[Fedora-packaging] Should .so files under python site dir be 755 perms?

Mamoru TASAKA mtasaka at fedoraproject.org
Thu Sep 12 14:51:41 UTC 2013


Hi:

Michael Schwendt wrote, at 09/12/2013 07:47 PM +9:00:
> On Thu, 12 Sep 2013 00:29:58 +0900, Mamoru TASAKA wrote:
>
>> Well, I have been wondering about this for a long time. Actually creating debuginfo,
>> stripping shared libs and making the shared libs non executable can
>> be accomplished by using %attr, i.e.
>> - At %install, install the shared libs with 0755 as before
>> - On %files, explicitly mark the files with %attr(0644,root,root)
>>
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=5923317
>>
>> Some other distros make non-executable shared libs 0644 permission.
>> Is the %attr approach for this case allowed / preferable / discouraged?
>
> It is widely accepted practice to limit %attr usage to really special
> permissions (such as setuid, setgid) and ownership (non-root user and/or
> group), so where that is done in a spec file, it sticks out.
> In packages with many files, overusing %attr would decrease readability
> even when using spec syntax-highlighting. Ordinary file permissions should
> get fixed in %install and upstream.
>
> Is it guaranteed that %attr will set the permission _after_ debuginfo
> generation?

Yes, because debuginfo generation is done at %__spec_install_post,
and %check follows after that.

> AFAIK, the only thing that wants +x on these libs is the debuginfo
> generator, and IIRC there's support already for flipping a flag and making
> it work with non-executables, too.

Well, currently I don't know that.

> ldd still warns about non-executable libs. And the build tools are not
> specific to Fedora/Linux, so they will likely keep making .so files +x.

(While I don't know Debian well) it seems that at least Debian makes
.so files 0644 for most cases (and perhaps also Ubuntu), ref:

https://lists.fedoraproject.org/pipermail/devel/2011-March/149822.html
https://lists.fedoraproject.org/pipermail/devel/2011-March/149857.html

> How many of the libs contain special code that can be run?
Perhaps libc, libpthread and some very special exceptions.

> I don't want to imagine a large configure script running a lib for
> some version check or feature list. Would packagers need to check every
> lib for whether it may be run or not?

So I think for most cases they do not (need not) run, and only quite
a few cases should be concerned.

Regards,
Mamoru
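
Added example, not part of the original post or of any Fedora tooling: one way a packager could answer the question quoted above of whether every lib must be checked for being runnable, before settling on 0644 or 0755. It assumes, as a heuristic, that a shared object meant to be run directly carries a PT_INTERP program header (as libc.so.6 does on glibc systems); `has_interp`, `audit` and `sample_elf` are hypothetical names and the sample ELF image is constructed.

```python
import os, stat, struct, sys

PT_INTERP = 3  # program header type that names the dynamic loader

def has_interp(data: bytes) -> bool:
    """Heuristic (assumption of this example): PT_INTERP present => may be run."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return False
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if data[4] == 2:                          # EI_CLASS: 2 = 64-bit
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                     # 32-bit layout
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                             # truncated read or bogus header
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return True
    return False

def audit(root: str):
    """Yield (path, current mode, suggested mode) for each .so under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not (name.endswith(".so") or ".so." in name):
                continue
            with open(path, "rb") as f:
                head = f.read(65536)          # assumption: headers sit in first 64 KiB
            mode = stat.S_IMODE(os.stat(path).st_mode)
            yield path, mode, 0o755 if has_interp(head) else 0o644

def sample_elf(p_type: int) -> bytes:
    """Constructed 64-bit little-endian ET_DYN image with one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ident + hdr + struct.pack("<II", p_type, 4) + bytes(48)

if __name__ == "__main__":
    for path, mode, want in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "" if mode == want else "  <- differs"
        print(f"{oct(mode)} suggested {oct(want)} {path}{flag}")
```

Run it against a buildroot or a Python site directory; the dynamic loader itself has no PT_INTERP yet can be executed, so treat a 0644 suggestion as a prompt to look, not a verdict.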




