Gentoo Archives: gentoo-commits

From: Mart Raudsepp <leio@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: gnome-base/gnome-keyring/
Date: Wed, 29 Sep 2021 12:11:36
Message-Id: 1632917473.c2a3e929650d327c5f57ec2f646b1cb749d60843.leio@gentoo
1 commit: c2a3e929650d327c5f57ec2f646b1cb749d60843
2 Author: Mart Raudsepp <leio <AT> gentoo <DOT> org>
3 AuthorDate: Wed Sep 29 12:11:13 2021 +0000
4 Commit: Mart Raudsepp <leio <AT> gentoo <DOT> org>
5 CommitDate: Wed Sep 29 12:11:13 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a3e929
7
8 gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70
9
10 Always disable libcap-ng dependency.
11 Drop cap_ipc_lock capability setting that was needed for libcap-ng case,
12 but does not work right with glib-2.70 stricter security checks. This
13 unbreaks the dbus service when run with glib-2.70 or later.
14 This matches what was done in Fedora and Debian for the time being (they
15 had always built with our equivalent of USE=caps) to fix the compatibility.
16
17 There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work
18 afterwards, however when it doesn't, it falls back to arguably less secure
19 malloc (the memory could be swapped out) and doesn't lose actual
20 functionality. This was the case already with larger keyrings, and thus
21 not a security regression in practice. If you want extra security, encrypt
22 your swap.
23
24 Further technical details were discussed in:
25 https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77
26 https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41
27 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862
28 https://gitlab.gnome.org/GNOME/glib/-/issues/2316
29
30 Bug: https://bugs.gentoo.org/815154
31 Package-Manager: Portage-3.0.20, Repoman-3.0.2
32 Signed-off-by: Mart Raudsepp <leio <AT> gentoo.org>
33
34 .../gnome-keyring/gnome-keyring-40.0-r1.ebuild | 79 ++++++++++++++++++++++
35 1 file changed, 79 insertions(+)
36
37 diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
38 new file mode 100644
39 index 00000000000..a6174f16178
40 --- /dev/null
41 +++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
42 @@ -0,0 +1,79 @@
43 +# Copyright 1999-2021 Gentoo Authors
44 +# Distributed under the terms of the GNU General Public License v2
45 +
46 +EAPI=7
47 +PYTHON_COMPAT=( python3_{7..9} )
48 +
49 +inherit gnome2 pam python-any-r1 virtualx
50 +
51 +DESCRIPTION="Password and keyring managing daemon"
52 +HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring"
53 +
54 +LICENSE="GPL-2+ LGPL-2+"
55 +SLOT="0"
56 +IUSE="pam selinux +ssh-agent test"
57 +RESTRICT="!test? ( test )"
58 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris"
59 +
60 +# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456
61 +RDEPEND="
62 + >=app-crypt/gcr-3.27.90:=[gtk]
63 + >=app-crypt/gnupg-2.0.28:=
64 + >=app-eselect/eselect-pinentry-0.5
65 + app-misc/ca-certificates
66 + >=dev-libs/glib-2.44:2
67 + >=dev-libs/libgcrypt-1.2.2:0=
68 + pam? ( sys-libs/pam )
69 + selinux? ( sec-policy/selinux-gnome )
70 + ssh-agent? ( net-misc/openssh )
71 +"
72 +DEPEND="${RDEPEND}"
73 +BDEPEND="
74 + >=app-eselect/eselect-pinentry-0.5
75 + app-text/docbook-xml-dtd:4.3
76 + dev-libs/libxslt
77 + >=sys-devel/gettext-0.19.8
78 + virtual/pkgconfig
79 + test? ( ${PYTHON_DEPS} )
80 +"
81 +
82 +pkg_setup() {
83 + use test && python-any-r1_pkg_setup
84 +}
85 +
86 +src_prepare() {
87 + # Disable stupid CFLAGS with debug enabled
88 + sed -e 's/CFLAGS="$CFLAGS -g"//' \
89 + -e 's/CFLAGS="$CFLAGS -O0"//' \
90 + -i configure.ac configure || die
91 +
92 + gnome2_src_prepare
93 +}
94 +
95 +src_configure() {
96 + gnome2_src_configure \
97 + --without-libcap-ng \
98 + $(use_enable pam) \
99 + $(use_with pam pam-dir $(getpam_mod_dir)) \
100 + $(use_enable selinux) \
101 + $(use_enable ssh-agent) \
102 + --enable-doc
103 +}
104 +
105 +src_test() {
106 + # Needs dbus-run-session to not get:
107 + # ERROR: test-dbus-search process failed: -6
108 + "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die
109 + GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check
110 +}
111 +
112 +pkg_postinst() {
113 + # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70
114 + # Never install as suid root, this breaks dbus activation, see bug #513870
115 + gnome2_pkg_postinst
116 +
117 + if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then
118 + ewarn "Please select pinentry-gnome3 as default pinentry provider:"
119 + ewarn " # eselect pinentry set pinentry-gnome3"
120 + fi
121 +}