Bug#1092625: RFS: xchpst/0.2.1-1 [ITP] -- eXtended CHange Process STate
Matthias Geiger
werdahias at riseup.net
Fri Jan 10 19:04:32 GMT 2025
On Fri, 10 Jan 2025 02:32, Andrew Bower <andrew at bower.uk> wrote:
>Package: sponsorship-requests
>Severity: wishlist
>X-Debbugs-CC: debian-init-diversity at chiark.greenend.org.uk
>
>Dear mentors,
>
>I am looking for a sponsor for my package "xchpst".
>
>xchpst unlocks modern hardening options for system services supervised
>by runit. This new tool is backwards compatible with runit's chpst,
>adding options to set up Linux namespaces, control capabilities
>and various other process control options, in a single invocation.
>
> * Package name : xchpst
> Version : 0.2.1-1
> Upstream contact : Andrew Bower <andrew at bower.uk>
> * URL : https://gitlab.com/abower/xchpst
> * License : Expat
> * Vcs : https://salsa.debian.org/abower/xchpst
> Section : admin
>
>The source builds the following binary packages:
>
> xchpst - eXtended CHange Process STate
>
>The proposed package is available on mentors:
>
> https://mentors.debian.net/package/xchpst/
> dget -x https://mentors.debian.net/debian/pool/main/x/xchpst/xchpst_0.2.1-1.dsc
>
>Changes for the initial release:
>
> xchpst (0.2.1-1) unstable; urgency=medium
> .
> * Initial release (Closes: #1092288)
>
>There is plenty of scope to expand the range of hardening options
>upstream. Uploading this version will enable service runscripts to
>benefit now and close the feedback loop to help direct priorities.
>
>For an example of how xchpst could be applied, please see the head commit
>on this proof-of-concept branch:
>
>https://salsa.debian.org/abower/runit-services/-/commits/xchpst-poc
>
>This feature is developed separately from the runit package to avoid
>bloating lean runit. In order to allow runscripts to benefit without
>introducing avoidable dependencies and be able to fall back to just the
>options supported by chpst, I will suggest the addition of a simple
>script and man page there that xchpst will divert away:
>
>https://salsa.debian.org/abower/runit/-/commits/xchpst-compat
>
Hi Andrew,

the package builds fine for me, but its autopkgtest fails for me with
unshare sbuild:

autopkgtest [20:04:19]: Setting up user "unshare" to sudo without password...
enable-sudo: 28: usermod: not found
pid-ns SKIP Failed to enable needs-sudo restriction: exit status 127
autopkgtest [20:04:19]: @@@@@@@@@@@@@@@@@@@@ summary
ro-sys FAIL non-zero exit status 111
private-tmp FAIL non-zero exit status 111
pid-ns SKIP Failed to enable needs-sudo restriction: exit status 127

I think unshare (the new default) prohibits some privileges; but I am
not the expert here. Maybe someone else can shed more light on this. I
don't know if debci has switched to unshare yet either.

Once the autopkgtest is fixed I'll sponsor it to NEW.

best,

werdahias