From: "Mart Raudsepp"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mart Raudsepp"
Message-ID: <1632917473.c2a3e929650d327c5f57ec2f646b1cb749d60843.leio@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: gnome-base/gnome-keyring/
X-VCS-Repository: repo/gentoo
X-VCS-Files: gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
X-VCS-Directories: gnome-base/gnome-keyring/
X-VCS-Committer: leio
X-VCS-Committer-Name: Mart Raudsepp
X-VCS-Revision: c2a3e929650d327c5f57ec2f646b1cb749d60843
X-VCS-Branch: master
Date: Wed, 29 Sep 2021 12:11:32 +0000 (UTC)
List-Id: Gentoo Linux mail
X-Archives-Salt: 004577b6-3bde-43e7-b39c-0049faaa9eed
X-Archives-Hash: 888c2ea0390d9c04c0e384e4c48f52fc

commit:     c2a3e929650d327c5f57ec2f646b1cb749d60843
Author:     Mart Raudsepp gentoo org>
AuthorDate: Wed Sep 29 12:11:13 2021 +0000
Commit:     Mart Raudsepp gentoo org>
CommitDate: Wed Sep 29 12:11:13 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a3e929

gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70

Always disable libcap-ng dependency. Drop cap_ipc_lock capability setting
that was needed for the libcap-ng case, but does not work right with
glib-2.70's stricter security checks. This unbreaks the dbus service when
run with glib-2.70 or later.
This matches what was done in Fedora and Debian for the time being (they
had always built with our equivalent of USE=caps) to fix the compatibility.

There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work
afterwards; however, when there isn't, it falls back to arguably less
secure malloc (the memory could be swapped out) and doesn't lose actual
functionality. This was the case already with larger keyrings, and thus
not a security regression in practice. If you want extra security,
encrypt your swap.

Further technical details were discussed in:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862
https://gitlab.gnome.org/GNOME/glib/-/issues/2316

Bug: https://bugs.gentoo.org/815154
Package-Manager: Portage-3.0.20, Repoman-3.0.2
Signed-off-by: Mart Raudsepp gentoo.org>

 .../gnome-keyring/gnome-keyring-40.0-r1.ebuild | 79 ++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
new file mode 100644
index 00000000000..a6174f16178
--- /dev/null
+++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
@@ -0,0 +1,79 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 +PYTHON_COMPAT=( python3_{7..9} ) + +inherit gnome2 pam python-any-r1 virtualx + +DESCRIPTION="Password and keyring managing daemon" +HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring" + +LICENSE="GPL-2+ LGPL-2+" +SLOT="0" +IUSE="pam selinux +ssh-agent test" +RESTRICT="!test? ( test )" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris" + +# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456 +RDEPEND=" + >=app-crypt/gcr-3.27.90:=[gtk] + >=app-crypt/gnupg-2.0.28:= + >=app-eselect/eselect-pinentry-0.5 + app-misc/ca-certificates + >=dev-libs/glib-2.44:2 + >=dev-libs/libgcrypt-1.2.2:0= + pam? ( sys-libs/pam ) + selinux? ( sec-policy/selinux-gnome ) + ssh-agent? ( net-misc/openssh ) +" +DEPEND="${RDEPEND}" +BDEPEND=" + >=app-eselect/eselect-pinentry-0.5 + app-text/docbook-xml-dtd:4.3 + dev-libs/libxslt + >=sys-devel/gettext-0.19.8 + virtual/pkgconfig + test? 
( ${PYTHON_DEPS} ) +" + +pkg_setup() { + use test && python-any-r1_pkg_setup +} + +src_prepare() { + # Disable stupid CFLAGS with debug enabled + sed -e 's/CFLAGS="$CFLAGS -g"//' \ + -e 's/CFLAGS="$CFLAGS -O0"//' \ + -i configure.ac configure || die + + gnome2_src_prepare +} + +src_configure() { + gnome2_src_configure \ + --without-libcap-ng \ + $(use_enable pam) \ + $(use_with pam pam-dir $(getpam_mod_dir)) \ + $(use_enable selinux) \ + $(use_enable ssh-agent) \ + --enable-doc +} + +src_test() { + # Needs dbus-run-session to not get: + # ERROR: test-dbus-search process failed: -6 + "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die + GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check +} + +pkg_postinst() { + # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70 + # Never install as suid root, this breaks dbus activation, see bug #513870 + gnome2_pkg_postinst + + if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then + ewarn "Please select pinentry-gnome3 as default pinentry provider:" + ewarn " # eselect pinentry set pinentry-gnome3" + fi +}
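Review bot: the comment at the top of pkg_postinst ("cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70") now describes code this revision removed; with IUSE=caps gone and --without-libcap-ng hard-coded in src_configure, the comment no longer refers to anything in the ebuild and should be dropped or reworded to say why libcap-ng is forced off. Since the commit message says the daemon now depends on RLIMIT_MEMLOCK being large enough and silently falls back to swappable malloc() memory otherwise, pkg_postinst is the place to tell the user so, e.g. an elog next to the pinentry warning along the lines of "gnome-keyring no longer gains cap_ipc_lock; raise the memlock limit (e.g. via pam_limits / /etc/security/limits.conf) or encrypt swap if you want secrets kept in non-swappable memory". Minor style point in the same function: `if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]]` can be written as `if ! eselect pinentry show | grep -q pinentry-gnome3; then`, which avoids the command substitution and string test.

The allocation policy the commit message relies on (page-locked memory when RLIMIT_MEMLOCK or CAP_IPC_LOCK permits it, plain malloc() otherwise) is easy to misjudge, so here is an added example, written for this edit and not code from gnome-keyring or the ebuild, that makes the fallback observable. It reads the soft RLIMIT_MEMLOCK, tries to mlock(2) a page-aligned anonymous mapping, and on ENOMEM (over the limit) or EPERM (limit of zero with no CAP_IPC_LOCK) falls back to malloc(), recording which path was taken. The `secmem_*` names and the two request sizes in `main` are this example's own choices; the 64 MiB request is there only because it exceeds the 64 KiB soft limit many distributions ship by default, so on such a system it should show the fallback while the one-page request succeeds:

```c
/* secmem_demo.c -- added example, not gnome-keyring code.
 * Prefer page-locked (non-swappable) memory; fall back to ordinary
 * malloc() memory that the kernel may swap out when mlock() is refused. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

enum secmem_kind { SECMEM_LOCKED = 1, SECMEM_FALLBACK = 2 };

struct secmem {
    void *ptr;
    size_t len;             /* page-rounded length actually allocated */
    enum secmem_kind kind;  /* which path secmem_alloc() took */
};

/* Soft RLIMIT_MEMLOCK in bytes; RLIM_INFINITY is reported as SIZE_MAX. */
size_t secmem_memlock_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return 0;
    if (rl.rlim_cur == RLIM_INFINITY) return (size_t)-1;
    return (size_t)rl.rlim_cur;
}

/* Allocate at least `want` bytes. Returns 0 on success, -1 on total failure. */
int secmem_alloc(struct secmem *m, size_t want) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = ((want + pg - 1) / pg) * pg;
    memset(m, 0, sizeof *m);

    /* A page-aligned private mapping so mlock() covers exactly this buffer. */
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        if (mlock(p, len) == 0) {
            m->ptr = p; m->len = len; m->kind = SECMEM_LOCKED;
            return 0;
        }
        /* ENOMEM: would exceed RLIMIT_MEMLOCK. EPERM: limit is 0 and the
         * process has no CAP_IPC_LOCK. Either way: swappable fallback. */
        munmap(p, len);
    }
    p = malloc(len);
    if (p == NULL) return -1;
    m->ptr = p; m->len = len; m->kind = SECMEM_FALLBACK;
    return 0;
}

/* Volatile store loop so the compiler cannot elide the wipe. */
static void secmem_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Wipe then release; wiping matters most for the swappable fallback. */
void secmem_free(struct secmem *m) {
    if (m->ptr == NULL) return;
    secmem_wipe(m->ptr, m->len);
    if (m->kind == SECMEM_LOCKED) {
        munlock(m->ptr, m->len);
        munmap(m->ptr, m->len);
    } else {
        free(m->ptr);
    }
    memset(m, 0, sizeof *m);
}

/* Convenience probe: which path would a request of `want` bytes take? */
int secmem_probe(size_t want) {
    struct secmem m;
    if (secmem_alloc(&m, want) != 0) return -1;
    int kind = (int)m.kind;
    secmem_free(&m);
    return kind;
}

int main(void) {
    /* Constructed requests: one page, and 64 MiB (above a 64 KiB default). */
    const size_t sizes[] = { 4096, 64u * 1024 * 1024 };
    printf("RLIMIT_MEMLOCK (soft): %zu bytes\n", secmem_memlock_limit());
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int kind = secmem_probe(sizes[i]);
        printf("%zu bytes -> %s\n", sizes[i],
               kind == SECMEM_LOCKED ? "mlock()ed, not swappable"
               : kind == SECMEM_FALLBACK ? "malloc() fallback, swappable"
               : "allocation failed");
    }
    return 0;
}
```

Run it once as a normal user and once after `ulimit -l unlimited` (or with a cap_ipc_lock file capability, which is what the dropped ebuild code used to set) to see the same request flip between the two outcomes; that difference is exactly what the commit message means by "arguably less secure malloc".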