From 51f9a4128ec9461ab36ca32f66e77b760aaa31f7 Mon Sep 17 00:00:00 2001 From: Bernhard M. Wiedemann Date: Jan 17 2024 16:38:17 +0000 Subject: update --- diff --git a/.files b/.files index 0814791..e07e8ee 100644 Binary files a/.files and b/.files differ diff --git a/.rev b/.rev index c43d2f5..f1cde0f 100644 --- a/.rev +++ b/.rev @@ -594,4 +594,24 @@ - Rebase brltty-udev-dir.patch. 1105121 + + ef8af83887466d26d574a664f23626eb + 6.6 + + anag+factory + - Disable parallel build again + 1130116 + + + 1b62b8e41f9a7e478340e35312dd6fb1 + 6.6 + + anag+factory + - README.SUSE: add documentation about the state of security of the brltty + daemon (bsc#1214158). + +- Use ocaml-rpm-macros to track OCaml ABI +- Reduce amount of rpmlint warnings with brltty.rpmlintrc + 1132864 + diff --git a/README.SUSE b/README.SUSE index db67118..eae0e8c 100644 --- a/README.SUSE +++ b/README.SUSE @@ -24,3 +24,16 @@ to be able to have orca interact with the Braille display. It also disallows remote users from interacting with the display. If you would like to change this behavior, then you can edit the api-parameters directive in /etc/brltty.conf. + +Notes on Security +======================================================================== + +The brltty daemon runs as a dedicated service user and group account named +"brltty". While this looks got from afar, the daemon actually keeps a lot of +privileges, most notably among them: + +- root group membership. +- Linux capabilities CAP_SYS_ADMIN and CAP_MKNOD. + +Therefore the SUSE security team currently considers the brltty service to be +equivalent to root. diff --git a/brltty.changes b/brltty.changes index 502dc44..2f6cc86 100644 --- a/brltty.changes +++ b/brltty.changes 
@@ -1,4 +1,21 @@ ------------------------------------------------------------------- +Wed Dec 13 11:10:22 UTC 2023 - Matthias Gerstner + +- README.SUSE: add documentation about the state of security of the brltty + daemon (bsc#1214158). + +------------------------------------------------------------------- +Tue Dec 12 12:12:12 UTC 2023 - ohering@suse.de + +- Use ocaml-rpm-macros to track OCaml ABI +- Reduce amount of rpmlint warnings with brltty.rpmlintrc + +------------------------------------------------------------------- +Thu Nov 30 22:22:22 UTC 2023 - olaf@aepfle.de + +- Disable parallel build again + +------------------------------------------------------------------- Wed Aug 16 12:35:59 UTC 2023 - Bjørn Lie - Add e6707d5e.patch: brlapi: Fix python crash on connection error. diff --git a/brltty.rpmlintrc b/brltty.rpmlintrc new file mode 100644 index 0000000..aa5d409 --- /dev/null +++ b/brltty.rpmlintrc @@ -0,0 +1,2 @@ +addFilter("devel-file-in-non-devel-package") +addFilter("static-library-without-debuginfo") diff --git a/brltty.spec b/brltty.spec index 23b34dc..c136347 100644 --- a/brltty.spec +++ b/brltty.spec @@ -16,6 +16,7 @@ # +%global _lto_cflags %_lto_cflags -ffat-lto-objects %define api_version 0.8.5 %define sover 0_8 %define soname libbrlapi%{sover} @@ -30,6 +31,7 @@ URL: https://brltty.app/ Source0: https://brltty.app/archive/%name-%version.tar.xz Source1: README.SUSE +Source2: %name.rpmlintrc Patch0: brltty-udev-dir.patch Patch1: https://github.com/brltty/brltty/commit/e6707d5e.patch @@ -46,6 +48,7 @@ BuildRequires: jpackage-utils BuildRequires: libbraille-devel BuildRequires: ncurses-devel BuildRequires: ocaml +BuildRequires: ocaml-rpm-macros >= 20231101 BuildRequires: pkg-config BuildRequires: python-rpm-macros BuildRequires: python3 
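Review bot: Both `addFilter` lines in the new brltty.rpmlintrc are unanchored, so they silence `devel-file-in-non-devel-package` and `static-library-without-debuginfo` for every subpackage the spec builds, not only the one that needs the exception. If the warnings come from the OCaml binding (an inference from the spec changes later in this commit), the filters could be narrowed to that package, e.g. `addFilter("ocaml-brlapi.*devel-file-in-non-devel-package")`, with a comment line such as `# OCaml bindings ship .a/.cmxa/.mli files by design` above them. As written, the filters would also hide a stray static library or header that lands in the daemon package in a later update.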
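Review bot: The new `%global _lto_cflags %_lto_cflags -ffat-lto-objects` line at the top of brltty.spec expands `%_lto_cflags` unconditionally and carries no explanation. Where the macro is undefined, the literal text `%_lto_cflags` would end up in the compiler flags; the conditional form avoids that: `%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects`. A one-line comment such as `# static archives are packaged, so objects must also contain regular code` would record why fat LTO objects are needed. That reason is inferred from the static-library changes elsewhere in this commit.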
@@ -160,7 +163,7 @@ complete screen review functionality. This package contains the XWindow braille driver. %package udev-generic -Summary: BRLTTY Udev rules for braille devices that use a generic USB to serial adapter. +Summary: BRLTTY Udev rules for braille devices that use a generic USB to serial adapter Group: System/Daemons Requires: %name = %version-%release @@ -333,24 +336,28 @@ for i in -I%_libdir/jvm/java/include{,/linux}; do done export PYTHON=/usr/bin/python3 %configure CPPFLAGS="$java_inc" \ - --with-install-root="%buildroot" \ --with-tables-directory=%_datadir/%name \ - --libexecdir=%_libexecdir \ --disable-stripping -%make_build +make %install sed -i "s=/usr/libexec/brltty-systemd-wrapper=%_libexecdir/brltty-systemd-wrapper=" Autostart/Systemd/brltty@.service -%make_install install-systemd install-udev install-polkit DESTDIR="%buildroot" +%make_install install-systemd install-udev install-polkit INSTALL_ROOT="%buildroot" +for exe in %buildroot%_bindir/* +do + sed -i~ '1{s@%_bindir/env[[:blank:]]\+@%_bindir/@}' "${exe}" + diff -u "$_"~ "$_" || : + rm -f "${exe}~" +done %find_lang %name sed -i "s/#api-parameters Auth=polkit/api-parameters Auth=polkit/" Documents/brltty.conf install -D -m644 Documents/brltty.conf %buildroot%_sysconfdir/brltty.conf # ghost brlapi.key touch %buildroot%_sysconfdir/brlapi.key -# Don't include source files in binary package -rm -f %buildroot%_libdir/ocaml/brlapi/brlapi.{mli,cmxa} +# OCaml +%ocaml_create_file_list +# rm %buildroot%_libdir/libbrlapi.a -rm %buildroot%_libdir/ocaml/brlapi/libbrlapi_stubs.a rm %buildroot/etc/X11/Xsession.d/90xbrlapi # TODO: install this somewhere? # fix missing executable bits test ! -x %buildroot%_bindir/brltty-config.sh 
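Review bot: The shebang-rewrite loop added to %install runs `sed -i~` on every entry under `%buildroot%_bindir/*`, so compiled binaries are rewritten in place too, and any symlink there would be replaced by a regular copy of its target. Skipping everything that is not a plain script avoids both, e.g. `[ -L "${exe}" ] && continue` followed by `head -c2 "${exe}" | grep -q '^#!' || continue` at the top of the loop body. The comparison would also read more plainly as `diff -u "${exe}~" "${exe}" || :` instead of relying on `$_` holding the previous command's last argument. In the same hunk `%make_build` becomes a bare `make` with no comment; a line such as `# parallel build disabled on purpose, see brltty.changes` would record why. The %install section continues past the end of the hunk.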
@@ -526,9 +533,7 @@ rm -f %_localstatedir/adm/update-messages/%name-%version-%release-something %{_jnidir}/libbrlapi_java.so %{_javadir}/brlapi.jar -%files -n ocaml-brlapi -%_libdir/ocaml/brlapi/ -%_libdir/ocaml/stublibs/dllbrlapi_stubs.so* +%files -n ocaml-brlapi -f %name.files.devel %files -n python3-brlapi %{python3_sitearch}/brlapi.cpython*.so
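Review bot: The `%files -n ocaml-brlapi` line now takes its contents only from the generated `%name.files.devel` list, so the spec no longer states which paths the package owns. The `%ocaml_create_file_list` macro is also expected to write a runtime list (`%name.files`), and this hunk does not reference it. Whether that list is attached to another %files section is not visible here; if it is not, the stub library previously listed as `%_libdir/ocaml/stublibs/dllbrlapi_stubs.so*` may end up in no package. A short comment above the line, for example `# file lists are generated by %%ocaml_create_file_list in %%install`, would make the origin of the contents clear.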