From: "Mart Raudsepp" <leio@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: gnome-base/gnome-keyring/
Date: Wed, 29 Sep 2021 12:11:32 +0000 (UTC)
Message-ID: <1632917473.c2a3e929650d327c5f57ec2f646b1cb749d60843.leio@gentoo>
commit: c2a3e929650d327c5f57ec2f646b1cb749d60843
Author: Mart Raudsepp <leio <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 29 12:11:13 2021 +0000
Commit: Mart Raudsepp <leio <AT> gentoo <DOT> org>
CommitDate: Wed Sep 29 12:11:13 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a3e929

gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70

Always disable libcap-ng dependency.

Drop cap_ipc_lock capability setting that was needed for libcap-ng case,
but does not work right with glib-2.70 stricter security checks. This
unbreaks the dbus service when run with glib-2.70 or later.

This matches what was done in Fedora and Debian for the time being (they
had always built with our equivalent of USE=caps) to fix the compatibility.

There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work
afterwards, however when it doesn't, it falls back to arguably less secure
malloc (the memory could be swapped out) and doesn't lose actual
functionality. This was the case already with larger keyrings, and thus
not a security regression in practice. If you want extra security, encrypt
your swap.

Further technical details were discussed in:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862
https://gitlab.gnome.org/GNOME/glib/-/issues/2316

Bug: https://bugs.gentoo.org/815154
Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Mart Raudsepp <leio <AT> gentoo.org>
.../gnome-keyring/gnome-keyring-40.0-r1.ebuild | 79 ++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
new file mode 100644
index 00000000000..a6174f16178
--- /dev/null
+++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit gnome2 pam python-any-r1 virtualx
+
+DESCRIPTION="Password and keyring managing daemon"
+HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring"
+
+LICENSE="GPL-2+ LGPL-2+"
+SLOT="0"
+IUSE="pam selinux +ssh-agent test"
+RESTRICT="!test? ( test )"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris"
+
+# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456
+RDEPEND="
+ >=app-crypt/gcr-3.27.90:=[gtk]
+ >=app-crypt/gnupg-2.0.28:=
+ >=app-eselect/eselect-pinentry-0.5
+ app-misc/ca-certificates
+ >=dev-libs/glib-2.44:2
+ >=dev-libs/libgcrypt-1.2.2:0=
+ pam? ( sys-libs/pam )
+ selinux? ( sec-policy/selinux-gnome )
+ ssh-agent? ( net-misc/openssh )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=app-eselect/eselect-pinentry-0.5
+ app-text/docbook-xml-dtd:4.3
+ dev-libs/libxslt
+ >=sys-devel/gettext-0.19.8
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )
+"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ # Disable stupid CFLAGS with debug enabled
+ sed -e 's/CFLAGS="$CFLAGS -g"//' \
+ -e 's/CFLAGS="$CFLAGS -O0"//' \
+ -i configure.ac configure || die
+
+ gnome2_src_prepare
+}
+
+src_configure() {
+ gnome2_src_configure \
+ --without-libcap-ng \
+ $(use_enable pam) \
+ $(use_with pam pam-dir $(getpam_mod_dir)) \
+ $(use_enable selinux) \
+ $(use_enable ssh-agent) \
+ --enable-doc
+}
+
+src_test() {
+ # Needs dbus-run-session to not get:
+ # ERROR: test-dbus-search process failed: -6
+ "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die
+ GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check
+}
+
+pkg_postinst() {
+ # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70
+ # Never install as suid root, this breaks dbus activation, see bug #513870
+ gnome2_pkg_postinst
+
+ if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then
+ ewarn "Please select pinentry-gnome3 as default pinentry provider:"
+ ewarn " # eselect pinentry set pinentry-gnome3"
+ fi
+}
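
Review bot: pkg_postinst() records the loss of cap_ipc_lock only as a code comment, so users coming from a USE=caps build get no notice that the daemon's locked memory now depends on RLIMIT_MEMLOCK, with the fallback to swappable malloc that the commit message describes. Consider adding an elog next to the existing pinentry ewarn stating that the memlock limit must be large enough and that swap should be encrypted otherwise. Separately, in the same function, the test 'if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]]' could pipe into grep -q and check its exit status directly rather than testing captured output.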