Commit a951e0b9efcb ("conf: Add --runas option, changing to given UID and GID if started as root") dropped the call to initgroups() that used to add supplementary groups corresponding to the user we'll eventually run as -- we don't need those. However, if the original user belongs to supplementary groups (usually not the case, if started as root), we don't drop those, now, and rpmlint says: passt.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/passt passt.x86_64: E: missing-call-to-setgroups-before-setuid /usr/bin/passt.avx2 Add a call to setgroups() with an empty set, to drop any supplementary group we might currently have, before changing GID and UID. Reported-by: Daniel P. Berrangé Signed-off-by: Stefano Brivio --- util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util.c b/util.c index 9b87b65..7e10deb 100644 --- a/util.c +++ b/util.c @@ -525,7 +525,7 @@ void check_root(struct ctx *c) #endif } - if (!setgid(c->gid) && !setuid(c->uid)) + if (!setgroups(0, NULL) && !setgid(c->gid) && !setuid(c->uid)) return; fprintf(stderr, "Can't change user/group, exiting"); -- 2.35.1

The "Simple versioning" scheme: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simpl... probably doesn't apply to passt, given that upstream git tags are not really releases. Switch to the "Snapshots" versioning scheme: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/#_simpl... Suggested-by: Daniel P. Berrangé Signed-off-by: Stefano Brivio --- contrib/fedora/rpkg.macros | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/contrib/fedora/rpkg.macros b/contrib/fedora/rpkg.macros index 2032034..df9dfc5 100644 --- a/contrib/fedora/rpkg.macros +++ b/contrib/fedora/rpkg.macros @@ -12,7 +12,10 @@ # Author: Stefano Brivio function git_version { - printf "0.git.%s.%s" "$(date -u -I | tr - _)" "$(git rev-parse --short HEAD)" + __commit="$(git rev-parse --short "${1:-HEAD}")" + __date="$(git log --pretty="format:%cI" "${__commit}" -1)" + + printf "0^%s.g%s" "$(date -uI -d "${__date}" | tr -d -)" "${__commit}" } function git_head { @@ -28,7 +31,7 @@ function passt_git_changelog_entry { __date="$(git log --pretty="format:%cI" "${__to}" -1)" __author="$(git log -1 --pretty="format:%an <%ae>" ${__to} -- contrib/fedora)" - printf "* %s %s - %s\n" "$(date "+%a %b %e %Y" -d "${__date}")" "${__author}" "0.git.${1}-0" + printf "* %s %s - %s\n" "$(date "+%a %b %e %Y" -d "${__date}")" "${__author}" "$(git_version "${__to}")-1" IFS=' ' -- 2.35.1

...which makes it fall under MIT licensing terms. Daniel reports that it's very unusual for spec files to contain explicit licensing terms and might cause minor inconveniences later on, on mass changes to spec files. I originally added licensing information using SPDX identifiers to make the project fully compliant with the REUSE Specification 3.0 (https://reuse.software/spec/), but there are anyway a few more files not including explicit licensing information. It might be worth to fix that later on, in any case. Suggested-by: Daniel P. Berrangé Signed-off-by: Stefano Brivio --- contrib/fedora/passt.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 87c3e93..4f9be34 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -1,5 +1,3 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later -# # PASST - Plug A Simple Socket Transport # for qemu/UNIX domain socket mode # -- 2.35.1

...as it's used twice. The short version, however, appears hardcoded only once in the output, and it comes straight from the rpkg macro building the version string -- leave that macro as it is. Suggested-by: Daniel P. Berrangé Signed-off-by: Stefano Brivio --- contrib/fedora/passt.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 9356858..6125a3b 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -7,6 +7,8 @@ # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio +%global git_hash {{{ git_head }}} + Name: passt Version: {{{ git_version }}} Release: 1%{?dist} @@ -14,7 +16,7 @@ Summary: User-mode networking daemons for virtual machines and namespaces License: AGPLv3+ and BSD Group: System Environment/Daemons URL: https://passt.top/ -Source: https://passt.top/passt/snapshot/passt-{{{ git_head }}}.tar.xz +Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz BuildRequires: gcc, make, checkpolicy, selinux-policy-devel @@ -40,7 +42,7 @@ Requires(preun): policycoreutils, %{name} This package adds SELinux enforcement to passt(1) and pasta(1). %prep -%setup -q -n passt-{{{ git_head }}} +%setup -q -n passt-%{git_hash} %build %set_build_flags -- 2.35.1

Fedora's parameters currently match the ones from the Makefile (which is based on GNU recommendations), but that's not necessarily guaranteed. This should make the OpenSUSE Tumbleweed override for docdir unnecessary: drop it. Suggested-by: Daniel P. Berrangé Signed-off-by: Stefano Brivio --- contrib/fedora/passt.spec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index a8af326..ca22d38 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -49,10 +49,8 @@ This package adds SELinux enforcement to passt(1) and pasta(1). %make_build %install -%if 0%{?suse_version} > 910 -%make_install DESTDIR=%{buildroot} prefix=%{_prefix} docdir=%{_prefix}/share/doc/packages/passt -%else -%make_install DESTDIR=%{buildroot} prefix=%{_prefix} +%make_install DESTDIR=%{buildroot} prefix=%{_prefix} bindir=%{_bindir} mandir=%{_mandir} docdir=%{_docdir}/passt + %endif %ifarch x86_64 ln -sr %{buildroot}%{_mandir}/man1/passt.1 %{buildroot}%{_mandir}/man1/passt.avx2.1 -- 2.35.1