[PATCH] meta: default "Rules-Requires-Root: no", make it configurable


Badrikesh Prusty

Sep 7, 2025, 4:43:15 PM
to isar-...@googlegroups.com, badrikesh prusty
From: badrikesh prusty <badrikes...@siemens.com>

Setting "Rules-Requires-Root: no" in the debian/control file avoids
unnecessarily calling fakeroot in the build environment. Packages which
require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
with the desired value.

Debian recommends not using fakeroot to build a package if it is not
required i.e., if a package's build doesn't require any privileged
operations such as changing ownership to root, installing/modifying
files as root.

This also fixes hangs observed during fakeroot calls in
dpkg-buildpackage. References:
https://github.com/ilbers/isar/issues/113
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114644
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072521

Signed-off-by: Badrikesh Prusty <badrikes...@siemens.com>
---
meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl | 1 +
meta/recipes-bsp/optee-ftpm/optee-ftpm.inc | 3 +++
meta/recipes-bsp/optee-os/files/debian/control.tmpl | 1 +
meta/recipes-bsp/optee-os/optee-os.inc | 4 +++-
meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl | 1 +
.../trusted-firmware-a/trusted-firmware-a-custom.inc | 4 +++-
meta/recipes-bsp/u-boot/files/debian/control.tmpl | 1 +
meta/recipes-bsp/u-boot/u-boot-custom.inc | 4 +++-
meta/recipes-kernel/linux-module/files/debian/control.tmpl | 1 +
meta/recipes-kernel/linux-module/module.inc | 2 ++
meta/recipes-kernel/linux/files/debian/control.tmpl | 1 +
meta/recipes-kernel/linux/linux-custom.inc | 2 ++
12 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
index e6af7554..d4374909 100644
--- a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Standards-Version: 3.9.6
Maintainer: Unknown maintainer <unk...@example.com>
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: ${PN}
Architecture: any
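Review bot: the added `Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}` line writes whatever the recipe variable holds straight into the source stanza, so an empty or mistyped override ends up in debian/control unchecked. The field only accepts `no`, `binary-targets` or a space-separated list of keywords; if no recipe here needs anything other than `no`, writing `Rules-Requires-Root: no` directly in the template would remove that failure mode and the extra TEMPLATE_VARS plumbing.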
diff --git a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
index 738b694a..257c5c4c 100644
--- a/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
+++ b/meta/recipes-bsp/optee-ftpm/optee-ftpm.inc
@@ -23,6 +23,8 @@ DEBIAN_BUILD_DEPENDS ?= " \
optee-os-tadevkit-${OPTEE_NAME} \
"

+DEBIAN_RULES_REQUIRES_ROOT ?= "no"
+
TA_CPU ?= "unknown"
TA_DEV_KIT_DIR ?= "unknown"
OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
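Review bot: `DEBIAN_RULES_REQUIRES_ROOT ?= "no"` introduces a new recipe-facing variable without a comment on its accepted values, and because it is a weak `?=` default under the same name in all six .inc files of this patch, a single assignment in a layer or local configuration would switch all of these recipes at once. Please add a short comment above the assignment naming the allowed values, and consider whether the default belongs in one shared place rather than six copies.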
@@ -30,6 +32,7 @@ OPTEE_FTPM_BUILD_ARGS_EXTRA ?= " "
TEMPLATE_FILES = "debian/rules.tmpl debian/control.tmpl"
TEMPLATE_VARS += "DEBIAN_BUILD_DEPENDS \
DEBIAN_COMPAT \
+ DEBIAN_RULES_REQUIRES_ROOT \
OPTEE_FTPM_BUILD_ARGS_EXTRA \
TA_CPU \
TA_DEV_KIT_DIR"
diff --git a/meta/recipes-bsp/optee-os/files/debian/control.tmpl b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
index 7bcd6edb..443578bd 100644
--- a/meta/recipes-bsp/optee-os/files/debian/control.tmpl
+++ b/meta/recipes-bsp/optee-os/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Standards-Version: 3.9.6
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
Maintainer: ISAR project <isar-...@googlegroups.com>
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: ${DEBIAN_PACKAGE_NAME}
Architecture: ${DISTRO_ARCH}
diff --git a/meta/recipes-bsp/optee-os/optee-os.inc b/meta/recipes-bsp/optee-os/optee-os.inc
index eac75ae8..edd21f58 100644
--- a/meta/recipes-bsp/optee-os/optee-os.inc
+++ b/meta/recipes-bsp/optee-os/optee-os.inc
@@ -22,8 +22,10 @@ DEBIAN_PACKAGE_NAME ?= "optee-os-${OPTEE_NAME}"

DEBIAN_BUILD_DEPENDS ?= "python3-pycryptodome:native, python3-pyelftools"

+DEBIAN_RULES_REQUIRES_ROOT ?= "no"
+
TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_PACKAGE_NAME OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"
+TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_PACKAGE_NAME DEBIAN_RULES_REQUIRES_ROOT OPTEE_NAME DEBIAN_BUILD_DEPENDS OPTEE_PLATFORM OPTEE_EXTRA_BUILDARGS"

# split strip platform flavor, if any, from the specified platform string
OPTEE_PLATFORM_BASE = "${@d.getVar('OPTEE_PLATFORM').split('-')[0]}"
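Review bot: the TEMPLATE_VARS change rewrites one very long line to insert DEBIAN_RULES_REQUIRES_ROOT in the middle, which makes the diff hard to read and the next addition equally noisy. Splitting the assignment across backslash-continued lines, one variable per line as optee-ftpm.inc does, would keep later changes to a one-line hunk.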
diff --git a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
index cf4607e3..311b44c0 100644
--- a/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
+++ b/meta/recipes-bsp/trusted-firmware-a/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Standards-Version: 3.9.6
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
Maintainer: ISAR project <isar-...@googlegroups.com>
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: trusted-firmware-a-${TF_A_NAME}
Architecture: ${DISTRO_ARCH}
diff --git a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
index 9f143b13..4ea7cc6c 100644
--- a/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
+++ b/meta/recipes-bsp/trusted-firmware-a/trusted-firmware-a-custom.inc
@@ -20,10 +20,12 @@ TF_A_BINARIES ?= "release/bl31.bin"

DEBIAN_BUILD_DEPENDS ?= ""

+DEBIAN_RULES_REQUIRES_ROOT ?= "no"
+
PROVIDES += "trusted-firmware-a-${TF_A_NAME}"

TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "DEBIAN_COMPAT \
+TEMPLATE_VARS += "DEBIAN_COMPAT DEBIAN_RULES_REQUIRES_ROOT \
TF_A_NAME DEBIAN_BUILD_DEPENDS TF_A_PLATFORM TF_A_EXTRA_BUILDARGS"

do_prepare_build() {
diff --git a/meta/recipes-bsp/u-boot/files/debian/control.tmpl b/meta/recipes-bsp/u-boot/files/debian/control.tmpl
index 006982c2..6cbdf02c 100644
--- a/meta/recipes-bsp/u-boot/files/debian/control.tmpl
+++ b/meta/recipes-bsp/u-boot/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Standards-Version: 3.9.6
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
Maintainer: ISAR project <isar-...@googlegroups.com>
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: u-boot-${MACHINE}
Architecture: ${DISTRO_ARCH}
diff --git a/meta/recipes-bsp/u-boot/u-boot-custom.inc b/meta/recipes-bsp/u-boot/u-boot-custom.inc
index 2d6dd8e0..e3081ce9 100644
--- a/meta/recipes-bsp/u-boot/u-boot-custom.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-custom.inc
@@ -20,12 +20,14 @@ SRC_URI += "file://debian/"

DEBIAN_BUILD_DEPENDS ?= "bc, bison, flex, device-tree-compiler, git"

+DEBIAN_RULES_REQUIRES_ROOT ?= "no"
+
U_BOOT_BIN_INSTALL ?= "${U_BOOT_BIN}"

U_BOOT_EXTRA_BUILDARGS ??= "BL31=${BL31} TEE=${TEE}"

TEMPLATE_FILES = "debian/control.tmpl debian/rules.tmpl"
-TEMPLATE_VARS += "MACHINE DEBIAN_BUILD_DEPENDS U_BOOT_CONFIG U_BOOT_BIN \
+TEMPLATE_VARS += "MACHINE DEBIAN_BUILD_DEPENDS DEBIAN_RULES_REQUIRES_ROOT U_BOOT_CONFIG U_BOOT_BIN \
U_BOOT_EXTRA_BUILDARGS DEBIAN_COMPAT"

U_BOOT_TOOLS_PACKAGE ?= "0"
diff --git a/meta/recipes-kernel/linux-module/files/debian/control.tmpl b/meta/recipes-kernel/linux-module/files/debian/control.tmpl
index 45fcbc0e..914733d8 100644
--- a/meta/recipes-kernel/linux-module/files/debian/control.tmpl
+++ b/meta/recipes-kernel/linux-module/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Standards-Version: 3.9.6
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
Maintainer: ${MAINTAINER}
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: ${PN}
Architecture: any
diff --git a/meta/recipes-kernel/linux-module/module.inc b/meta/recipes-kernel/linux-module/module.inc
index d2a41766..b51e8965 100644
--- a/meta/recipes-kernel/linux-module/module.inc
+++ b/meta/recipes-kernel/linux-module/module.inc
@@ -34,6 +34,7 @@ KERNEL_MODULE_SIGNATURES ??= ""
DEB_BUILD_PROFILES += "${@'pkg.signwith' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
DEPENDS += "${@'module-signer secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
DEBIAN_BUILD_DEPENDS .= "${@', module-signer, secure-boot-secrets' if bb.utils.to_boolean(d.getVar('KERNEL_MODULE_SIGNATURES')) else ''}"
+DEBIAN_RULES_REQUIRES_ROOT ?= "no"

SRC_URI += "file://debian/"

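Review bot: the new default sits directly under the three KERNEL_MODULE_SIGNATURES lines, and the commit message does not say whether a build with module signing enabled (the `pkg.signwith` profile with module-signer and secure-boot-secrets) was exercised with `Rules-Requires-Root: no`. Please confirm that configuration was tested, and separate the assignment with a blank line as the other .inc files do so it does not read as part of the signing block.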
@@ -63,6 +64,7 @@ TEMPLATE_VARS += " \
KAFLAGS \
MODULE_DIR \
DEBIAN_BUILD_DEPENDS \
+ DEBIAN_RULES_REQUIRES_ROOT \
SIGNATURE_KEYFILE \
SIGNATURE_CERTFILE \
SIGNATURE_HASHFN \
diff --git a/meta/recipes-kernel/linux/files/debian/control.tmpl b/meta/recipes-kernel/linux/files/debian/control.tmpl
index a79b86c4..479f8ff0 100644
--- a/meta/recipes-kernel/linux/files/debian/control.tmpl
+++ b/meta/recipes-kernel/linux/files/debian/control.tmpl
@@ -4,6 +4,7 @@ Priority: optional
Maintainer: ${MAINTAINER}
Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), bc, kmod, cpio, ${KBUILD_DEPENDS}
Homepage: http://www.kernel.org/
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: linux-image-${KERNEL_NAME_PROVIDED}
Build-Profiles: <kernel>
diff --git a/meta/recipes-kernel/linux/linux-custom.inc b/meta/recipes-kernel/linux/linux-custom.inc
index 01e9bff7..e073206f 100644
--- a/meta/recipes-kernel/linux/linux-custom.inc
+++ b/meta/recipes-kernel/linux/linux-custom.inc
@@ -17,6 +17,8 @@ DISTRIBUTOR ?= "ISAR"
# pinned due to known or possible issues with compat 12
DEBIAN_COMPAT:buster = "10"

+DEBIAN_RULES_REQUIRES_ROOT ?= "no"
+
KBUILD_DEPENDS ?= "build-essential:native, \
libelf-dev:native, \
libncurses-dev:native, \
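Review bot: this hunk only sets the `?=` default; unlike the other five .inc files in the patch, nothing here adds DEBIAN_RULES_REQUIRES_ROOT to TEMPLATE_VARS, and the diffstat confirms linux-custom.inc has just these two insertions. Since the linux control.tmpl now contains `${DEBIAN_RULES_REQUIRES_ROOT}`, please check that the variable is actually substituted for the kernel package, and add it to TEMPLATE_VARS if it is not.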
--
2.47.3

Badrikesh Prusty

Sep 7, 2025, 4:54:02 PM
to isar-users
Hello,

Some recipes use a predefined control.tmpl file instead of generating it with the debianize class.

Thanks,
Badrikesh

Jan Kiszka

Sep 8, 2025, 1:29:05 AM
to Badrikesh Prusty, isar-...@googlegroups.com
You are missing the most important control point:
meta/classes/debianize.bbclass

But not already the changes here justify a RECIPE-API-CHANGELOG.md entry.

BTW, what about meta-isar/recipes-app/snake4/files/debian/control
and meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl?

>
> diff --git a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> index e6af7554..d4374909 100644
> --- a/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> +++ b/meta/recipes-bsp/optee-ftpm/files/debian/control.tmpl
> @@ -4,6 +4,7 @@ Priority: optional
> Standards-Version: 3.9.6
> Maintainer: Unknown maintainer <unk...@example.com>
> Build-Depends: debhelper-compat (= ${DEBIAN_COMPAT}), ${DEBIAN_BUILD_DEPENDS}
> +Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Why making this a variable? optee-client already hard-codes it to no.
Applies to the others as well.
Do we have packages in isar where we know that root is indeed needed?

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

Felix Moessbauer

Sep 8, 2025, 4:02:17 AM
to isar-...@googlegroups.com
On 9/7/25 22:42, 'Badrikesh Prusty' via isar-users wrote:
> From: badrikesh prusty <badrikes...@siemens.com>
>
> Setting "Rules-Requires-Root: no" in the debian/control file avoids
> unnecessarily calling fakeroot in the build environment. Packages which
> require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
> with the desired value.
>
> Debian recommends not using fakeroot to build a package if it is not
> required i.e., if a package's build doesn't require any privileged
> operations such as changing ownership to root, installing/modifying
> files as root.
>
> This also fixes hangs observed during fakeroot calls in
> dpkg-buildpackage. References:
> https://github.com/ilbers/isar/issues/113
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114644
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072521

Thanks for bringing this upstream as well. I hope they will backport the
fakeroot fix, as indicated in 1114644. Once we have that, we can / have
to also update the kas container.

Anyways, your patch does not fix the hang, it just makes it less likely
as now more packages are built without fakeroot. It merely is an
optimization.

While debian does not recommend to set this to yes, I'm wondering if the
default is still yes (or if that changed in trixie).

Felix
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

Prusty, Badrikesh

Sep 11, 2025, 5:43:45 AM
to Kiszka, Jan, MOESSBAUER, Felix, isar-...@googlegroups.com
Hi Jan and Felix,

Thanks for your response.

> BTW, what about meta-isar/recipes-app/snake4/files/debian/control
> and meta-isar/recipes-bsp/optee-examples/files/debian/control.tmpl?

Will check and update.


> You are missing the most important control point:
> meta/classes/debianize.bbclass
>
> But not already the changes here justify a RECIPE-API-CHANGELOG.md entry.

I saw the patch from Issac True, did the changes in debianize.bbclass: https://groups.google.com/g/isar-users/c/MYQDhaHPtX0
Avoided duplicating here.

> Why making this a variable? optee-client already hard-codes it to no.
> Applies to the others as well.
>
> Do we have packages in isar where we know that root is indeed needed?

Yes, I initially thought the same, but needed some suggestions. Since I didn't find any recipe requiring root permissions to build (as we're not installing anything to the system paths), I also tested building all the recipes with Rules-Requires-Root: no. The build progressed fine.
On salsa.debian.org, I checked some package sources like Linux, U-Boot, etc., and they build without requiring fakeroot.

Should I avoid creating a variable and setting it to no by default for all of these?

> While debian does not recommend to set this to yes, I'm wondering if the
> default is still yes (or if that changed in trixie).

With dpkg version 1.22.13, which is present in Debian Trixie, the default value is no.
In dpkg versions used in Debian Bookworm and earlier, the default value of Rules-Requires-Root was binary-targets.


> Anyways, your patch does not fix the hang, it just makes it less likely
> as now more packages are built without fakeroot. It merely is an
> optimization.

Yes, that's true. I also noticed that it builds slightly faster on Debian Bookworm - not a significant difference, but it may become noticeable with longer tasks.



Regards,
Badrikesh
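
The defaults given in the message above mean a control file without the field gets a different effective value on Bookworm and on Trixie. As an added example (not part of the thread or of isar), this Python sketch parses the source stanza of a debian/control or control.tmpl file and reports whether the value is explicit, templated or left to the dpkg default; the helper names and sample inputs are constructed for illustration, and the default table is taken from the message above.

```python
import re

# Helper names are illustrative, not isar or dpkg APIs. Defaults as stated in the
# thread: "no" with dpkg 1.22.13 (Trixie), "binary-targets" in Bookworm and earlier.
DPKG_DEFAULT = {"trixie": "no", "bookworm": "binary-targets"}

def source_stanza_fields(text):
    """Parse the first (source) stanza of a deb822 control file into a dict."""
    fields, last, started = {}, None, False
    for line in text.splitlines():
        if line.startswith("#"):
            continue                          # comment lines are skipped
        if not line.strip():
            if started:
                break                         # blank line ends the source stanza
            continue
        started = True
        if line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()   # continuation of previous field
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()       # field names are case-insensitive
            fields[last] = value.strip()
    return fields

def classify(text, suite):
    """Return (status, effective value) for one control file on a given suite."""
    value = source_stanza_fields(text).get("rules-requires-root")
    if value is None:
        return "implicit", DPKG_DEFAULT[suite]    # falls back to the dpkg default
    if re.search(r"\$\{\w+\}", value):
        return "templated", value             # decided by the recipe at build time
    if value in ("no", "binary-targets"):
        return "explicit", value
    kws = value.split()                       # otherwise a keyword list, each with "/"
    ok = bool(kws) and all("/" in kw for kw in kws)
    return ("keywords" if ok else "invalid"), value

# Constructed sample inputs, modelled on the templates quoted in the patch.
SAMPLES = {
    "templated": "Source: demo\nBuild-Depends: debhelper-compat (= 13)\n"
                 "Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}\n\nPackage: demo\n",
    "hard-coded": "Source: demo\nrules-requires-root: no\n\nPackage: demo\n",
    "missing": "Source: demo\n# Rules-Requires-Root: no\n\n"
               "Package: demo\nRules-Requires-Root: no\n",
}

def report(suite):
    return {name: classify(text, suite) for name, text in SAMPLES.items()}
```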

Anton Mikanovich

Sep 17, 2025, 4:26:28 AM
to Jan Kiszka, Badrikesh Prusty, isar-...@googlegroups.com, Felix Moessbauer
17/09/2025 11:18, Jan Kiszka wrote:
> Hi Anton,
>
> I see this patch in your test queue but it's not ready for upstream yet
> - just to avoid that it accidentally lands in next.
>
> Jan
>
Hello Jan,

Thanks for keeping an eye on it, I'm just trying to find unbuildable patches
as early as possible, so sometimes CI is running even before looking
inside of the patch contents or discussions. Will wait for work on it to
be finished.

P.S. I hope we will go to automatic input control sometime.

Jan Kiszka

Sep 17, 2025, 4:43:19 AM
to Anton Mikanovich, Badrikesh Prusty, isar-...@googlegroups.com, Felix Moessbauer
Hi Anton,

On 07.09.25 22:42, 'Badrikesh Prusty' via isar-users wrote:
> From: badrikesh prusty <badrikes...@siemens.com>
>
> Setting "Rules-Requires-Root: no" in the debian/control file avoids
> unnecessarily calling fakeroot in the build environment. Packages which
> require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
> with the desired value.
>
> Debian recommends not using fakeroot to build a package if it is not
> required i.e., if a package's build doesn't require any privileged
> operations such as changing ownership to root, installing/modifying
> files as root.
>
> This also fixes hangs observed during fakeroot calls in
> dpkg-buildpackage. References:
> https://github.com/ilbers/isar/issues/113
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114644
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072521
>
> Signed-off-by: Badrikesh Prusty <badrikes...@siemens.com>

I see this patch in your test queue but it's not ready for upstream yet
- just to avoid that it accidentally lands in next.

Jan

Jan Kiszka

Sep 17, 2025, 4:43:19 AM
to Anton Mikanovich, Badrikesh Prusty, isar-...@googlegroups.com, Felix Moessbauer
Makes sense, thanks for the explanation!

Badrikesh Prusty

Sep 19, 2025, 2:32:22 AM
to isar-users
Hi Jan,


Addressed the comments. 

I didn't find any snake4 recipes in isar's next branch: meta-isar/recipes-app/snake4/files/debian/control

I hardcoded "Rules-Requires-Root: no" as suggested and performed various checks: isar-ci-fast, isar-ci-dev tests. Also tested with upstream repositories: meta-iot2050, isar-cip-core, meta-tensorbox and the builds are progressing fine.

Thanks,
Badrikesh