[PATCH] debianize: set Rules-Requires-Root in debian/control

34 views
Skip to first unread message

Isaac True

unread,
Aug 15, 2025, 8:34:46 AMAug 15
to isar-...@googlegroups.com, Isaac True
Setting "Rules-Requires-Root: no" in the debian/control file avoids
unnecessarily calling fakeroot in the build environment. Packages which
require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
with the desired value.

This is specifically useful when using dpkg-raw, as it no longer needs
fakeroot to create the packages. This provides a considerable speedup in
some environments (e.g. systems with very high open file descriptor
limits and specific versions of fakeroot).

Signed-off-by: Isaac True <it...@emlix.com>
---
meta/classes/debianize.bbclass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/classes/debianize.bbclass b/meta/classes/debianize.bbclass
index 4989c601..eeebea69 100644
--- a/meta/classes/debianize.bbclass
+++ b/meta/classes/debianize.bbclass
@@ -16,6 +16,7 @@ DEBIAN_BREAKS ??= ""
DEBIAN_MULTI_ARCH ??= "no"
DEBIAN_COMPAT ??= "10"
DEBIAN_CHANGELOG_TIMESTAMP ??= "3600"
+DEBIAN_RULES_REQUIRES_ROOT ??= "no"
DESCRIPTION ??= "must not be empty"
MAINTAINER ??= "Unknown maintainer <unk...@example.com>"

@@ -74,7 +75,8 @@ deb_create_control[vardeps] += "DEBIANIZE_BUILD_DEPENDS \
DEBIAN_PROVIDES \
DEBIAN_REPLACES \
DEBIAN_BREAKS \
- DEBIAN_CONFLICTS"
+ DEBIAN_CONFLICTS \
+ DEBIAN_RULES_REQUIRES_ROOT"
deb_create_control() {
cat << EOF > ${S}/debian/control
Source: ${BPN}
@@ -83,6 +85,7 @@ Priority: optional
Standards-Version: 3.9.6
Maintainer: ${MAINTAINER}
Build-Depends: ${@ deb_list_beautify(d, 'DEBIANIZE_BUILD_DEPENDS')}
+Rules-Requires-Root: ${DEBIAN_RULES_REQUIRES_ROOT}

Package: ${BPN}
Architecture: ${DPKG_ARCH}

Isaac True

unread,
Aug 15, 2025, 8:34:46 AMAug 15
to isar-...@googlegroups.com, Isaac True
Setting "Rules-Requires-Root: no" in the debian/control file avoids
unnecessarily calling fakeroot in the build environment. Packages which
require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
with the desired value.

This is particularly useful when using dpkg-raw, as it no longer needs

Jan Kiszka

unread,
Aug 15, 2025, 9:01:13 AMAug 15
to Isaac True, isar-...@googlegroups.com
On 14.08.25 16:34, Isaac True wrote:
> Setting "Rules-Requires-Root: no" in the debian/control file avoids
> unnecessarily calling fakeroot in the build environment. Packages which
> require root can override the new "DEBIAN_RULES_REQUIRES_ROOT" variable
> with the desired value.

Hmm, but the Policy says it's default-no anyway:

https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-requires-root

Did that default change recently?
This is a change that first of all requires an entry in
RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
down to buster (we still support building for it, yes, it's ELTS). And
you need to ensure that it will not change anything for existing layers
- which is in conflict with the expressed intention of this change.

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

Prusty, Badrikesh

unread,
Aug 15, 2025, 9:07:43 AMAug 15
to Isaac True, isar-...@googlegroups.com
Hi,

Thank you for the patch. I was about to send it.

We are facing intermittent freezes with build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie
Container image for build: kas-isar 4.8.1 (Debian Bookworm based)
Target Build Distro: Debian-bookworm
----------------------------------------------------------------------------------

Intermittent freezes observed during "do_dpkg_build" task when it runs the cmd: dpkg-buildpackage ----

Debian also recommends doing non-root builds when the build process doesn't installs to system paths (e.g., /etc, /usr). That's why most packages in Debian including linux-image, firmware-nonfree use "Rules-Requires-Root: no".

May be you can update kernel and kernel module recipe files as well and it uses control.tmpl files, and observed freezes with kernel builds.
isar/meta/recipes-kernel/linux/files/debian/control.tmpl
isar/meta/recipes-kernel/linux-module/files/debian/control.tmpl
by settings this: Rules-Requires-Root: no, I successfully built it (no intermittent freezes).

Thanks,
Badrikesh
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250813084852.2503053-3-itrue%40emlix.com.

Jan Kiszka

unread,
Aug 15, 2025, 9:39:37 AMAug 15
to Isaac True, isar-...@googlegroups.com
On 15.08.25 15:09, Isaac True wrote:
>>
>> Hmm, but the Policy says it's default-no anyway:
>>
>> https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-
> requires-root
>>
>> Did that default change recently?
>
> According to the deb-src-control man page (https://www.man7.org/linux/
> man-pages/man5/deb-src-control.5.html) this only became the default with
> dpkg >= 1.22.13, which is relatively recent. Anything with a dpkg
> version earlier than that (which includes Ubuntu Jammy and Noble) uses
> `binary-targets` as the default, which calls fakeroot.
>
>> This is a change that first of all requires an entry in
>> RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
>> down to buster (we still support building for it, yes, it's ELTS). And
>> you need to ensure that it will not change anything for existing layers
>> - which is in conflict with the expressed intention of this change.
>
> Understood. Would you prefer that it doesn't add the field by default in
> order to maintain backwards-compatibility, and instead only add the
> field when the value is set?

For source-based packages, we should not change the API level's default
unless explicitly requested by the recipe. So, you could add
"Rules-Requires-Root" only if DEBIAN_RULES_REQUIRES_ROOT is set e.g.

For dpkg-prebuilt, I think we can safely go to non-root but only on
those distros that already understood "Rules-Requires-Root".

Jan Kiszka

unread,
Aug 15, 2025, 9:44:26 AMAug 15
to Prusty, Badrikesh, Isaac True, isar-...@googlegroups.com
On 15.08.25 15:07, 'Prusty, Badrikesh' via isar-users wrote:
> Hi,
>
> Thank you for the patch. I was about to send it.
>
> We are facing intermittent freezes with build configuration:
> ----------------------------------------------------------------------------------
> Host system: Debian Trixie
> Container image for build: kas-isar 4.8.1 (Debian Bookworm based)
> Target Build Distro: Debian-bookworm
> ----------------------------------------------------------------------------------
>
> Intermittent freezes observed during "do_dpkg_build" task when it runs the cmd: dpkg-buildpackage ----
>

Since when did you get those freezes? I'm not aware of any issues in any
of the many, many setups we have. There must be some additional variable
in play on your side.

> Debian also recommends doing non-root builds when the build process doesn't installs to system paths (e.g., /etc, /usr). That's why most packages in Debian including linux-image, firmware-nonfree use "Rules-Requires-Root: no".
>

If the upstream package in a specific debian version carries that
control field with "no" and our drop-in replacement recipe does not,
that should be fixed for that specific version. But we cannot globally
change things otherwise that easily (if at all).

Prusty, Badrikesh

unread,
Aug 15, 2025, 9:49:13 AMAug 15
to Kiszka, Jan, Isaac True, isar-...@googlegroups.com
Hi Jan,

Tested buster builds as well, build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie (Debian version: 13.0, kernel: 6.12.41+deb13-amd64)
Container image for build: kas-isar 4.8.1 (Debian Bookworm based)
Target Build Distro: Debian-buster
Target machine: qemuamd64
Target image: isar-image-base
----------------------------------------------------------------------------------


The build starts to intermittently freeze starting from this point:
```
tail -f build/tmp/work/debian-buster-amd64/samefile/2.14-r0/temp/log.do_dpkg_build
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package samefile
dpkg-buildpackage: info: source version 2.14
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Unknown maintainer <unk...@example.com>
dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64
fakeroot debian/rules clean
```

As a result, these can take 40–45 minutes to build.

With the changes as done here in the patch: along with other files:
meta/classes/debianize.bbclass
meta/recipes-kernel/linux-module/files/debian/control.tmpl (build freezes: as isar-image-base requires example-module-amd64)

Thanks,
Badrikesh

Prusty, Badrikesh

unread,
Aug 15, 2025, 10:15:25 AMAug 15
to Prusty, Badrikesh, Kiszka, Jan, Isaac True, isar-...@googlegroups.com
Note: The system is not that fast-just a basic workstation:
CPU: Intel(R) Core(TM) i7-6700 (4Core / 8Thread)
HDD: Gen-3 SATA SSD
RAM: 32 GB

However, I didn't observe any freezes in the following scenarios:
1. Host: Trixie, Container: kas-isar 4.8.1 (Bookworm), Target Distro: debian-trixie (native/cross builds)
2. Host: Bookworm, Container: kas-isar 4.8.1 (Bookworm), Target Distro: debian-bookworm (native/cross builds)

Freezes were only observed in the scenarios mentioned in earlier comments.

Badrikesh

-----Original Message-----
From: 'Prusty, Badrikesh' via isar-users <isar-...@googlegroups.com>
Sent: 15 August 2025 19:19
To: Kiszka, Jan (FT RPD CED) <jan.k...@siemens.com>; Isaac True <it...@emlix.com>; isar-...@googlegroups.com
Subject: RE: [PATCH] debianize: set Rules-Requires-Root in debian/control

Hi Jan,

Tested buster builds as well, build configuration:
----------------------------------------------------------------------------------
Host system: Debian Trixie (Debian version: 13.0, kernel: 6.12.41+deb13-amd64) Container image for build: kas-isar 4.8.1 (Debian Bookworm based) Target Build Distro: Debian-buster Target machine: qemuamd64 Target image: isar-image-base
----------------------------------------------------------------------------------


The build starts to intermittently freeze starting from this point:
```
tail -f build/tmp/work/debian-buster-amd64/samefile/2.14-r0/temp/log.do_dpkg_build
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package samefile
dpkg-buildpackage: info: source version 2.14
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Unknown maintainer <unk...@example.com> dpkg-source --before-build .
dpkg-buildpackage: info: host architecture amd64 fakeroot debian/rules clean ```

As a result, these can take 40-45 minutes to build.
--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/SG2PR06MB5107B8CF65C57DBB9950EE6E9134A%40SG2PR06MB5107.apcprd06.prod.outlook.com.

Isaac True

unread,
Aug 19, 2025, 9:27:43 AMAug 19
to Jan Kiszka, isar-...@googlegroups.com
>
> Hmm, but the Policy says it's default-no anyway:
>
>
https://www.debian.org/doc/debian-policy/ch-controlfields.html#rules-requires-root
>
> Did that default change recently?

According to the deb-src-control man page
(https://www.man7.org/linux/man-pages/man5/deb-src-control.5.html) this
only became the default with dpkg >= 1.22.13, which is relatively
recent. Anything with a dpkg version earlier than that (which includes
Ubuntu Jammy and Noble) uses `binary-targets` as the default, which
calls fakeroot.

> This is a change that first of all requires an entry in
> RECIPE-API-CHANGELOG.md. But you also need to explain if this is fine
> down to buster (we still support building for it, yes, it's ELTS). And
> you need to ensure that it will not change anything for existing layers
> - which is in conflict with the expressed intention of this change.

Understood. Would you prefer that it doesn't add the field by default in
order to maintain backwards-compatibility, and instead only add the
field when the value is set?

Cheers,
Isaac
Isaac True
emlix GmbH, https://www.emlix.com
Fon +49 228 94 77 96 94
Bachstraße 6, 53115 Bonn, Germany
Sitz der Gesellschaft: Göttingen, Amtsgericht Göttingen HR B 3160
Geschäftsfuehrung: Heike Jordan, Dr. Uwe Kracke
Ust-IdNr.: DE 205 198 055

emlix - smart embedded open source

Reply all
Reply to author
Forward
0 new messages