
#1 2016-10-02 17:02:24

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Review of AUR package before submission

I have built the latest Firejail (0.9.42) with Apparmor support enabled and would like to submit it to the AUR. Since this is my first attempt at building a package (it works fine on my custom kernel), would anyone care to review the package build?

# Maintainer: Irvine <irvinemcminn_at_that gmail_place>
pkgname=firejail-apparmor
pkgver=0.9.42
pkgrel=1
pkgdesc="Apparmor support for Firejail"
arch=('i686' 'x86_64')
url="https://firejail.wordpress.com/"
license=('GPL2')
depends=('apparmor-profiles' 'apparmor-utils')
provides=('firejail=0.9.42')
conflicts=('firejail')
source=("https://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.42.tar.xz/download")
sha1sums=('f6ec8198a08c3fffed681c03c3b591b4d9da8d57')



build() {
	cd ${srcdir}/firejail-0.9.42
	./configure --prefix=/usr --enable-apparmor
	make
}


package() {
	cd ${srcdir}/firejail-0.9.42
	make DESTDIR="$pkgdir/" install
}

Also, is it necessary to remind people they either need to reboot (or reload the apparmor profiles and run "sudo aa-enforce firejail-default") to enable the feature?

Irvine


And there it is, it arrives. The coin, the penny, maybe it arrives with you!


#2 2016-10-02 21:57:17

escondida
Package Maintainer (PM)
Registered: 2008-04-03
Posts: 157

Re: Review of AUR package before submission

Hi, Irvine. Overall, there are no big issues with the PKGBUILD itself, though there are a couple nits:

- build(), package(), prepare(), and pkgver() always cd to $srcdir to start with, though you do still need to cd to the dir of the unpacked or version controlled source.
- You can use $pkgver after it's defined for ease of maintenance later--in this case, the source array and cds would be good places for it. You can use any of the other variables in the script, too, if you need (though, personally, I'd advise against using $pkgname, because it just adds a level of indirection to a constant that's perfectly clear without the use of a variable name).
- Precisely-versioned provides are mostly useful in cases where you're worried about other programs linking against the wrong version, when there's more than one available--for instance, the two major gstreamer generations.

Other than that, the PKGBUILD itself looks good! Rock on.

There is one other thing I'll say, though: from the AUR wiki page's rules for contributing: "Check the official package database for the package. If any version of it exists, do not submit the package. If the official package is out-of-date, flag it as such. If the official package is broken or is lacking a feature, then please file a bug report." The reason for that is simply to avoid further cluttering the AUR with soon-to-be-outdated packages made by enthusiastic users who happened to get a chance to update something before the maintainer did. Thanks for making the effort to contribute, but in this case it's really best to hand off the information to the maintainer, if the bug report hasn't already been filed. (-:

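The three nits from the reply above, applied to the PKGBUILD from the first post. This is an added example, not code posted by either participant; everything except the `$pkgver` substitutions, the relative `cd`, and the unversioned `provides` is copied unchanged from the original, including the checksum.

```bash
# Maintainer: Irvine <irvinemcminn_at_that gmail_place>
pkgname=firejail-apparmor
pkgver=0.9.42
pkgrel=1
pkgdesc="Apparmor support for Firejail"
arch=('i686' 'x86_64')
url="https://firejail.wordpress.com/"
license=('GPL2')
depends=('apparmor-profiles' 'apparmor-utils')
# Unversioned: nothing here links against one specific firejail release.
provides=('firejail')
conflicts=('firejail')
# $pkgver is defined above, so a version bump only touches the pkgver line
# (plus the checksum, which must be regenerated for every new tarball).
source=("https://sourceforge.net/projects/firejail/files/firejail/firejail-$pkgver.tar.xz/download")
# Checksum copied unchanged from the original post.
sha1sums=('f6ec8198a08c3fffed681c03c3b591b4d9da8d57')

build() {
	# makepkg already starts each function in $srcdir,
	# so only the unpacked source directory has to be entered.
	cd "firejail-$pkgver"
	./configure --prefix=/usr --enable-apparmor
	make
}

package() {
	cd "firejail-$pkgver"
	make DESTDIR="$pkgdir/" install
}
```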

#3 2016-10-03 03:17:38

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: Review of AUR package before submission

Thanks, I was using the variables you mentioned, but changed to explicit naming because of the confusion between the package-name (firejail-apparmor) and the actual package being compiled (firejail).

Yes, I did read those rules, they are the main reason why I submitted the package for review. The AUR packaging standards page caveats the warning with:

Exception to this strict rule may only be packages having extra features enabled and/or patches in comparison to the official ones. In such an occasion, the pkgname array should be different

The PKGBUILD Wiki (in the section on the 'provides' array) gives further required versioning/naming standards for AUR versions of officially supported packages.

In this case, the package enables Firejail to integrate directly with Apparmor, thus providing "advanced Grsecurity like features". Since Arch does not officially support Apparmor (and this feature requires an /etc/apparmor.d/ directory), the feature will never be enabled in the official Firejail package.

I should add that, after a great deal of research, this seems like the most promising method to provide Apparmor noobs like me with profiles that actually work. Using the feature, most of the vulnerable front facing applications (Firefox, Transmission, Vlc, ...) should receive Apparmor protection. By the way, while researching this topic, I was shocked to discover that this is not currently the case in Ubuntu. The previously mentioned applications either do not have Apparmor profiles or the profiles are disabled by default.

Last edited by IrvineHimself (2016-10-03 03:22:08)



#4 2016-10-04 03:08:27

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: Review of AUR package before submission

Well, if anyone is interested, I just added my package to the AUR.

By the way, escondida, thanks for putting my mind to rest about the 'correctness' of the PKGBUILD.

Irvine

