Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15-SP5:Update
apt-cacher-ng
apt-cacher-ng.spec
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apt-cacher-ng.spec of Package apt-cacher-ng
# # spec file for package apt-cacher-ng # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define debian_release 1 Name: apt-cacher-ng Version: 3.1 Release: 0 Summary: A caching proxy specialized for Linux distribution packages License: BSD-4-Clause AND MIT Group: Productivity/Networking/Web/Proxy Url: http://www.unix-ag.uni-kl.de/~bloch/acng/ Source0: http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/%{name}_%{version}.orig.tar.xz Source1: http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/%{name}_%{version}-%{debian_release}.debian.tar.xz Patch0: CVE-2020-5202.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: pkgconfig BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(bzip2) BuildRequires: pkgconfig(fuse) BuildRequires: pkgconfig(liblzma) BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(zlib) Requires(pre): pwdutils Suggests: cron Suggests: logrotate %{?systemd_requires} %description Apt-Cacher NG is a caching proxy for downloading packages from Debian-style software repositories (or possibly from other types). The main principle is that a central machine hosts the proxy for a local network, and clients configure their APT setup to download through it. Apt-Cacher NG keeps a copy of all useful data that passes through it, and when a similar request is made, the cached copy of the data is delivered without being re-downloaded. Apt-Cacher NG has been designed from scratch as a replacement for apt-cacher, but with a focus on maximizing throughput with low system resource requirements. It can also be used as replacement for apt-proxy and approx with no need to modify clients' sources.list files. %prep %setup -qa1 %patch0 -p1 # systemd in openSUSE is at /usr/lib/ sed -i 's@lib/systemd@usr/&@' systemd/CMakeLists.txt %build %cmake -DDOCDIR=%{_docdir}/%{name} -DSDINSTALL:BOOL=ON -DSYSCONFDIR=%{_sysconfdir} %make_jobs %install %cmake_install # Add the service symlink ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} # Debian file to control daemon options install -m 644 -D debian/%{name}.default %{buildroot}%{_sysconfdir}/default/%{name} # Debian logrotate file install -m 644 -D debian/%{name}.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name} # Debian cron file install -m 755 -D debian/%{name}.cron.daily %{buildroot}%{_sysconfdir}/cron.daily/%{name} # default configuration for dir in log cache; do mkdir -p %{buildroot}%{_localstatedir}/$dir/%{name} done %pre %{_sbindir}/groupadd -r apt-cacher-ng &>/dev/null || : %{_sbindir}/useradd -r -M -g apt-cacher-ng -s /sbin/nologin \ -c "apt-cacher-ng proxy" apt-cacher-ng &> /dev/null || : %service_add_pre apt-cacher-ng.service # fix the mess caused by CVE-2019-18899 fix_cve=false restart_service=false # we need a place to carry on status information to the %post section %define cve_restart_state_file %{_localstatedir}/cache/%{name}/.zypper_update_restart_service # These dirs have been owned by root before the CVE fix, now we need to change # ownership to the unprivileged user. Doing this as root in the scriptlet # context is rather uncritical security wise, since we're only dropping # privileges. # However we need to shutdown a possibly already running service, to avoid # inconsistencties (the daemon writes out cache data during shutdown as root, # for example). # Do this in %pre, because otherwise during RPM install the ownership of these # dirs will be unknowingly changed, opening further attack vector for # apt-cacher-ng. for root_owned_dir in %{_localstatedir}/log/%{name} %{_localstatedir}/cache/%{name}; do owner=`/usr/bin/stat --format "%u" "${root_owned_dir}" 2>/dev/null` || continue # not owned by root, nothing to do [ "$owner" != "0" ] && continue if ! ${fix_cve}; then # remember that we're in the CVE fix situation fix_cve=true # if we need to apply changes then stop a possibly running instance, # otherwise the daemon will later on write out files as root, breaking # things again. if $(/usr/bin/systemctl -q is-active %{name}); then restart_service=true /usr/bin/systemctl -q stop %{name} fi fi # using chown here is sufficiently safe, it uses the f*at() APIs /usr/bin/chown -R --no-dereference apt-cacher-ng:apt-cacher-ng "${root_owned_dir}" done $restart_service && touch "%{cve_restart_state_file}" true %post # second part of fixing the mess caused by CVE-2019-18899 # # /run/apt-cacher-ng was already owned by the unprivileged user before the CVE # fix, because of the systemd-tmpfiles config file setup below. But the # contents are owned by root, *if* the service was running since the last # reboot. # # This is difficult to fix in a safe manner when operating as root. But # luckily the package already has a systemd-tmpfiles configuration that is # going to help us fixing the permissions in a safe way. # # so as a side-effect of this directive all files in /run/apt-cacher-ng will # be fixed. In the CVE fix case this will happen while the service is stopped, # avoiding any further security issues or inconsistencies. %tmpfiles_create %{_tmpfilesdir}/%{name}.conf %service_add_post %{name}.service restart_service_state_file="%{cve_restart_state_file}" if [ -e "${restart_service_state_file}" ]; then # restart the service after fixing the CVE, now running under # apt-cacher-ng user rm "${restart_service_state_file}" /usr/bin/systemctl -q start %{name} fi %preun %service_del_preun %{name}.service %postun %service_del_postun %{name}.service %files %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/acng.conf %config(noreplace) %{_sysconfdir}/%{name}/security.conf %dir %{_sysconfdir}/default %config(noreplace) %{_sysconfdir}/default/%{name} %dir %{_sysconfdir}/avahi/services %dir %{_sysconfdir}/avahi %config %{_sysconfdir}/avahi/services/%{name}.service %config %{_sysconfdir}/logrotate.d/%{name} %config %{_sysconfdir}/cron.daily/%{name} %{_sbindir}/%{name} %{_sbindir}/rc%{name} %{_libexecdir}/%{name}/ %{_docdir}/%{name}/ %{_mandir}/man8/*.8%{ext_man} %dir %{_unitdir} %{_unitdir}/%{name}.service %dir %{_tmpfilesdir} %{_tmpfilesdir}/%{name}.conf %dir %ghost /run/%{name} %attr(-,apt-cacher-ng,apt-cacher-ng) %dir %{_localstatedir}/log/%{name} %attr(-,apt-cacher-ng,apt-cacher-ng) %dir %{_localstatedir}/cache/%{name} %changelog
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor