[opensuse-factory] requesting package review: system:snappy/snapd
Hello, zyga and I are working on the package for snaps snapd at system:snappy/snapd and want to submit it to factory soon, at which point we can also package some related software.

If anyone has the time and inclination, we'd like some feedback on the package before we submit it; any suggestions for improvements and problems that need fixing are welcome.

Thank you!

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 19/04/18 02:38, Rafael Kitover wrote:
> Hello, zyga and I are working on the package for snaps snapd at system:snappy/snapd and want to submit it to factory soon, at which point we can also package some related software.
> If anyone has the time and inclination, we'd like some feedback on the package before we submit it; any suggestions for improvements and problems that need fixing are welcome.
> Thank you!
There are a couple of things here that should be discussed more broadly:

1. You seem to be packaging stuff into /snap, which is outside the FHS guidelines. On Fedora [1] they are using /var/lib/snapd/snap.

2. Normally on openSUSE we don't allow packages to enable their service in %post, in favor of the system administrator doing it. snap is a bit different from most standard services though, so maybe it's worth an exception, but we should discuss that on this list.

3. You have a couple of other rpmlint errors that you will need to work through with the security team if you're not already.

snapd.x86_64: E: permissions-unauthorized-file (Badness: 222) /etc/permissions.d/snapd
snapd.x86_64: E: permissions-unauthorized-file (Badness: 222) /etc/permissions.d/snapd.paranoid
If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team

snapd.x86_64: E: polkit-untracked-privilege (Badness: 111) io.snapcraft.snapd.login (auth_admin:auth_admin:auth_admin_keep)
snapd.x86_64: E: polkit-untracked-privilege (Badness: 111) io.snapcraft.snapd.manage (auth_admin:auth_admin:auth_admin_keep)
snapd.x86_64: E: polkit-untracked-privilege (Badness: 111) io.snapcraft.snapd.manage-interfaces (auth_admin:auth_admin:auth_admin_keep)
The privilege is not listed in /etc/polkit-default-privs.* which makes it harder for admins to find. If the package is intended for inclusion in any SUSE product please open a bug report to request review of the package by the security team

Cheers

[1] https://src.fedoraproject.org/rpms/snapd/blob/master/f/snapd.spec

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
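As an added example, not part of the original thread and not rpmlint's own code: a simplified Python version of the check behind the polkit-untracked-privilege errors in the message above. It reads action ids and implicit defaults from a polkit policy file and compares them with tracking entries in an assumed `<action> <any>:<inactive>:<active>` line format; the sample policy and tracking entries are constructed, and the "mismatch" finding is an extra check, not an rpmlint error name.

```python
import xml.etree.ElementTree as ET

TAGS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample: the three action ids and defaults from the rpmlint output.
_ACTION = ('<action id="{}"><defaults><allow_any>auth_admin</allow_any>'
           '<allow_inactive>auth_admin</allow_inactive>'
           '<allow_active>auth_admin_keep</allow_active></defaults></action>')
SAMPLE_POLICY = "<policyconfig>" + "".join(_ACTION.format(a) for a in (
    "io.snapcraft.snapd.login", "io.snapcraft.snapd.manage",
    "io.snapcraft.snapd.manage-interfaces")) + "</policyconfig>"

# Constructed tracking list (assumed format: "<action> <any>:<inactive>:<active>").
SAMPLE_PRIVS = """\
# constructed entries, not taken from a real polkit-default-privs file
io.snapcraft.snapd.login   auth_admin:auth_admin:auth_admin_keep
io.snapcraft.snapd.manage  auth_admin:auth_admin:auth_admin  # differs from packaged
"""

def policy_actions(policy_xml):
    """Map each action id to 'any:inactive:active'; a missing element counts as 'no'."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        values = [(defaults.findtext(t) if defaults is not None else None) or "no"
                  for t in TAGS]
        actions[action.get("id")] = ":".join(v.strip() for v in values)
    return actions

def parse_privs(text):
    """Parse tracking lines, ignoring comments, blanks and malformed entries."""
    tracked = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[1].count(":") == 2:
            tracked[fields[0]] = fields[1]
    return tracked

def audit(policy_xml, privs_text):
    """Return (finding, action, packaged_defaults) for untracked or differing actions."""
    tracked = parse_privs(privs_text)
    findings = []
    for action, defaults in sorted(policy_actions(policy_xml).items()):
        if action not in tracked:
            findings.append(("untracked", action, defaults))
        elif tracked[action] != defaults:
            findings.append(("mismatch", action, defaults))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_PRIVS):
        print(*finding)
```
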
On Fri, May 04, Simon Lees wrote:
> There are a couple of things here that should be discussed more broadly: 1. You seem to be packaging stuff into /snap, which is outside the FHS guidelines. On Fedora [1] they are using /var/lib/snapd/snap.

Are these files in /var/lib/snapd included in the RPM filelist, or created at runtime? In the former case, /var is a really bad idea, as this contains variable data (FHS) and if you provide something with RPM, it's clearly static and will break snapshots, rollback and transactional-update.

> 2. Normally on openSUSE we don't allow packages to enable their service in %post, in favor of the system administrator doing it. snap is a bit different from most standard services though, so maybe it's worth an exception, but we should discuss that on this list.
If something should be enabled by default, it belongs to the systemd-preset-branding package for that product, never into the %pre/%post installs. There is really no valid reason to do or allow that.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
On Fri, May 4, 2018 at 1:52 AM Thorsten Kukuk <kukuk@suse.de> wrote:
> On Fri, May 04, Simon Lees wrote:
>> There are a couple of things here that should be discussed more broadly: 1. You seem to be packaging stuff into /snap, which is outside the FHS guidelines. On Fedora [1] they are using /var/lib/snapd/snap.
> Are these files in /var/lib/snapd included in the RPM filelist, or created at runtime? In the former case, /var is a really bad idea, as this contains variable data (FHS) and if you provide something with RPM, it's clearly static and will break snapshots, rollback and transactional-update.
They are snaps downloaded and managed at runtime. They are not static or included in the RPM file list.
>> 2. Normally on openSUSE we don't allow packages to enable their service in %post, in favor of the system administrator doing it. snap is a bit different from most standard services though, so maybe it's worth an exception, but we should discuss that on this list.
> If something should be enabled by default, it belongs to the systemd-preset-branding package for that product, never into the %pre/%post installs. There is really no valid reason to do or allow that.
openSUSE has the same %systemd_{preun,post,postun} macros that respect presets from upstream systemd, right? So the package can be changed to use those and whatever is needed to update the branding package can be done to enable the services.

--
真実はいつも一つ!/ Always, there's only one truth!
participants (4): Neal Gompa, Rafael Kitover, Simon Lees, Thorsten Kukuk