Bug #7591
Closed: [Deployment] httplib2 backport package includes files with 0640 perms on trusty, jessie
Description
Bug
On Ubuntu 14.04 and Debian 8, the .deb that fpm generates for httplib2 includes files that have 0640 permissions. This is true regardless of umask, and you can reproduce it without using any of our build code:
```
brinstar % docker run --rm -ti arvados/build:ubuntu1404 /bin/bash
root@ed6e37a48ab0:/# . /etc/profile.d/rvm.sh
root@ed6e37a48ab0:/# cd tmp
root@ed6e37a48ab0:/tmp# fpm -s python -t deb httplib2
Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag {:level=>:warn}
Created package {:path=>"python-httplib2_0.9.2_all.deb"}
root@ed6e37a48ab0:/tmp# dpkg-deb -c python-httplib2_0.9.2_all.deb
drwx------ 0/0 0 2015-10-16 14:58 ./
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/
-rw-r----- 0/0 1 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/dependency_links.txt
-rw-r----- 0/0 9 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/top_level.txt
-rw-r----- 0/0 2272 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/PKG-INFO
-rw-r----- 0/0 790 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/SOURCES.txt
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/
-rw-r----- 0/0 134862 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
-rw-r--r-- 0/0 17255 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/socks.pyc
-rw-r--r-- 0/0 71120 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/__init__.py
-rw-r--r-- 0/0 18459 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/socks.py
-rw-r--r-- 0/0 3822 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/iri2uri.pyc
-rw-r--r-- 0/0 58381 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/__init__.pyc
-rw-r--r-- 0/0 3828 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/iri2uri.py
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/doc/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/doc/python-httplib2/
-rw-r--r-- 0/0 142 2015-10-16 14:58 ./usr/share/doc/python-httplib2/changelog.Debian.gz
root@ed6e37a48ab0:/tmp# umask
0022
```
The fact that cacerts.txt and the .egg-info files aren't world-readable is a problem. It means that wherever this package is installed, non-root users can't use httplib2 (read: the Python Arvados API client).
If you build the package with umask 077, all the other files respect that (they have no permissions for group or world), but cacerts.txt and the .egg-info files are still 0640 exactly. Their permissions are being set explicitly.
These files have correct permissions on Ubuntu 12.04 and Debian 7.
Fix
- Add pip to all of the arvados/build packages.
- Teach run-build-packages to download httplib2 from pip (with install --download), make the permissions change on the fly, then build the .deb/.rpm from the downloaded+fixed source.
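A check for the problem described above, as an added example that is not part of the ticket or of run-build-packages: it reads `dpkg-deb -c` output and reports regular files that lack the world-read bit, and it shows one way to do the "permissions change" step on an unpacked source tree. The function names and the use of `chmod -R a+rX` are assumptions made for illustration; the sample listing is constructed from four lines of the output above.

```sh
#!/bin/sh
# Added example; not taken from the ticket or from run-build-packages.

# Constructed sample: four lines copied from the listing in the description.
SAMPLE_LISTING='drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/
-rw-r----- 0/0 134862 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
-rw-r--r-- 0/0 18459 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/socks.py
-rw-r----- 0/0 9 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/top_level.txt'

# Read `dpkg-deb -c` output on stdin; print each regular file that lacks
# the world-read bit. Exit status is 1 if any such file was found.
audit_deb_listing() {
    awk '
        # $1 is the tar-style mode string: char 1 = type, char 8 = other-read.
        substr($1, 1, 1) == "-" && substr($1, 8, 1) != "r" {
            path = $6                                     # path starts at field 6
            for (i = 7; i <= NF; i++) path = path " " $i  # and may contain spaces
            print path
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# List regular files under directory $1 that are not world-readable.
list_unreadable() {
    find "$1" -type f ! -perm -004 -print
}

# Hypothetical fix step for an unpacked source tree: add read for everyone,
# and execute only on directories and files that are already executable.
fix_source_perms() {
    chmod -R a+rX "$1"
}

# Demo on the sample listing.
if ! printf '%s\n' "$SAMPLE_LISTING" | audit_deb_listing; then
    echo "package has files that non-root users cannot read" >&2
fi
```

Against a real package, pipe `dpkg-deb -c python-httplib2_0.9.2_all.deb` into `audit_deb_listing` and fail the build on a non-zero exit status.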
Updated by Brett Smith about 9 years ago
- Subject changed from [Deployment] httplib2 backport package includes files with 0640 perms to [Deployment] httplib2 backport package includes files with 0640 perms on trusty, jessie
- Description updated (diff)
Updated by Tom Clegg about 9 years ago
It looks like this is an httplib2 bug. The FreeBSD ports collection added a workaround for it 2 years ago:
http://svnweb.freebsd.org/ports/head/www/py-httplib2/Makefile?r1=332074&r2=332073&pathrev=332074
Updated by Brett Smith about 9 years ago
- Story points set to 0.5
Implementation:
- Add pip to all of the arvados/build packages.
- Teach run-build-packages to download httplib2 from pip (with install --download), make the permissions change on the fly, then build the .deb/.rpm from the downloaded+fixed source.
Updated by Brett Smith about 9 years ago
- Description updated (diff)
- Assigned To set to Brett Smith
- Target version changed from Arvados Future Sprints to 2015-11-11 sprint
Updated by Brett Smith about 9 years ago
7591-httplib2-perms-fix-wip is up for review. Note that it uses a subshell to make a lot of temporary changes to the shell state (-e option, current working directory). No matter how the subshell ends up exiting, none of that will change the state of the main shell.
Adding pip to the Docker image wasn't necessary because it's already there.
If this looks good to you, Nico, feel free to rebase/merge/push it yourself, since I might be scarce the next few days.
Updated by Nico César about 9 years ago
check a5bf97676451900886f6dda7521ca7db27cdd452
LGTM ...
Per Brett, I'll merge this, update ci.curoverse.com and run the Jenkins job.
Updated by Nico César about 9 years ago
https://ci.curoverse.com/job/build-packages/1550/console has the new version.
If it runs successfully, this ticket can be closed.
Updated by Nico César about 9 years ago
- Status changed from In Progress to Resolved