architecture" "$PKGEXT")
 
-			# check if we install all packages or if the (split-)package is already installed
+				# check if we install all packages or if the (split-)package is already installed
-			if [[ ${INSTALL_TO_HOST} == all ]] || ( [[ ${INSTALL_TO_HOST} == auto ]] && pacman -Qq -- "$pkg" &>/dev/null ); then
+				if [[ ${INSTALL_TO_HOST} == all ]] || ( [[ ${INSTALL_TO_HOST} == auto ]] && pacman -Qq -- "$pkg" &>/dev/null ); then
-				INSTALL_HOST_PACKAGES+=("${pkgpath}/${pkgfile}")
+					INSTALL_HOST_PACKAGES+=("$pkgfile")
-			fi
+				fi
-
+			done
-			# save against which repo we have built the package
+		fi
-			printf "%s" "${pkgrepo}" > "${BUILD_STATE_DIR}/${pkgfile}.txt"
-		done
 
 		# release the build
 		if (( RELEASE )); then

src/lib/license/setup.sh

@@ -188,10 +188,13 @@ path = [
     "README.md",
     "keys/**",
     ".SRCINFO",
+    ".gitignore",
     ".nvchecker.toml",
     "*.install",
     "*.sysusers",
+    "*sysusers.conf",
     "*.tmpfiles",
+    "*tmpfiles.conf",
     "*.logrotate",
     "*.pam",
     "*.service",

src/lib/state.sh

@@ -1,18 +0,0 @@
-#!/hint/bash
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-[[ -z ${DEVTOOLS_INCLUDE_STATE_SH:-} ]] || return 0
-DEVTOOLS_INCLUDE_STATE_SH=1
-
-set -e
-
-readonly XDG_DEVTOOLS_STATE_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/devtools"
-
-get_state_folder() {
-	local foldername=$1
-	local path="${XDG_DEVTOOLS_STATE_DIR}/${foldername}"
-
-	mkdir --parents -- "$path"
-	printf '%s' "${path}"
-}

src/makechrootpkg.in

@@ -185,10 +185,18 @@ prepare_chroot() {
 		echo "$x" >>"$copydir/etc/makepkg.conf"
 	done
 
-	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
+	# TODO(gromit): check if this rule is sane
-builduser ALL = NOPASSWD: /usr/bin/pacman
+	# TODO(gromit): this will require a full container
+	cat > "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules" <<EOF
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units") {
+        if (subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+        }
+    }
+});
 EOF
-	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+	chmod 440 "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules"
 
 	cat > "$copydir/etc/gitconfig" <<EOF
 [safe]
@@ -222,17 +230,14 @@ _chrootbuild() {
 	# shellcheck source=/dev/null
 	. /etc/profile
 
-	# Beware, there are some stupid arbitrary rules on how you can
+	run0 --setenv=SOURCE_DATE_EPOCH \
-	# use "$" in arguments to commands with "sudo -i".  ${foo} or
+		 --setenv=BUILDTOOL \
-	# ${1} is OK, but $foo or $1 isn't.
+		 --setenv=BUILDTOOLVER \
-	# https://bugzilla.sudo.ws/show_bug.cgi?id=765
+		 --via-shell --chdir='~' \
-	sudo --preserve-env=SOURCE_DATE_EPOCH \
+		 --user=builduser -- bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
-		--preserve-env=BUILDTOOL \
-		--preserve-env=BUILDTOOLVER \
-		-iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
 	ret=$?
 	case $ret in
-		0|14)
+		0)
 			return 0;;
 		*)
 			return $ret;;
@@ -243,7 +248,7 @@ _chrootnamcap() {
 	pacman -S --needed --noconfirm namcap
 	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
 		echo "Checking ${pkgfile##*/}"
-		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+		run0 --user=builduser -- namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
 	done
 }
 
@@ -252,8 +257,12 @@ download_sources() {
 	chown "$makepkg_user:" "$WORKDIR"
 
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
+	run0 --user="$makepkg_user" \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+		--setenv=GNUPGHOME \
+		--setenv=SSH_AUTH_SOCK \
+		--setenv=SRCDEST="$SRCDEST" \
+		--setenv=BUILDDIR="$WORKDIR" \
+		--chdir=. -- \
 		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
 		die "Could not download sources."
 }
@@ -400,7 +409,7 @@ if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"
 then
-	mapfile -t pkgnames < <(sudo -u "$makepkg_user" bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
+	mapfile -t pkgnames < <(run0 --user="$makepkg_user" -- bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
 	move_products
 else
 	(( ret += 1 ))
@@ -453,7 +462,7 @@ else
 		done
 
 		msg2 "Checking packages"
-		sudo -u "$makepkg_user" checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
+		run0 --user="$makepkg_user" -- checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
 	fi
 	true
 fi

src/makerepropkg.in

@@ -192,7 +192,7 @@ for p in "$@"; do
         pkgfile=${pkgfile_remote#file://}
         if [[ ! -f ${pkgfile} ]]; then
             msg "Downloading package '%s' into pacman's cache" "${pkgfile}"
-            sudo pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
+            run0 -- pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
             pkgfile_remote=$(pacman -Sddp "${p}" 2>/dev/null)
             pkgfile="${pkgfile_remote#file://}"
         fi