[PATCH] debianize: set Rules-Requires-Root in debian/control

[Isaac True]

Setting "Rules-Requires-Root: no" in the debian/control file avoids
unnecessarily calling fakeroot in the build environment. Packages which
require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
with the desired value.

This is specifically useful when using dpkg-raw, as it no longer needs
fakeroot to create the packages. This provides a considerable speedup in
some environments (e.g. systems with very high open file descriptor
limits and specific versions of fakeroot).

Signed-off-by: Isaac True <it...@emlix.com>
---
meta/classes/debianize.bbclass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/classes/debianize.bbclass b/meta/classes/debianize.bbclass
index 4989c601..eeebea69 100644
--- a/meta/classes/debianize.bbclass
+++ b/meta/classes/debianize.bbclass
@@ -16,6 +16,7 @@ DEBIAN_BREAKS ??= ""
DEBIAN_MULTI_ARCH ??= "no"
DEBIAN_COMPAT ??= "10"
DEBIAN_CHANGELOG_TIMESTAMP ??= "3600"
+DEBIAN_RULES_REQUIRES_ROOT ??= "no"
DESCRIPTION ??= "must not be empty"
MAINTAINER ??= "Unknown maintainer <unk...@example.com>"

@@ -74,7 +75,8 @@ deb_create_control[vardeps] += "DEBIANIZE_BUILD_DEPENDS \
DEBIAN_PROVIDES \
DEBIAN_REPLACES \
DEBIAN_BREAKS \
- DEBIAN_CONFLICTS"
+ DEBIAN_CONFLICTS \
+ DEBIAN_RULES_REQUIRES_ROOT"
deb_create_control() {
cat << EOF > ${S}/debian/control
Source: ${BPN}
@@ -83,6 +85,7 @@ Priority: optional
Standards-Version: 3.9.6
Maintainer: ${MAINTAINER}
Build-Depends: ${@ deb_list_beautify(d, 'DEBIANIZE_BUILD_DEPENDS')}
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: ${BPN}
Architecture: ${DPKG_ARCH}

[Isaac True]

Setting "Rules-Requires-Root: no" in the debian/control file avoids
unnecessarily calling fakeroot in the build environment. Packages which
require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
with the desired value.

This is particularly useful when using dpkg-raw, as it no longer needs

[Jan Kiszka]

On 14.08.25 16:34, Isaac True wrote:
> Setting "Rules-Requires-Root: no" in the debian/control file avoids
> unnecessarily calling fakeroot in the build environment. Packages which
> require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
> with the desired value.

Hmm, but the Policy says it's default-no anyway:

https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-requires-root

Did that default change recently?

This is a change that first of all requires an entry in
RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
down to buster (we still support building for it, yes, it's ELTS). And
you need to ensure that it will not change anything for existing layers
- which is in conflict with the expressed intention of this change.

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

[Prusty, Badrikesh]

Hi,

Thank you for the patch. I was about to send it.

We are facing intermittent freezes with build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie
Container image for build: kas-isar 4.8.1 (Debian Bookworm based)
Target Build Distro: Debian-bookworm
----------------------------------------------------------------------------------

Intermittent freezes observed during "do_dpkg_build" task when it runs the cmd: dpkg-buildpackage ----

Debian also recommends doing non-root builds when the build process doesn't installs to system paths (e.g., /etc, /usr). That's why most packages in Debian including linux-image, firmware-nonfree use "Rules-Requires-Root: no".

May be you can update kernel and kernel module recipe files as well and it uses control.tmpl files, and observed freezes with kernel builds.
isar/meta/recipes-kernel/linux/files/debian/control.tmpl
isar/meta/recipes-kernel/linux-module/files/debian/control.tmpl
by settings this: Rules-Requires-Root: no, I successfully built it (no intermittent freezes).

Thanks,
Badrikesh

--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250813084852.2503053-3-itrue%40emlix.com.

[Jan Kiszka]

On 15.08.25 15:09, Isaac True wrote:
>>
>> Hmm, but the Policy says it's default-no anyway:
>>
>> https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-
> requires-root
>>
>> Did that default change recently?
>

> According to the deb-src-control man page (https://www.man7.org/linux/
> man-pages/man5/deb-src-control.5.html) this only became the default with
> dpkg >= 1.22.13, which is relatively recent. Anything with a dpkg
> version earlier than that (which includes Ubuntu Jammy and Noble) uses
> `binary-targets` as the default, which calls fakeroot.

>
>> This is a change that first of all requires an entry in
>> RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
>> down to buster (we still support building for it, yes, it's ELTS). And
>> you need to ensure that it will not change anything for existing layers
>> - which is in conflict with the expressed intention of this change.
>

> Understood. Would you prefer that it doesn't add the field by default in
> order to maintain backwards-compatibility, and instead only add the
> field when the value is set?

For source-based packages, we should not change the API level's default
unless explicitly requested by the recipe. So, you could add
"Rules-Requires-Root" only if DEBIAN_RULES_REQUIRES_ROOT is set e.g.

For dpkg-prebuilt, I think we can safely go to non-root but only on
those distros that already understood "Rules-Requires-Root".

[Jan Kiszka]

On 15.08.25 15:07, 'Prusty, Badrikesh' via isar-users wrote:
> Hi,
>
> Thank you for the patch. I was about to send it.
>
> We are facing intermittent freezes with build configuration:
> ----------------------------------------------------------------------------------
> Host system: Debian Trixie
> Container image for build: kas-isar 4.8.1 (Debian Bookworm based)
> Target Build Distro: Debian-bookworm
> ----------------------------------------------------------------------------------
>
> Intermittent freezes observed during "do_dpkg_build" task when it runs the cmd: dpkg-buildpackage ----
>

Since when did you get those freezes? I'm not aware of any issues in any
of the many, many setups we have. There must be some additional variable
in play on your side.

> Debian also recommends doing non-root builds when the build process doesn't installs to system paths (e.g., /etc, /usr). That's why most packages in Debian including linux-image, firmware-nonfree use "Rules-Requires-Root: no".
>

If the upstream package in a specific debian version carries that
control field with "no" and our drop-in replacement recipe does not,
that should be fixed for that specific version. But we cannot globally
change things otherwise that easily (if at all).

[Prusty, Badrikesh]

Hi Jan,

Tested buster builds as well, build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie (Debian version: 13.0, kernel: 6.12.41+deb13-amd64)

Container image for build: kas-isar 4.8.1 (Debian Bookworm based)

Target Build Distro: Debian-buster
Target machine: qemuamd64
Target image: isar-image-base
----------------------------------------------------------------------------------


The build starts to intermittently freeze starting from this point:
```
tail -f build/tmp/work/debian-buster-amd64/samefile/2.14-r0/temp/log.do_dpkg_build
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package samefile
dpkg-buildpackage: info: source version 2.14
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Unknown maintainer <unk...@example.com>
dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
fakeroot debian/rules clean
```

As a result, these can take 40–45 minutes to build.

With the changes as done here in the patch: along with other files:
meta/classes/debianize.bbclass
meta/recipes-kernel/linux-module/files/debian/control.tmpl (build freezes: as isar-image-base requires example-module-amd64)

Thanks,
Badrikesh

[Prusty, Badrikesh]

Note: The system is not that fast-just a basic workstation:
CPU: Intel(R) Core(TM) i7-6700 (4Core / 8Thread)
HDD: Gen-3 SATA SSD
RAM: 32 GB

However, I didn't observe any freezes in the following scenarios:
1. Host: Trixie, Container: kas-isar 4.8.1 (Bookworm), Target Distro: debian-trixie (native/cross builds)
2. Host: Bookworm, Container: kas-isar 4.8.1 (Bookworm), Target Distro: debian-bookworm (native/cross builds)

Freezes were only observed in the scenarios mentioned in earlier comments.

Badrikesh

-----Original Message-----
From: 'Prusty, Badrikesh' via isar-users <isar-...@googlegroups.com>
Sent: 15 August 2025 19:19
To: Kiszka, Jan (FT RPD CED) <jan.k...@siemens.com>; Isaac True <it...@emlix.com>; isar-...@googlegroups.com
Subject: RE: [PATCH] debianize: set Rules-Requires-Root in debian/control

Hi Jan,

Tested buster builds as well, build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie (Debian version: 13.0, kernel: 6.12.41+deb13-amd64) Container image for build: kas-isar 4.8.1 (Debian Bookworm based) Target Build Distro: Debian-buster Target machine: qemuamd64 Target image: isar-image-base
----------------------------------------------------------------------------------


The build starts to intermittently freeze starting from this point:
```
tail -f build/tmp/work/debian-buster-amd64/samefile/2.14-r0/temp/log.do_dpkg_build
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package samefile
dpkg-buildpackage: info: source version 2.14
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Unknown maintainer <unk...@example.com> dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64 fakeroot debian/rules clean ```

As a result, these can take 40-45 minutes to build.

--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/isar-users/SG2PR06MB5107B8CF65C57DBB9950EE6E9134A%40SG2PR06MB5107.apcprd06.prod.outlook.com.

[Isaac True]

>
> Hmm, but the Policy says it's default-no anyway:
>
>
https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-requires-root
>
> Did that default change recently?

According to the deb-src-control man page

(https://www.man7.org/linux/man-pages/man5/deb-src-control.5.html) this

only became the default with dpkg >= 1.22.13, which is relatively
recent. Anything with a dpkg version earlier than that (which includes
Ubuntu Jammy and Noble) uses `binary-targets` as the default, which
calls fakeroot.

> This is a change that first of all requires an entry in
> RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
> down to buster (we still support building for it, yes, it's ELTS). And
> you need to ensure that it will not change anything for existing layers
> - which is in conflict with the expressed intention of this change.

Understood. Would you prefer that it doesn't add the field by default in
order to maintain backwards-compatibility, and instead only add the
field when the value is set?

Cheers,
Isaac

Isaac True
emlix GmbH, https://www.emlix.com
Fon +49 228 94 77 96 94
Bachstraße 6, 53115 Bonn, Germany
Sitz der Gesellschaft: Göttingen, Amtsgericht Göttingen HR B 3160
Geschäftsfuehrung: Heike Jordan, Dr. Uwe Kracke
Ust-IdNr.: DE 205 198 055

emlix - smart embedded open source

[Isaac True]

Add a new variable "DEBIAN_RULES_REQUIRES_ROOT" which can be used to
control the value of the "Rules-Requires-Root" parameter in the
debian/control file. If this variable has no value (the default
behaviour), nothing is added. Otherwise, it appends
"Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}" to the
Source section of the debian/control file.

This can be useful when using dpkg-raw, as setting this value to "no"
skips calling `fakeroot` during the package build process, which can
provide a considerable speedup in some environments (e.g. systems with

very high open file descriptor limits and specific versions of
fakeroot).

Signed-off-by: Isaac True <it...@emlix.com>
---

Changes in v2:
- Add information to RECIPE-API-CHANGELOG.md
- Only add Rules-Requires-Root if the DEBIAN_RULES_REQUIRES_ROOT
variable has been set

RECIPE-API-CHANGELOG.md | 8 ++++++++
meta/classes/debianize.bbclass | 17 ++++++++++++++++-
2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 8468717d..f0b94c2f 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -727,3 +727,11 @@ Changes in next

This was never documented and never had practical relevance. `oci-archive` is
the useful OCI image format that can be imported, e.g., by podman.
+
+### Allow setting Rules-Requires-Root
+
+Recipes based on the `debianize` class can now set the
+`DEBIAN_RULES_REQUIRES_ROOT` variable to control the value of the
+`Rules-Requires-Root` setting in the `debian/control` file. If this variable is
+unset (the default), `Rules-Requires-Root` will not be added. Otherwise,
+`Rules-Requires-Root` will be added and set to the value of the variable.
diff --git a/meta/classes/debianize.bbclass b/meta/classes/debianize.bbclass
index 4989c601..acc5a1ba 100644

--- a/meta/classes/debianize.bbclass
+++ b/meta/classes/debianize.bbclass
@@ -16,6 +16,7 @@ DEBIAN_BREAKS ??= ""
DEBIAN_MULTI_ARCH ??= "no"
DEBIAN_COMPAT ??= "10"
DEBIAN_CHANGELOG_TIMESTAMP ??= "3600"
+DEBIAN_RULES_REQUIRES_ROOT ??= ""

DESCRIPTION ??= "must not be empty"
MAINTAINER ??= "Unknown maintainer <unk...@example.com>"

@@ -74,8 +75,10 @@ deb_create_control[vardeps] += "DEBIANIZE_BUILD_DEPENDS \

DEBIAN_PROVIDES \
DEBIAN_REPLACES \
DEBIAN_BREAKS \
- DEBIAN_CONFLICTS"
+ DEBIAN_CONFLICTS \
+ DEBIAN_RULES_REQUIRES_ROOT"
deb_create_control() {

+ # Add Source section

cat << EOF > ${S}/debian/control
Source: ${BPN}

Section: misc
@@ -83,6 +86,18 @@ Priority: optional

Standards-Version: 3.9.6
Maintainer: ${MAINTAINER}
Build-Depends: ${@ deb_list_beautify(d, 'DEBIANIZE_BUILD_DEPENDS')}

+EOF
+
+ # If a value has been set, add the value of DEBIAN_RULES_REQUIRES_ROOT to
+ # the control file.
+ if [ -n "${DEBIAN_RULES_REQUIRES_ROOT}" ]; then
+ echo "Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}" >> \
+ ${S}/debian/control
+ fi
+
+ # Add Package section proceeded by an empty line to separate it from the
+ # previous section.
+ cat << EOF >> ${S}/debian/control