
Bug 707930

Summary: sys-apps/portage - set GIT_CEILING_DIRECTORIES during ebuild execution
Product: Portage Development
Reporter: Gentookh <ghz3>
Component: Core - Ebuild Support
Assignee: Portage team <dev-portage>
Status: RESOLVED WONTFIX
Severity: normal
CC: floppym, flow, mgorny, pacho, pms
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=707922
https://bugs.gentoo.org/show_bug.cgi?id=483134
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 558556    
Bug Blocks:    

Description Gentookh 2020-02-02 14:09:22 UTC
See examples of this issue:
- https://bugs.gentoo.org/707922
- https://bugs.gentoo.org/707882
- https://bugs.gentoo.org/483134

Suggestion:
Nothing above WORKDIR should affect sandbox configuration process.
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2020-02-02 15:48:11 UTC
It's not clear from those bugs what your setup is and why you think sandbox is not correct here. Can you elaborate?
Comment 2 Mike Gilbert gentoo-dev 2020-02-02 16:20:58 UTC
The point of sandbox is to catch processes that try to write outside of permitted directories.

By creating a git repo in the root directory, you are inviting any ebuild that calls git to write there. There is no way sandbox can reasonably prevent this from happening.

Here are some options for you:

1. Don't put a git repo in /.
2. Disable the sandbox and usersandbox portage features.
3. Add /.git to SANDBOX_PREDICT in /etc/sandbox.conf.
Comment 3 Gentookh 2020-02-02 16:46:34 UTC
> you are inviting any ebuild that calls git to write there.
Why not have WORKDIR/.git created for such ebuilds?
Comment 4 Mike Gilbert gentoo-dev 2020-02-02 17:03:23 UTC
(In reply to Gentookh from comment #3)
> >you are inviting any ebuild that calls git to write there.
> Why not have WORKDIR/.git created for such ebuilds?

That may cause problems with build systems that try to detect whether they are running in a git repo.

Also, it's an unnecessary hack on most systems.
Comment 5 Mike Gilbert gentoo-dev 2020-02-02 17:17:08 UTC
Another possible solution: add GIT_CEILING_DIRECTORIES="${PORTAGE_TMPDIR}" to make.conf.
Comment 6 Gentookh 2020-02-02 17:22:14 UTC
> add GIT_CEILING_DIRECTORIES="${PORTAGE_TMPDIR}" to make.conf
Why not make this default?
Comment 7 Mike Gilbert gentoo-dev 2020-02-02 17:42:58 UTC
That would require a code change in portage to set the variable after all config files have been processed.
Comment 8 Zac Medico gentoo-dev 2020-02-02 23:21:50 UTC
PMS may want to say something about this, since an implicit GIT_CEILING_DIRECTORIES setting will effectively change the interface between the package manager and ebuilds.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-03 05:40:06 UTC
Technically speaking, you've just made your system a test case for ebuilds misbehaving. I'd say Portage should not work around it, if only not to prevent people from testing this kind of behavior. If you don't want to test it and report bugs, work around it locally.
Comment 10 Gentookh 2020-02-03 08:28:38 UTC
I already reported this bug as one that affects a couple of ebuilds and seems to be present for a long time. I've added a link to this issue in case you WONTFIX it :-)

https://wiki.gentoo.org/wiki//etc/portage/make.conf#See_also
Comment 11 Mike Gilbert gentoo-dev 2020-02-03 22:28:33 UTC
After discussion in #gentoo-qa, it sounds like we are probably not going to implement a solution in Portage.

Please use one of the available workarounds if you absolutely insist on putting a git repo in your system root directory.
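
The GIT_CEILING_DIRECTORIES workaround from comment 5, shown as an added example that is not part of the original bug thread or of Portage. It assumes git is installed; the temporary directory layout and the function names `make_layout`, `discovered_toplevel` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Constructed layout standing in for the setup in this bug:
#   $root/.git                       plays the git repo in /
#   $root/var/tmp                    plays PORTAGE_TMPDIR
#   $root/var/tmp/portage/.../work   plays an ebuild's WORKDIR

# Create the layout under a fresh temp dir and print its physical path.
make_layout() {
    root=$(mktemp -d) || return 1
    root=$(cd "$root" && pwd -P) || return 1   # resolve symlinks to match git's output
    git init -q "$root" >/dev/null 2>&1 || return 1
    mkdir -p "$root/var/tmp/portage/cat/pkg-1/work/src" || return 1
    printf '%s\n' "$root"
}

# Print the top-level of the repo git discovers from directory $1 with
# GIT_CEILING_DIRECTORIES set to $2 (empty means unset), or "none".
discovered_toplevel() {
    (
        cd "$1" || exit 1
        unset GIT_DIR GIT_WORK_TREE GIT_CEILING_DIRECTORIES
        if [ -n "$2" ]; then
            GIT_CEILING_DIRECTORIES=$2
            export GIT_CEILING_DIRECTORIES
        fi
        git rev-parse --show-toplevel 2>/dev/null || echo none
    )
}

demo() {
    root=$(make_layout) || return 1
    work="$root/var/tmp/portage/cat/pkg-1/work"
    # Without a ceiling, git walks up from WORKDIR and lands in the "root" repo.
    echo "no ceiling, from WORKDIR/src:   $(discovered_toplevel "$work/src" "")"
    # With the ceiling at the stand-in PORTAGE_TMPDIR, the upward search stops.
    echo "ceiling set, from WORKDIR/src:  $(discovered_toplevel "$work/src" "$root/var/tmp")"
    # A checkout that lives inside WORKDIR is still found: the ceiling only
    # stops the upward search, it does not hide repos below it.
    git init -q "$work" >/dev/null 2>&1
    echo "ceiling set, repo in WORKDIR:   $(discovered_toplevel "$work/src" "$root/var/tmp")"
    rm -rf "$root"
}

demo
```

The third case bears on the concern in comment 4: a build system that probes for a git repo inside its own source tree gets the same answer with the ceiling set.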