Bug 652550 - net-misc/spectre-meltdown-checker - Spectre and Meltdown vulnerability/mitigation checker for Linux
Summary: net-misc/spectre-meltdown-checker - Spectre and Meltdown vulnerability/mitiga...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Default Assignee for New Packages
URL: https://github.com/speed47/spectre-me...
Reported: 2018-04-05 05:44 UTC by Michael Gn. Gajda
Modified: 2018-08-02 15:37 UTC (History)
Attachments
[eBuild] spectre-meltdown-checker (spectre-meltdown-checker-0.36.ebuild, 536 bytes, text/plain), 2018-04-06 16:12 UTC, Michael Gn. Gajda
[eBuild] spectre-meltdown-checker-0.36 (spectre-meltdown-checker-0.36.ebuild, 432 bytes, text/plain), 2018-04-07 12:56 UTC, Michael Gn. Gajda

Description Michael Gn. Gajda 2018-04-05 05:44:44 UTC
This script checks for various CPU features, firmware versions and kernel features (*not* relying on the distribution/kernel version) to check the state of Spectre and Meltdown protection.

https://github.com/speed47/spectre-meltdown-checker

Since it is only a shell script, it is not that hard to package. But I lack the experience to fully audit the script that needs to be run as root and would love if someone else could also take a look.
Comment 1 Tomáš Mózes 2018-04-05 09:27:57 UTC
I too was thinking about packaging it, but since it changes very rapidly, probably only a masked 9999 would make sense.

Maybe an easier approach is to write a script that will download it from github each time it's invoked and run it.
Comment 2 Michael Gn. Gajda 2018-04-06 16:12:02 UTC
I'd rather not have a live-ebuild for a script run as root. Call me paranoid. :P

But hopefully the frequency of updates does calm down over time. And since it is simple enough to package, I wrapped it up in an ebuild.

I did skim over the 0.36 release and also saw that Debian is packaging it, too: https://packages.debian.org/stretch-backports/spectre-meltdown-checker . So I assumed it is legit and wrapped up an eBuild.

To even keyword a package on any architecture, I would have to test it at least myself on it, or? It is a shell script and should run on any arch, but I only have an x86 and an amd64 system to test.

Not sure what to actually do with the ebuild now. :o
Comment 3 Michael Gn. Gajda 2018-04-06 16:12:48 UTC
Created attachment 526696 [details]
[eBuild] spectre-meltdown-checker
Comment 4 Tomáš Mózes 2018-04-07 07:35:46 UTC
Thanks for trying to write up an ebuild, cool! Do you wish to proxy maintain this package in Gentoo?

I think you can omit the empty IUSE, DEPEND and RDEPEND if they are really not needed. Also, if we simply call the default src_prepare, is it really needed to be declared explicitly?
Comment 5 Joonas Niilola gentoo-dev 2018-04-07 07:54:49 UTC
(In reply to Michael Gajda from comment #2)
> I'd rather not have a live-ebuild for a script run as root. Call me
> paranoid. :P

I thought some of the places that script checks aren't accessible as a regular user, but I've only run it once (last year I think) so I might remember this wrongly.

> To even keyword a package on any architecture, I would have to test it at
> least myself on it, or? It is a shell-script and should run on any arch, but
> I only have a x86 and amd64 system to test.
> 
> Not sure what to actually do with the ebuild now. :o

If you wish to maintain it, you could try to get it into Gentoo's main portage tree via the proxy-maintainer project.
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers

It's a bit of information to take in, but well worth it if you wish to maintain this package for Gentoo :P
If not, you can always use the ebuild in your local overlay and bump it when a new release is made. There are some minor errors in your ebuild though that I think you need to change before submitting it, but you will be guided through them when you make a pull request to Gentoo's portage tree. (take "." out from the description, add -> ${P}.tar.gz to SRC_URI, perhaps remove src_prepare since it doesn't do anything, call einstalldocs). You can check screenfetch or neofetch for example.

As for arches, I do believe you can only enable the arches for systems you can test the package with (~amd64 ~x86), but not sure about that.
Comment 6 Michael Gn. Gajda 2018-04-07 12:56:51 UTC
Created attachment 526748 [details]
[eBuild] spectre-meltdown-checker-0.36

Thank you for the feedback and suggestions.
I removed the unnecessary empty variables.

Calling 'default' in src_install was something I concluded from https://wiki.gentoo.org/wiki/Basic_guide_to_write_Gentoo_Ebuilds#Adding_support_for_user_patches_to_ebuilds - I was under the impression that this is required to enable users to use custom patch files. The ebuild docs are a bit scattered around if you ask me. :P

The archive name is v<version>.tar.gz, so I do not really know how to make this more general:
https://github.com/speed47/${PN}/archive/v${PV}.tar.gz

I included the README.md file.

If I read the docs correctly, I should *not* add keywords for any arch I did not actually test it on. It is a pity since it is a script and I see little reason why it would not work on other arches, but I removed the other keywords.

Anything else?

I hopped on #gentoo-proxy-maint and will set up my own overlay on GitHub. Once I figured out all the details about metadata and such I will create a PR and happily take care of it. Despite reading the DIFF of master..v0.36 I still feel a little uncomfortable with my lack of security background to maintain a script that is usually run as root, but I'll just piggy-back on the same versions/updates Debian is using. xD
Comment 7 Tomáš Mózes 2018-04-07 14:58:08 UTC
SRC_URI="https://github.com/speed47/${PN}/archive/v${PV}.tar.gz"
This causes v${PV}.tar.gz to be put into /usr/portage/distfiles, which can collide with other packages (given they are of the same version).

SRC_URI="https://github.com/speed47/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
Instead let's download the same file but rename to the package name (along with the version).

According to https://devmanual.gentoo.org/ebuild-writing/eapi/index.html the default src_prepare in EAPI 6 already contains the eapply_user part.
Comment 8 Tomáš Mózes 2018-04-07 15:05:08 UTC
You can also put the docs into the DOCS variable and call einstalldocs.

By the way, the package works without network access, maybe app-admin is a better category for it?
Comment 9 Michael Gn. Gajda 2018-04-07 18:38:11 UTC
Ah, I get it. Fixed and moved. :)

Since the dev-docs say that there are some 'sensible defaults' for the DOCS variable, I assumed README.md was in there… so I tried it and it just worked.

The current version is in my overlay. https://github.com/dragetd/gentoo-overlay/blob/master/app-admin/spectre-meltdown-checker/spectre-meltdown-checker-0.36.ebuild
Comment 10 Tomáš Mózes 2018-04-08 10:31:25 UTC
I forgot that the default src_install already does einstalldocs, so we may write it like this:

src_install() {
  default
  dobin ${PN}.sh
}

Can it be run by non-root users? Maybe dosbin would be more appropriate if not.
Comment 11 Michael Gn. Gajda 2018-04-08 12:46:04 UTC
Ah, I have read the part about EAPI6 and should have spotted that myself.
Now using default.

Thanks again for taking the time to comment, I love learning all the subtle differences. I have been talking on #gentoo-proxy-maint too.

The script can also run as non-root and check kernel images. So not sure if it really belongs under sbin.

Updated the ebuild. :)
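The ebuild as it looks once the review points from this thread are folded in (added example, not the file that was eventually committed to the Gentoo tree, whose contents are not shown here); the LICENSE value and the app-admin category are assumptions, and the distfile_name helper models how Portage names a distfile from a SRC_URI entry to make the collision from comment 7 concrete:

```shell
# Added example: ebuild reconstructed from the review points in this
# thread (not the file that was eventually committed to the Gentoo tree).
# Assumptions: EAPI 6, category app-admin, GPL-3 as the upstream license.

PN=spectre-meltdown-checker
PV=0.36
P="${PN}-${PV}"

# Emit the ebuild text; the quoted heredoc delimiter keeps ${PN}/${PV}/${P}
# literal so Portage, not this script, expands them.
ebuild_text() {
  cat <<'EOF'
EAPI=6

DESCRIPTION="Spectre and Meltdown vulnerability/mitigation checker for Linux"
HOMEPAGE="https://github.com/speed47/spectre-meltdown-checker"
# "-> ${P}.tar.gz" renames the fetched file so it cannot collide with
# another package's v${PV}.tar.gz in distfiles (comment 7).
SRC_URI="https://github.com/speed47/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"

LICENSE="GPL-3"
SLOT="0"
# Only the arches actually tested on (comments 5 and 6).
KEYWORDS="~amd64 ~x86"

# No src_prepare: the EAPI 6 default already runs eapply_user (comment 7).
# No explicit DOCS: the default src_install runs einstalldocs, which
# picks up README.md on its own (comments 9 and 10).

src_install() {
	default
	# dobin, not dosbin: the script also runs as non-root (comment 11).
	dobin "${PN}.sh"
}
EOF
}

# Name Portage stores in distfiles for one SRC_URI entry: the target of a
# "->" rename if present, otherwise the basename of the URL.
distfile_name() {
  entry="$1"
  case "$entry" in
    *" -> "*) printf '%s\n' "${entry##*" -> "}" ;;
    *)        printf '%s\n' "${entry##*/}" ;;
  esac
}

# Without the rename the file lands as v0.36.tar.gz; with it, as ${P}.tar.gz.
distfile_name "https://github.com/speed47/${PN}/archive/v${PV}.tar.gz"
distfile_name "https://github.com/speed47/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
```

Any other package whose upstream tags releases as v<version> and is also at 0.36 would produce the same v0.36.tar.gz distfile name, which is the collision the rename avoids.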
Comment 12 Larry the Git Cow gentoo-dev 2018-08-02 15:37:49 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c048710cd14c420bb683812e19d86263fcd9ef72

commit c048710cd14c420bb683812e19d86263fcd9ef72
Author:     Lucian Poston <lucianposton@pm.me>
AuthorDate: 2018-08-01 23:23:35 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2018-08-02 15:37:41 +0000

    app-admin/spectre-meltdown-checker: Spectre & Meltdown checker
    
    Closes: https://bugs.gentoo.org/652550
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 app-admin/spectre-meltdown-checker/Manifest        |  1 +
 app-admin/spectre-meltdown-checker/metadata.xml    | 15 ++++++++++++++
 .../spectre-meltdown-checker-0.37.ebuild           | 23 ++++++++++++++++++++++
 .../spectre-meltdown-checker-9999.ebuild           | 23 ++++++++++++++++++++++
 4 files changed, 62 insertions(+)