From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 7 Dec 2017 21:26:13 +0000 (+0100)
Subject: build: `apt-get purge sudo` after using it for sudo= build field
X-Git-Tag: 1.0.0~33^2~1
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=fdroidserver.git;a=commitdiff_plain;h=bb758d3f00ba976fcf955928492f517e4b94685b

build: `apt-get purge sudo` after using it for sudo= build field

Once `sudo` has been used to execute the commands in sudo=, then it should
be removed from the build VM.  That prevents any other part of the build
from using sudo.  That means that all commands run with `sudo` must be
committed to fdroiddata.git, making them very visible.

closes #424
---

diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index d83342d5..e2866fbd 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -414,6 +414,11 @@ def build_local(app, build, vcs, build_dir, output_dir, log_dir, srclib_dir, ext
                 raise BuildException("Error running sudo command for %s:%s" %
                                      (app.id, build.versionName), p.output)
 
+        p = FDroidPopen(['sudo', 'apt-get', '-y', 'purge', 'sudo'])
+        if p.returncode != 0:
+            raise BuildException("Error removing sudo for %s:%s" %
+                                 (app.id, build.versionName), p.output)
+
         log_path = os.path.join(log_dir,
                                 common.get_toolsversion_logname(app, build))
         with open(log_path, 'w') as f: