Proof-of-concept use of Ploutos to create RPM and DEB packages (#72)

* WIP

* WIP

* Test DEB too.

* Move package.metadata to the workspace member Cargo.toml because cargo read-manifest complains otherwise about missing package.name in the root Cargo.toml.

* Install clang for libclang needed by sudo-pam-sys build.rs.

* Add copyright needed by cargo-deb.

* Move copyright key to correct TOML table?

* Add maintainer key needed by cargo-deb.

* Install libclang for Debian/Ubuntu builds.

* Also install libpam-dev.

* Maintainer must contain an email address or else Lintian complains with error malformed-contact.

* Extended description must be defined or else Lintian complains with error extended-description-is-empty.

* Add a test script.

* Setuid in DEB as well as RPM packages.

* Should the paths be relative to the workspace root?

* Use workspace inheritance and standard Cargo settings where possible instead of custom packaging tool settings.

* Fix rpmlint warning 'invalid-license Apache-2.0' by using the correct license string.

* TOML syntax fix.

* Work around apt error 'E: Packages were downgraded and -y was used without --allow-downgrades.' presumably due to existing sudo package by same name but higher version.

* Oops, don't break Cargo workspace project relationship.

* Package conflicts with existing sudo package, but presumably test install still fails when the original sudo package is present.

* Ah cargo-deb *does* support Breaks and Replaces.

* Play nicely with the existing sudo package.

* Fix path to maintainer-scripts.

* Use the release Ploutos v7.

Author: ximon18

.github/workflows/pkg.yml

@@ -0,0 +1,23 @@
+on:
+  push:
+  workflow_dispatch:
+  
+jobs:
+  package:
+    uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7
+    with:
+      workspace_package: sudo
+  
+      package_build_rules: |
+        pkg: sudo-rs
+        image:
+          - "rockylinux:8"
+          - "ubuntu:jammy"
+        target: x86_64
+ 
+      package_test_scripts_path: pkg/test-scripts/test-sudo-rs.sh
+
+      deb_extra_build_packages: libclang-dev libpam-dev
+
+      rpm_extra_build_packages: pam-devel clang
+      rpm_scriptlets_path: pkg/rpm/scriptlets.toml

Cargo.toml

@@ -19,6 +19,8 @@ license = "Apache-2.0 OR MIT"
 edition = "2021"
 repository = "https://github.com/memorysafety/sudo-rs"
 homepage = "https://github.com/memorysafety/sudo-rs"
+description = "A memory safe implementation of sudo and su"
+readme = "README.md"
 publish = true
 
 [workspace.dependencies]

pkg/deb/postinst

@@ -0,0 +1,2 @@
+#!/bin/bash -e
+chmod +s /usr/bin/sudo-rs

pkg/rpm/scriptlets.toml

@@ -0,0 +1,4 @@
+post_install_script = '''
+#!/bin/bash -e
+chmod +s /usr/bin/sudo-rs
+'''

pkg/test-scripts/test-sudo-rs.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+set -x
+
+case $1 in
+  post-install|post-upgrade)
+    [[ $(find /usr/bin/sudo-rs -perm -g=s -exec echo SUDO-RS-HAS-SETUID \;) == "SUDO-RS-HAS-SETUID" ]]
+    ;;
+esac

sudo/Cargo.toml

@@ -6,6 +6,8 @@ license.workspace = true
 repository.workspace = true
 homepage.workspace = true
 publish.workspace = true
+readme.workspace = true
+description.workspace = true
 categories = ["command-line-interface"]
 
 [dependencies]
@@ -14,3 +16,29 @@ sudo-system.workspace = true
 sudo-cli.workspace = true
 sudoers.workspace = true
 sudo-pam.workspace = true
+
+[package.metadata.deb]
+name = "sudo-rs"
+copyright = "Copyright (c) 2022-2023 Internet Security Research Group"
+maintainer = "Prossimo (ISRG) <[email protected]>"
+maintainer-scripts = "../pkg/deb/"
+# Until we think it is safe to actually replace the real sudo package, don't
+# mark it as breaking or replacing the real sudo package and don't attempt to
+# overwrite /usr/bin/sudo, instead explicitly via assets install it under new
+# name /usr/bin/sudo-rs
+#breaks = "sudo"
+#replaces = "sudo"
+assets = [
+  ["target/release/sudo", "/usr/bin/sudo-rs", "755"]
+]
+
+[package.metadata.generate-rpm]
+# See: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses
+license = "ASL 2.0"
+# Until we think it is safe to actually replace the real sudo package, don't
+# mark it as obsoleting the real sudo package and don't attempt to overwrite
+# /usr/bin/sudo, instead install it under new name /usr/bin/sudo-rs.
+#obsoletes = "sudo"
+assets = [
+  { source = "target/release/sudo", dest = "/usr/bin/sudo-rs", mode = "755" }
+]