commit: c2a3e929650d327c5f57ec2f646b1cb749d60843 |
Author: Mart Raudsepp <leio <AT> gentoo <DOT> org> |
AuthorDate: Wed Sep 29 12:11:13 2021 +0000 |
Commit: Mart Raudsepp <leio <AT> gentoo <DOT> org> |
CommitDate: Wed Sep 29 12:11:13 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a3e929 |
|
gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70 |
|
Always disable libcap-ng dependency. |
Drop cap_ipc_lock capability setting that was needed for libcap-ng case, |
but does not work right with glib-2.70 stricter security checks. This |
unbreaks the dbus service when ran with glib-2.70 or later. |
This matches what was done in Fedora and Debian for the time being (they |
had always built with our equivalent of USE=caps) to fix the compatibility. |
|
There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work |
afterwards; however, when it doesn't, it falls back to arguably less secure |
malloc (the memory could be swapped out) and doesn't lose actual |
functionality. This was the case already with larger keyrings, and thus |
not a security regression in practice. If you want extra security, encrypt |
your swap. |
|
Further technical details were discussed in: |
https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77 |
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41 |
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862 |
https://gitlab.gnome.org/GNOME/glib/-/issues/2316 |
|
Bug: https://bugs.gentoo.org/815154 |
Package-Manager: Portage-3.0.20, Repoman-3.0.2 |
Signed-off-by: Mart Raudsepp <leio <AT> gentoo.org> |
|
.../gnome-keyring/gnome-keyring-40.0-r1.ebuild | 79 ++++++++++++++++++++++ |
1 file changed, 79 insertions(+) |
|
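diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
new file mode 100644
index 00000000000..a6174f16178
--- /dev/null
+++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit gnome2 pam python-any-r1 virtualx
+
+DESCRIPTION="Password and keyring managing daemon"
+HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring"
+
+LICENSE="GPL-2+ LGPL-2+"
+SLOT="0"
+IUSE="pam selinux +ssh-agent test"
+RESTRICT="!test? ( test )"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris"
+
+# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456
+RDEPEND="
+ >=app-crypt/gcr-3.27.90:=[gtk]
+ >=app-crypt/gnupg-2.0.28:=
+ >=app-eselect/eselect-pinentry-0.5
+ app-misc/ca-certificates
+ >=dev-libs/glib-2.44:2
+ >=dev-libs/libgcrypt-1.2.2:0=
+ pam? ( sys-libs/pam )
+ selinux? ( sec-policy/selinux-gnome )
+ ssh-agent? ( net-misc/openssh )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=app-eselect/eselect-pinentry-0.5
+ app-text/docbook-xml-dtd:4.3
+ dev-libs/libxslt
+ >=sys-devel/gettext-0.19.8
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )
+"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ # Disable stupid CFLAGS with debug enabled
+ sed -e 's/CFLAGS="$CFLAGS -g"//' \
+ -e 's/CFLAGS="$CFLAGS -O0"//' \
+ -i configure.ac configure || die
+
+ gnome2_src_prepare
+}
+
+src_configure() {
+ gnome2_src_configure \
+ --without-libcap-ng \
+ $(use_enable pam) \
+ $(use_with pam pam-dir $(getpam_mod_dir)) \
+ $(use_enable selinux) \
+ $(use_enable ssh-agent) \
+ --enable-doc
+}
+
+src_test() {
+ # Needs dbus-run-session to not get:
+ # ERROR: test-dbus-search process failed: -6
+ "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die
+ GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check
+}
+
+pkg_postinst() {
+ # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70
+ # Never install as suid root, this breaks dbus activation, see bug #513870
+ gnome2_pkg_postinst
+
+ if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then
+ ewarn "Please select pinentry-gnome3 as default pinentry provider:"
+ ewarn " # eselect pinentry set pinentry-gnome3"
+ fi
+}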
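Review bot: The two comments opening pkg_postinst describe code that is no longer there — cap_ipc_lock is named but nothing sets it, and the suid/dbus-activation remark refers to a step that was dropped — so a reader cannot tell whether the omission is deliberate. I would replace them with one why-comment stating that the file capability was removed on purpose because the daemon is now built `--without-libcap-ng` and, per the commit message, the capability setting broke the D-Bus service under glib-2.70's stricter checks (bug #815154). The commit message also records the consequence — when RLIMIT_MEMLOCK is too small, secret memory falls back to swappable malloc — and pkg_postinst is the natural place to tell the administrator rather than leaving that silent, so I would add `elog` lines as sketched below. Separately, `if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then` tests the expansion of grep's output inside `[[ ]]`; the idiomatic form is `if ! eselect pinentry show | grep -q pinentry-gnome3 ; then`.
```bash
pkg_postinst() {
	# No cap_ipc_lock file capability is set any more: the daemon is built
	# --without-libcap-ng, and the capability setting broke the D-Bus service
	# with glib-2.70's stricter security checks (bug #815154).
	gnome2_pkg_postinst

	elog "gnome-keyring no longer receives the cap_ipc_lock capability."
	elog "If RLIMIT_MEMLOCK is too small for the keyring, secret memory falls"
	elog "back to regular (swappable) malloc. Raise the memlock limit for the"
	elog "user session or use encrypted swap if this matters to you."

	# … unchanged: pinentry-gnome3 check …
}
```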