enable apparmor support by default in update_deb.sh #3450

Merged
merged 2 commits into from
Jun 12, 2020
Conversation

glitsj16 (Collaborator) commented Jun 4, 2020

IMO enabling apparmor support by default here ensures a git installation that is compatible with the OS repository and PPA packages (see the firejail-from-git wiki page).

One thing I'm not sure of is how we can patch firejail.config to accommodate https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920.

@glitsj16 glitsj16 marked this pull request as draft June 4, 2020 23:15
@glitsj16 glitsj16 marked this pull request as ready for review June 5, 2020 03:29
rusty-snake (Collaborator) commented:
https://github.com/netblue30/firejail/blob/master/mkdeb.sh.in#L45

sed -i \
    -e "s/# restricted-network .*/restricted-network yes/" \
    -e "s/# force-nonewprivs .*/force-nonewprivs yes/" \
    debian/etc/firejail/firejail.config
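
A check of that config-patching step, added here as an example and not code from the firejail project: it applies the same two substitutions to a constructed sample of firejail.config, confirms that a second run is a no-op, and confirms that a setting the substitutions do not name (the sample's commented apparmor line) is left untouched. The sample file contents and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not project code): apply the firejail.config substitutions
# shown above to a constructed sample and verify the outcome.
set -eu

# Constructed sample of a few firejail.config lines; a leading "# " marks a
# default that the package build is expected to switch on.
make_sample_config() {
    cat > "$1" <<'EOF'
# restricted-network no
# force-nonewprivs no
# apparmor yes
EOF
}

# The same two substitutions as mkdeb.sh, written without "sed -i" so the
# function behaves identically on GNU and BSD sed.
harden_config() {
    sed -e "s/# restricted-network .*/restricted-network yes/" \
        -e "s/# force-nonewprivs .*/force-nonewprivs yes/" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Effective value of a key: the last uncommented "key value" line, or
# "default" when every occurrence is still commented out.
setting_value() {
    v=$(grep -E "^$2 " "$1" | awk '{ print $2 }' | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# Whole check: harden twice (the second run must be a no-op), then confirm
# the two keys are on while the untouched "apparmor" default is unchanged.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    harden_config "$f"
    before=$(cat "$f")
    harden_config "$f"
    after=$(cat "$f")
    rn=$(setting_value "$f" restricted-network)
    fn=$(setting_value "$f" force-nonewprivs)
    ap=$(setting_value "$f" apparmor)
    rm -f "$f"
    [ "$before" = "$after" ] && [ "$rn" = yes ] && [ "$fn" = yes ] && [ "$ap" = default ]
}

demo && echo "firejail.config hardening verified"
```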

glitsj16 (Collaborator, Author) commented Jun 5, 2020

@rusty-snake Yeah, using sed isn't the problem. I'm trying to create a script that creates deb files from the git code. https://github.com/netblue30/firejail/blob/master/mkdeb.sh is relevant for doing so with a tarball, so I'll need to dust off my Debian experience to try to integrate things nicely. I'm labelling this as WIP, my Ubuntu LTS is currently in a broken state due to 52e24db and dae3933 and I'll need some time to revive that. I use checkinstall in my regular build-firejail-from-git script on Ubuntu, and that didn't like those commits (make[1]: *** [Makefile:118: realinstall] Error 1). It wiped out all symlinks under /etc in the real filesystem, which caught me by surprise. But that's another matter entirely.

@glitsj16 glitsj16 added the "WIP: DON'T MERGE" label (a PR that is still being worked on) Jun 5, 2020
reinerh (Collaborator) commented Jun 6, 2020

I'm not sure if it helps, but the .gitlab-ci.yml file (the debian_ci section) contains some rough instructions how to build a Debian package from a firejail upstream commit, with the build metadata/instructions from the current Debian package (except the patches; they are removed before the build, as they sometimes no longer apply cleanly, which would cause the CI to fail).

glitsj16 (Collaborator, Author) commented Jun 6, 2020

@reinerh Thanks for the info, I'll look into that. While we're on the subject, I wonder how much extra work it would be to set up/maintain a PPA with daily builds or something similar? Do you think that's worth the effort? Not that I'm trying to shuffle my way out of anything, but I always considered you the best-placed collaborator for all things Debian/Ubuntu, so just asking for your input.

reinerh (Collaborator) commented Jun 6, 2020

It's not really much effort to set up a PPA.
But with the current mkdeb.sh it's not so easy, as you upload Debian source packages into a PPA (.dsc files, which refer to an upstream source tarball and a Debian metadata tarball), not already built .deb packages (the Launchpad servers are actually building the packages).
One challenge I see for automated uploads is that the files need to be signed (with gpg), and I don't know what's the best way to integrate that into a build pipeline (while also keeping the keys secret).
An alternative to PPAs would be a Debian repository hosted somewhere else, though this has the same signing problem.

And I'm also not sure if that many users would actually be interested in daily builds (and are not able to build it for themselves).

glitsj16 (Collaborator, Author) commented Jun 6, 2020

> And I'm also not sure if that many users would actually be interested in daily builds (and are not able to build it for themselves).

Thanks for the feedback. I tend to agree. It's probably sufficient to provide clear instructions on how to build from git and add warnings where due, like how to avoid overwriting firejail.config and a link to the relevant bug(s).

This should bring the script in sync with packages installed from PPA.
@glitsj16 glitsj16 removed the "WIP: DON'T MERGE" label (a PR that is still being worked on) Jun 12, 2020
@glitsj16 glitsj16 merged commit 3490ba4 into netblue30:master Jun 12, 2020
@glitsj16 glitsj16 deleted the update-deb branch June 12, 2020 10:13
@matu3ba matu3ba mentioned this pull request Oct 7, 2021