[Rpm-maint] [rpm-software-management/rpm] Add support for generating buildinfo file as subpackage (#1532)

Demi Marie Obenour notifications at github.com
Mon Mar 29 13:05:25 UTC 2021


@DemiMarie requested changes on this pull request.

Avoid using “whitelist” and properly quote variables containing special characters

> +cat > "$BUILDINFO" <<EOF
+Format: 1.0-rpm
+Build-Architecture: $(uname -m)
+Source: $RPM_PACKAGE_NAME
+Epoch: $RPM_PACKAGE_EPOCH
+Version: ${RPM_PACKAGE_VERSION}
+Release: ${RPM_PACKAGE_RELEASE}
+Architecture: $RPM_ARCH
+Build-Origin: $(getos)
+Build-Path: $RPM_BUILD_DIR
+EOF
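Review bot: the two command substitutions inside the heredoc, `$(uname -m)` and `$(getos)`, can never fail the script, because the status of `cat > "$BUILDINFO" <<EOF` is cat's: a missing or broken `getos` silently leaves `Build-Origin:` empty and the file is still written. Capture both into variables before writing (`os=$(getos)`, `arch=$(uname -m)`) so `set -e` sees their status, and reject an empty result. The same goes for the unquoted expansions such as `$RPM_BUILD_DIR`: a value containing a newline would inject an extra field into the file, so either validate these values or write them with an escaping form.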

```suggestion
os=$(getos)
arch=$(uname -m)
printf %s "\
Format: 1.0-rpm
Build-Architecture: $arch
Source: $RPM_PACKAGE_NAME
Epoch: $RPM_PACKAGE_EPOCH
Version: ${RPM_PACKAGE_VERSION}
Release: ${RPM_PACKAGE_RELEASE}
Architecture: $RPM_ARCH
Build-Origin: $os
Build-Path: $RPM_BUILD_DIR
" > "$BUILDINFO"
```

This ensures that we properly abort on errors.

> +rpm -qa --queryformat '%{epoch}:%{name}-%{version}-%{release}.%{arch}\n' \
+    | LC_ALL=C sort -t: -k2 \
+    | sed -e 's/^(none)://; /\.(none)$/d; s/^/ /' >> "$BUILDINFO"
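Review bot: without `set -o pipefail` the status of this pipeline is `sed`'s, so an `rpm -qa` failure (for example an unreadable rpmdb) yields an empty `Installed-Build-Depends:` section and the script carries on; enable `pipefail` if the script is bash-only, or write the `rpm -qa` output to a temporary file and check its status before sorting. A short comment that `LC_ALL=C sort -t: -k2` deliberately sorts on everything after the epoch, and that the `(none)` prefix is stripped only afterwards, would save the next reader from "fixing" the field choice.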

Sadly this requires `-o pipefail` if we want to handle errors robustly.

> +Epoch: $RPM_PACKAGE_EPOCH
+Version: ${RPM_PACKAGE_VERSION}
+Release: ${RPM_PACKAGE_RELEASE}
+Architecture: $RPM_ARCH
+Build-Origin: $(getos)
+Build-Path: $RPM_BUILD_DIR
+EOF
+
+printf 'Installed-Build-Depends:\n' >> "$BUILDINFO"
+rpm -qa --queryformat '%{epoch}:%{name}-%{version}-%{release}.%{arch}\n' \
+    | LC_ALL=C sort -t: -k2 \
+    | sed -e 's/^(none)://; /\.(none)$/d; s/^/ /' >> "$BUILDINFO"
+
+printf 'Environment:\n' >> "$BUILDINFO"
+
+# Whitelist from Debian's Dpkg:
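Review bot: `printf 'Environment:\n' >> "$BUILDINFO"` writes the section header unconditionally, so a build in which none of the allowlisted variables is set ends the file with an empty `Environment:` field; either document that an empty field is valid in the `1.0-rpm` format or collect the entries first and print the header only when there is at least one. Style: the repeated `>> "$BUILDINFO"` redirections could be grouped as `{ ...; } >> "$BUILDINFO"`, which also makes it harder to forget one on a later line.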

```suggestion
# Allowlist from Debian's Dpkg:
```

The terms “whitelist” and “blacklist” are offensive and should not be used.

> +# https://anonscm.debian.org/git/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50
+ENV_WHITELIST=
+
+# Toolchain.
+ENV_WHITELIST="$ENV_WHITELIST CC CPP CXX OBJC OBJCXX PC FC M2C AS LD AR RANLIB MAKE AWK LEX YACC"
+# Toolchain flags.
+ENV_WHITELIST="$ENV_WHITELIST CFLAGS CPPFLAGS CXXFLAGS OBJCFLAGS OBJCXXFLAGS GCJFLAGS FFLAGS LDFLAGS ARFLAGS MAKEFLAGS"
+# Dynamic linker, see ld(1).
+ENV_WHITELIST="$ENV_WHITELIST LD_LIBRARY_PATH"
+# Locale, see locale(1).
+ENV_WHITELIST="$ENV_WHITELIST LANG LC_ALL LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION"
+ENV_WHITELIST="$ENV_WHITELIST SOURCE_DATE_EPOCH"
+for var in $ENV_WHITELIST
+do
+    eval value="\$$var"
+    # shellcheck disable=SC2154
+    test -n "$value" && printf ' %s="%s"\n' "$var" "$value" >> "$BUILDINFO"
+done
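Review bot: `printf ' %s="%s"\n' "$var" "$value"` does not escape the value, so a `CFLAGS` containing `"`, a backslash or a newline produces an entry that cannot be parsed back unambiguously, and with a newline it spills onto a second line of the file; use a form that round-trips (bash's `%q`, as in the suggestion that follows, or single-quote escaping) and state which shell the script targets, since `%q` is not POSIX `printf`. The `eval value="\$$var"` is only safe because the names come from the fixed list above and never from the build; say so in a comment, and prefer `eval "value=\${$var-}"` so an unset variable does not trip `set -u` if it is ever enabled. Minor: the `SOURCE_DATE_EPOCH` line has no explanatory comment, unlike the other groups.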

```suggestion
# https://anonscm.debian.org/git/dpkg/dpkg.git/tree/scripts/Dpkg/Build/Info.pm#n50
ENV_ALLOWLIST=

# Toolchain.
ENV_ALLOWLIST="$ENV_ALLOWLIST CC CPP CXX OBJC OBJCXX PC FC M2C AS LD AR RANLIB MAKE AWK LEX YACC"
# Toolchain flags.
ENV_ALLOWLIST="$ENV_ALLOWLIST CFLAGS CPPFLAGS CXXFLAGS OBJCFLAGS OBJCXXFLAGS GCJFLAGS FFLAGS LDFLAGS ARFLAGS MAKEFLAGS"
# Dynamic linker, see ld(1).
ENV_ALLOWLIST="$ENV_ALLOWLIST LD_LIBRARY_PATH"
# Locale, see locale(1).
ENV_ALLOWLIST="$ENV_ALLOWLIST LANG LC_ALL LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION"
ENV_ALLOWLIST="$ENV_ALLOWLIST SOURCE_DATE_EPOCH"
for var in $ENV_ALLOWLIST
do
    eval value="\$$var"
    # shellcheck disable=SC2154
    test -n "$value" && printf ' %s=%q\n' "$var" "$value" >> "$BUILDINFO"
done
```

Replace “whitelist” with “allowlist” and properly quote variables with special characters (including newline).

https://github.com/rpm-software-management/rpm/pull/1532#pullrequestreview-623199227
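The quoting problem the review raises, as an added example (bash; not code from the pull request or from rpm itself): the hunk's double-quoted entry beside a `%q`-based one that keeps each entry on one line and parses back exactly, exercised with a constructed CFLAGS value containing a quote and a newline. The helper names and sample values are hypothetical.

```shell
#!/bin/bash
# Added example, not code from the rpm pull request: write the
# "Environment:" section of a buildinfo file so that each entry stays on
# one line and can be parsed back exactly, even when a value contains
# quotes, backslashes or newlines. Requires bash (for %q and $'...').
set -eu -o pipefail

# Form used in the reviewed hunk: the value is pasted between double
# quotes unescaped, so an embedded '"' makes it ambiguous and an embedded
# newline splits the entry over two lines of the file.
naive_entry() { printf ' %s="%s"\n' "$1" "$2"; }

# Hardened form: %q prints the value as a single shell word that bash
# re-reads exactly (a newline becomes \n inside $'...'), so the entry is
# always one line. %q is a bash extension, not POSIX printf.
safe_entry() { printf ' %s=%q\n' "$1" "$2"; }

# Emit the section for a caller-supplied allowlist of variable names.
# The names are a fixed list chosen by the script author, never input
# from the build, which is what makes the eval below safe.
env_section() {
    printf 'Environment:\n'
    local var value
    for var in "$@"; do
        eval "value=\${$var-}"   # unset -> empty, without tripping set -u
        if [ -n "$value" ]; then
            safe_entry "$var" "$value"
        fi
    done
}

# Parse one " NAME=<quoted>" entry back; the decoded value is returned in
# ENTRY_VALUE rather than printed, so trailing newlines survive.
entry_value() {
    eval "ENTRY_VALUE=${1#*=}"
}

# Constructed sample values (hypothetical, not from any real build):
# a CFLAGS with a quoted define and an embedded newline, plus LDFLAGS.
CFLAGS=$'-O2 -DVENDOR="acme"\n-fstack-protector-strong'
LDFLAGS='-Wl,-z,relro -Wl,-z,now'

# SOURCE_DATE_EPOCH is unset here, so it is skipped rather than printed empty.
env_section CFLAGS LDFLAGS SOURCE_DATE_EPOCH
```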