This repository was archived by the owner on Apr 26, 2024. It is now read-only.
Update Debian packaging#13582
Closed
behrmann wants to merge 6 commits into
Closed
Conversation
Otherwise the files of the synapse user are readable by the nobody user, which is unsafe. Signed-off-by: Jörg Behrmann <behrmann@physik.fu-berlin.de>
Don't call dh_installinit anymore, because it has been deprecated, and use dh_installsystemd instead of dh_systemd_enable for the same reason. Signed-off-by: Jörg Behrmann <behrmann@physik.fu-berlin.de>
It was used for reasons of interactions of dh_systemd_start and dh_installinit, which have both be deprecated Signed-off-by: Jörg Behrmann <behrmann@physik.fu-berlin.de>
Signed-off-by: Jörg Behrmann <behrmann@physik.fu-berlin.de>
Signed-off-by: Jörg Behrmann <behrmann@physik.fu-berlin.de>
richvdh
reviewed
Aug 22, 2022
Member
richvdh
left a comment
richvdh
left a comment
There was a problem hiding this comment.
thanks! Before we take a proper look at this, please could you split it up into several smaller PRs that aren't changing lots of things at once (eg, make the debhelper change one PR, and the removal of the init stuff another)
This was referenced Aug 23, 2022
Merged
Contributor
Author
Contributor
Contributor
Author
|
This one's not done yet and I picked up some more along the way, but I've been swamped with work the past few weeks and hadn't had time to update my PRs, sorry. I'll try to make room for them soon. |
Contributor
|
(Not to worry---just checking if there's any tidying up to do on our part.) |
Member
|
@behrmann Hello! Any chance of finishing up this pull request? |
Contributor
Author
|
I'll close this one, as it's got to many conflicts anyhow and is better done piecemeal, but I'll get back to #13696. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
This PR updates the Debian packaging to a more recent version of debhelper (within the limits of current Debian targets, judging from
scripts-dev/build_debian_packages.py). It drops stuff that is related to init scripts, since the package doesn't ship any anymore.I also added an explicit system group for the system user, as currently the files owned by the
matrix-synapseuser will belong to thenobodygroup, which is not ideal, since that group will regularly be used for unrelated things, so having data owned bymatrix-synapsepossibly readable by other system users by accident. If there is some deeper meaning behind this, I'll happily drop this commit, but since the repo that initally did the Debian packaging doesn't seem to exist anymore, I couldn't find a reasoning right away.The major reason for me wanting to touch the Debian packaging (something I generally try to avoid), was that I wanted to fold the worker config into the regular packaging. The idea is to ship the worker service file, but not enable it. This has the benefit, that the debhelper generated postinst script will restart the target, which leads to the workers being restarted, too. This is something that can bite people using workers, since only the main service unit will be restarted.
I also moved the hardening config right into the service files. While I understand the idea of wanting to have a simple, easy to read service file, I think the upside of having a really locked down service, is a great benefit. I've been running that config for over a year by now (and a similar one before that). If you'd like to hide this, there would also be the option of moving all the hardening config into
matrix-.serviceormatrix-.service.d (units have multiple namespaces, separated by dashes, somatrix-synapse.serviceactually looks for config inmatrix-synapse.service,matrix-synapse.service.d/.config,matrix-.service,matrix-.service.d/.config). This way the file itself would be simple, but systemd would still pick it up by default (and e.g. show it in the output ofsystemctl cat matrix-synapse.service`)What I haven't touched yet is the systemd readme and service file in
contrib/, but the (already now) the quality of the service file shipped in the Debian packaging is higher than the example there, so maybe they should be dropped in favour of links to the ones in the Debian packaging.EventStoretoEventWorkerStore.".code blocks.(run the linters)