Compare commits
No commits in common. "070a9cecb798791033441ebd92049d3f006302cf" and "632a9187804858e95b34aca5fe6b162b5aebaf9a" have entirely different histories.
070a9cecb7
...
632a918780
4 changed files with 18 additions and 61 deletions
|
@ -1,10 +1,3 @@
|
|||
0.8.4 (2022-02-11)
|
||||
------------------
|
||||
|
||||
- tarfilter: add --strip-components option
|
||||
- don't install essential packages in run_install()
|
||||
- remove /var/lib/dbus/machine-id
|
||||
|
||||
0.8.3 (2022-01-08)
|
||||
------------------
|
||||
|
||||
|
|
24
coverage.sh
24
coverage.sh
|
@ -180,7 +180,6 @@ export SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
|
|||
# compared to the one chosen in debootstrap because of different installation
|
||||
# order in comparison to the systemd users
|
||||
# https://bugs.debian.org/969631
|
||||
# we cannot use useradd because passwd is not Essential:yes
|
||||
$CMD --variant=$variant --mode=$defaultmode \
|
||||
--essential-hook='if [ $variant = - ]; then echo _apt:*:100:65534::/nonexistent:/usr/sbin/nologin >> "\$1"/etc/passwd; fi' \
|
||||
$dist /tmp/debian-$dist-mm.tar $mirror
|
||||
|
@ -322,18 +321,6 @@ else
|
|||
echo no difference for /etc/shadow- on $dist $variant >&2
|
||||
fi
|
||||
|
||||
# Because of unreproducible uids (#969631) we created the _apt user ourselves
|
||||
# and because passwd is not Essential:yes we didn't use useradd. But passwd
|
||||
# since 1:4.11.1+dfsg1-1 will create empty mail files, so we create it too.
|
||||
# https://bugs.debian.org/1004710
|
||||
if [ $variant = - ]; then
|
||||
if [ -e /tmp/debian-$dist-debootstrap/var/mail/_apt ]; then
|
||||
touch /tmp/debian-$dist-mm/var/mail/_apt
|
||||
chmod 660 /tmp/debian-$dist-mm/var/mail/_apt
|
||||
chown 100:8 /tmp/debian-$dist-mm/var/mail/_apt
|
||||
fi
|
||||
fi
|
||||
|
||||
# check if the file content differs
|
||||
diff --unified --no-dereference --recursive /tmp/debian-$dist-debootstrap /tmp/debian-$dist-mm
|
||||
|
||||
|
@ -755,8 +742,9 @@ fi
|
|||
for variant in essential apt minbase buildd important standard; do
|
||||
for format in tar squashfs ext2; do
|
||||
print_header "mode=root/unshare/fakechroot,variant=$variant: check for bit-by-bit identical $format output"
|
||||
# pyc files and man index.db are not reproducible
|
||||
# See #1004557 and #1004558
|
||||
# fontconfig doesn't install reproducibly because differences
|
||||
# in /var/cache/fontconfig/. See
|
||||
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
|
||||
if [ "$variant" = "standard" ]; then
|
||||
echo "skipping test because of #864082" >&2
|
||||
skipped=$((skipped+1))
|
||||
|
@ -858,7 +846,6 @@ cmp /tmp/debian-chroot.tar /tmp/debian-chroot-shiftedback.tar
|
|||
# manually adjust uid/gid and compare "tar -t" output
|
||||
tar --numeric-owner -tvf /tmp/debian-chroot.tar \
|
||||
| sed 's# 100/0 # 100100/100000 #' \
|
||||
| sed 's# 100/8 # 100100/100008 #' \
|
||||
| sed 's# 0/0 # 100000/100000 #' \
|
||||
| sed 's# 0/5 # 100000/100005 #' \
|
||||
| sed 's# 0/8 # 100000/100008 #' \
|
||||
|
@ -2986,8 +2973,9 @@ fi
|
|||
# into /var/cache/apt/archives/partial
|
||||
for variant in extract custom essential apt minbase buildd important standard; do
|
||||
print_header "mode=$defaultmode,variant=$variant: compare output with pre-seeded /var/cache/apt/archives"
|
||||
# pyc files and man index.db are not reproducible
|
||||
# See #1004557 and #1004558
|
||||
# fontconfig doesn't install reproducibly because differences
|
||||
# in /var/cache/fontconfig/. See
|
||||
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
|
||||
if [ "$variant" = "standard" ]; then
|
||||
echo "skipping test because of #864082" >&2
|
||||
skipped=$((skipped+1))
|
||||
|
|
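Review bot: The hunk at -322,18 +321,6 leaves the recursive `diff` between the debootstrap and mmdebstrap trees without the step that created `var/mail/_apt`, while the `--essential-hook` in the -180,7 hunk still appends `_apt` to `/etc/passwd` by hand instead of calling useradd. According to the comment dropped with it, passwd since 1:4.11.1+dfsg1-1 creates an empty mail file, so on a dist with that passwd the debootstrap tree would presumably hold a file the mmdebstrap tree lacks, and the comparison fails. The -858,7 +846,6 hunk drops the matching `100/8` mapping from the `tar -t` comparison as well. The page renders without +/- markers, so the sides are read off the hunk line counts. A quoted form of the block to keep in front of the diff call follows.

```shell
# … unchanged: /etc/shadow- comparison …
# passwd >= 1:4.11.1+dfsg1-1 creates an empty mail file (https://bugs.debian.org/1004710)
if [ "$variant" = - ] && [ -e "/tmp/debian-$dist-debootstrap/var/mail/_apt" ]; then
	touch "/tmp/debian-$dist-mm/var/mail/_apt"
	chmod 660 "/tmp/debian-$dist-mm/var/mail/_apt"
	chown 100:8 "/tmp/debian-$dist-mm/var/mail/_apt"
fi
# … unchanged: diff --unified --no-dereference --recursive …
```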
27
mmdebstrap
27
mmdebstrap
|
@ -23,7 +23,7 @@
|
|||
use strict;
|
||||
use warnings;
|
||||
|
||||
our $VERSION = '0.8.4';
|
||||
our $VERSION = '0.8.3';
|
||||
|
||||
use English;
|
||||
use Getopt::Long;
|
||||
|
@ -2722,18 +2722,13 @@ sub run_install() {
|
|||
any { $_ eq $options->{variant} }
|
||||
('required', 'important', 'standard', 'buildd')
|
||||
) {
|
||||
# Many of the priority:required packages are also essential:yes. We
|
||||
# make sure not to select those here to avoid useless "xxx is already
|
||||
# the newest version" messages.
|
||||
my $priority;
|
||||
if (any { $_ eq $options->{variant} } ('required', 'buildd')) {
|
||||
$priority = '?and(?priority(required),?not(?essential))';
|
||||
$priority = '?priority(required)';
|
||||
} elsif ($options->{variant} eq 'important') {
|
||||
$priority = '?and(?or(?priority(required),?priority(important)),'
|
||||
. '?not(?essential))';
|
||||
$priority = '?or(?priority(required),?priority(important))';
|
||||
} elsif ($options->{variant} eq 'standard') {
|
||||
$priority = '?and(?or(~prequired,~pimportant,~pstandard),'
|
||||
. '?not(?essential))';
|
||||
$priority = '?or(~prequired,~pimportant,~pstandard)';
|
||||
}
|
||||
$pkgs_to_install{
|
||||
"?narrow("
|
||||
|
@ -2785,9 +2780,6 @@ sub run_install() {
|
|||
#
|
||||
# - we can make use of file:// and copy://
|
||||
#
|
||||
# - we can use EDSP solvers without installing apt-utils or other
|
||||
# solvers inside the chroot
|
||||
#
|
||||
# The DPkg::Install::Recursive::force=true workaround can be
|
||||
# dropped after this issue is fixed:
|
||||
# https://salsa.debian.org/apt-team/apt/-/merge_requests/189
|
||||
|
@ -2923,8 +2915,7 @@ sub run_cleanup() {
|
|||
foreach my $fname (
|
||||
'/var/log/dpkg.log', '/var/log/apt/history.log',
|
||||
'/var/log/apt/term.log', '/var/log/alternatives.log',
|
||||
'/var/cache/ldconfig/aux-cache', '/var/log/apt/eipp.log.xz',
|
||||
'/var/lib/dbus/machine-id'
|
||||
'/var/cache/ldconfig/aux-cache', '/var/log/apt/eipp.log.xz'
|
||||
) {
|
||||
my $path = "$options->{root}$fname";
|
||||
if (!-e $path) {
|
||||
|
@ -6297,7 +6288,11 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
|
|||
This mode uses Linux user namespaces to allow unprivileged use of chroot and
|
||||
creation of files that appear to be owned by the superuser inside the unshared
|
||||
namespace. A tarball created in this mode should be bit-by-bit identical to a
|
||||
tarball created with the B<root> mode.
|
||||
tarball created with the B<root> mode. In Debian, this mode requires the sysctl
|
||||
C<kernel.unprivileged_userns_clone> being set to C<1>. The default used to be
|
||||
C<0> but was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye).
|
||||
B<SETTING THIS OPTION TO 1 HAS SECURITY IMPLICATIONS>. Refer to
|
||||
L<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446>
|
||||
|
||||
A directory chroot created with this mode will end up with wrong ownership
|
||||
information. For correct ownership information, the directory must be accessed
|
||||
|
@ -6721,7 +6716,7 @@ Performs cleanup tasks, unless B<--skip=cleanup> is used:
|
|||
|
||||
=item * Remove all files that were put into the chroot for setup purposes, like F</etc/apt/apt.conf.d/00mmdebstrap>, the temporary apt config and the qemu-user-static binary. This can be disabled using B<--skip=cleanup/mmdebstrap>.
|
||||
|
||||
=item * Remove all files that make the result unreproducible, like apt and dpkg logs and caches or F</etc/machine-id> and F</var/lib/dbus/machine-id>. This can be disabled using B<--skip=cleanup/reproducible>
|
||||
=item * Remove all files that make the result unreproducible, like apt and dpkg logs and caches or F</etc/machine-id>. This can be disabled using B<--skip=cleanup/reproducible>
|
||||
|
||||
=item * Remove everything in F</tmp> inside the chroot. This can be disabled using B<--skip=cleanup/tmp>.
|
||||
|
||||
|
|
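Review bot: In run_cleanup (hunk -2923,8 +2915,7) the list of files handled for reproducibility no longer contains `'/var/lib/dbus/machine-id'` on the new side, so a chroot in which that file was generated keeps it in the output. Besides making the result unreproducible, every system deployed from such an image would then share one D-Bus machine ID, which defeats its use as a per-host identifier. Keep the entry by ending the list with `'/var/cache/ldconfig/aux-cache', '/var/log/apt/eipp.log.xz',` followed by `'/var/lib/dbus/machine-id'`, and keep `F</var/lib/dbus/machine-id>` in the cleanup/reproducible item of the POD. The page renders without +/- markers, so the sides are inferred from the hunk line counts; run_cleanup's body begins and ends outside the hunk.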
21
tarfilter
21
tarfilter
|
@ -64,10 +64,6 @@ Both types of options use Unix shell-style wildcards:
|
|||
? matches any single character
|
||||
[seq] matches any character in seq
|
||||
[!seq] matches any character not in seq
|
||||
|
||||
Thirdly, strip leading directory components off of tar members. Just as with
|
||||
GNU tar --strip-components, tar members that have less or equal components in
|
||||
their path are not passed through.
|
||||
"""
|
||||
)
|
||||
parser.add_argument(
|
||||
|
@ -94,18 +90,8 @@ their path are not passed through.
|
|||
action=PaxFilterAction,
|
||||
help="Re-include a pax header after a previous exclusion.",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--strip-components",
|
||||
metavar="number",
|
||||
type=int,
|
||||
help="Strip NUMBER leading components from file names",
|
||||
)
|
||||
args = parser.parse_args()
|
||||
if (
|
||||
not hasattr(args, "pathfilter")
|
||||
and not hasattr(args, "paxfilter")
|
||||
and not hasattr(args, "strip_components")
|
||||
):
|
||||
if not hasattr(args, "pathfilter") and not hasattr(args, "paxfilter"):
|
||||
from shutil import copyfileobj
|
||||
|
||||
copyfileobj(sys.stdin.buffer, sys.stdout.buffer)
|
||||
|
@ -155,11 +141,6 @@ their path are not passed through.
|
|||
for member in in_tar:
|
||||
if path_filter_should_skip(member):
|
||||
continue
|
||||
if args.strip_components:
|
||||
comps = member.name.split("/")
|
||||
if len(comps) <= args.strip_components:
|
||||
continue
|
||||
member.name = "/".join(comps[args.strip_components :])
|
||||
member.pax_headers = {
|
||||
k: v
|
||||
for k, v in member.pax_headers.items()
|
||||
|
|