https://sourceforge.net/p/fink/patches/161/Recent changes to 161: add sandboxing support to fink (revised approach)enFri, 11 Nov 2016 13:21:29 -0000https://sourceforge.net/p/fink/patches/161/?limit=25#08ec<div class="markdown_content"><p>The changes from the fink 0.41.0 release.are..</p> <div class="codehilite"><pre><span class="gh">diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST</span> <span class="gd">--- fink-0.41.0.orig/MANIFEST 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/MANIFEST 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -24,6 +24,8 @@</span> fink.8.in fink.conf.5.in fink.csh <span class="gi">+fink.sb</span> <span class="gi">+fink.sb.5.in</span> fink.sh images/finkDoneFailed.png images/finkDonePassed.png <span class="gh">diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in</span> <span class="gd">--- fink-0.41.0.orig/fink.8.in 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/fink.8.in 2016-11-11 08:09:00.000000000 -0500</span> <span class="gu">@@ -103,6 +103,21 @@</span> .It Cm --no-build-as-nobody Force the the unpack, patch, compile, and install phases to be performed as root. <span class="gi">+.It Cm --build-in-sandbox</span> <span class="gi">+Execute packaging within a sandbox which blacklists read access to </span> <span class="gi">+those directories listed in</span> <span class="gi">+.Pa @PREFIX@/etc/fink.sb.</span> <span class="gi">+\ This is the default behavior unless overridden by a</span> <span class="gi">+.Pa NoSandbox: true</span> <span class="gi">+directive in a .info file, the</span> <span class="gi">+.Cm --no-build-in-sandbox</span> <span class="gi">+flag is used, or if the</span> <span class="gi">+.Pa @PREFIX@/etc/fink.sb</span> <span class="gi">+file is empty.</span> <span class="gi">+.It Cm --no-build-in-sandbox</span> <span class="gi">+Don't execute within a sandbox, opposite of the</span> <span class="gi">+.Cm --build-in-sandbox</span> <span class="gi">+flag.</span> .It Cm -m, --maintainer Perform actions useful to package maintainers: run validation on the .info file before building and on the .deb after building a <span class="gh">diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb</span> <span class="gd">--- fink-0.41.0.orig/fink.sb 1969-12-31 19:00:00.000000000 -0500</span> <span class="gi">+++ fink-0.41.0/fink.sb 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -0,0 +1,2 @@</span> <span class="gi">+/usr/local</span> <span class="gi">+/opt/local</span> <span class="gh">diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in</span> <span class="gd">--- fink-0.41.0.orig/fink.sb.5.in 1969-12-31 19:00:00.000000000 -0500</span> <span class="gi">+++ fink-0.41.0/fink.sb.5.in 2016-11-10 09:24:50.000000000 -0500</span> <span class="gu">@@ -0,0 +1,60 @@</span> <span class="gi">+.\" -*- nroff -*-</span> <span class="gi">+.Dd November 2011</span> <span class="gi">+.Dt FINK.SB 5</span> <span class="gi">+.Sh NAME</span> <span class="gi">+.Nm fink.sb</span> <span class="gi">+.Nd sandboxing configuration file for</span> <span class="gi">+.Xr fink 8</span> <span class="gi">+.Sh SYNOPSIS</span> <span class="gi">+@PREFIX@/etc/fink.sb</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" DESCRIPTION</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh DESCRIPTION</span> <span class="gi">+The</span> <span class="gi">+.Xr fink 8</span> <span class="gi">+packaging system defaults to compiling packages within a protected sandbox that blacklists </span> <span class="gi">+access to directories listed in</span> <span class="gi">+.Nm</span> <span class="gi">+In general, modifying the list of blacklisted directories meant for advanced users only.</span> <span class="gi">+.Pp</span> <span class="gi">+The default</span> <span class="gi">+.Nm</span> <span class="gi">+blacklists the following directories</span> <span class="gi">+</span> <span class="gi">+.Bl -tag -width flag -offset indent -compact</span> <span class="gi">+.It /usr/local</span> <span class="gi">+.It /opt/local</span> <span class="gi">+.El</span> <span class="gi">+.Pp</span> <span class="gi">+The blacklisted directories appear one per line in the file.</span> <span class="gi">+</span> <span class="gi">+Note that an empty</span> <span class="gi">+.Nm</span> <span class="gi">+file disables the automatic sandboxing in the fink program.</span> <span class="gi">+.El</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" AUTHOR</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh AUTHOR</span> <span class="gi">+This manpage is maintained by the Fink Core Group &lt;fink-core@lists.sourceforge.net&gt;.</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" ACKNOWLEDGEMENTS</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh ACKNOWLEDGEMENTS</span> <span class="gi">+.Nm fink</span> <span class="gi">+is developed and maintained by The Fink Project (http://www.finkproject.org).</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" SEE ALSO</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh "SEE ALSO"</span> <span class="gi">+.Xr apt-get 8 ,</span> <span class="gi">+.Xr fink 8</span> <span class="gh">diff -uNr fink-0.41.0.orig/install.sh fink-0.41.0/install.sh</span> <span class="gd">--- fink-0.41.0.orig/install.sh 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/install.sh 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -70,8 +70,10 @@</span> install -c -p -m 755 postinstall.pl "$basepath/lib/fink/" install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/" <span class="gi">+install -c -p -m 644 fink.sb "$basepath/etc/"</span> install -c -p -m 644 fink.8 "$basepath/share/man/man8/" install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/" <span class="gi">+install -c -p -m 644 fink.sb.5 "$basepath/share/man/man5/"</span> install -c -p -m 644 images/*.png "$basepath/share/fink/images/" # copy executables <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm fink-0.41.0/perlmod/Fink/Bootstrap.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Bootstrap.pm 2016-11-06 18:58:41.000000000 -0500</span> <span class="gu">@@ -500,6 +500,8 @@</span> Fink::Config::set_options( { 'use_binary' =&gt; -1 }); # bootstrap as root Fink::Config::set_options( { 'build_as_nobody' =&gt; 0 }); <span class="gi">+ # don't use sandbox during bootstrap</span> <span class="gi">+ Fink::Config::set_options( { 'build_in_sandbox' =&gt; 0 });</span> # make sure we have the package descriptions Fink::Package-&gt;require_packages(); <span class="gu">@@ -581,6 +583,8 @@</span> # bootstrap as root Fink::Config::set_options( { 'build_as_nobody' =&gt; 0 }); <span class="gi">+ # don't use sandbox during bootstrap</span> <span class="gi">+ Fink::Config::set_options( { 'build_in_sandbox' =&gt; 0 });</span> # use normal install routines, but do not use buildlocks Fink::Config::set_options( { 'no_buildlock' =&gt; 1 } ); Fink::Engine::cmd_install(@elist, @addlist); <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Config.pm fink-0.41.0/perlmod/Fink/Config.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Config.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Config.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -219,6 +219,7 @@</span> map( { $_ =&gt; 0 } qw(dontask interactive verbosity keep_build keep_root maintainermode showversion use_binary) ), map( { $_ =&gt; 1 } qw(build_as_nobody) ), <span class="gi">+ map( { $_ =&gt; -1 } qw(build_in_sandbox) ),</span> map( { $_ =&gt; "" } qw(tests validate) ), map ( { $_ =&gt; [] } qw(include_trees exclude_trees) ), map( { $_ =&gt; -1 } qw(use_binary) ), <span class="gu">@@ -272,6 +273,7 @@</span> 'download pre-compiled packages from the binary distribution ' . 'if available' ], [ 'build-as-nobody!' =&gt; \$opts{build_as_nobody}, 'see man page' ], <span class="gi">+ [ 'build-in-sandbox!' =&gt; \$opts{build_in_sandbox}, 'see man page' ],</span> [ 'maintainer|m' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], [ 'tests:s' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], [ 'validate:s' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/PkgVersion.pm fink-0.41.0/perlmod/Fink/PkgVersion.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/PkgVersion.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/PkgVersion.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -4036,6 +4036,9 @@</span> } } <span class="gi">+ # switch everything back to sandbox builds if we were --build-in-sandbox</span> <span class="gi">+ my $build_wo_sandbox = $self-&gt;get_family_parent()-&gt;param_boolean("NoSandbox", 0);</span> <span class="gi">+</span> # put the info file into the debian directory if (-d "$destdir/DEBIAN") { my $infofile = $self-&gt;get_filename(); <span class="gu">@@ -5218,6 +5221,7 @@</span> my $phase = shift; my $no_expand = shift || 0; my $nonroot_okay = shift || 0; <span class="gi">+ my $no_sandbox_okay = shift || 0;</span> my $ignore_result = shift || 0; # Expand percent shortcuts <span class="gu">@@ -5227,10 +5231,13 @@</span> my $result; # Don't build as nobody if BuildAsNobody: false my $build_as_nobody = $self-&gt;get_family_parent()-&gt;param_boolean("BuildAsNobody", 1); <span class="gi">+ # Build in sandbox if NoSandbox: false</span> <span class="gi">+ my $build_wo_sandbox = $self-&gt;get_family_parent()-&gt;param_boolean("NoSandbox", 0);</span> $nonroot_okay = $nonroot_okay &amp;&amp; $build_as_nobody; <span class="gi">+ $no_sandbox_okay = $build_wo_sandbox;</span> { local %ENV = %{$self-&gt;get_env($phase)}; <span class="gd">- $result = &amp;execute($script, nonroot_okay=&gt;$nonroot_okay);</span> <span class="gi">+ $result = &amp;execute($script, nonroot_okay=&gt;$nonroot_okay, no_sandbox_okay=&gt;$no_sandbox_okay);</span> } if ($result and !$ignore_result) { $self-&gt;package_error( phase =&gt; $phase ); <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Services.pm fink-0.41.0/perlmod/Fink/Services.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Services.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Services.pm 2016-11-11 08:15:48.000000000 -0500</span> <span class="gu">@@ -514,6 +514,11 @@</span> the --build-as-nobody flag, drop to user=nobody when running the actual commands. <span class="gi">+=item no_sandbox_okay</span> <span class="gi">+</span> <span class="gi">+If the value of the option 'no_sandbox_okay' is true, fink was run with</span> <span class="gi">+the --no-build-in-sandbox flag.</span> <span class="gi">+</span> =item delete_tempfile Whether to delete temp-files that are created. The following values <span class="gu">@@ -594,6 +599,32 @@</span> @wrap = map "$_=$ENV{$_}", sort keys %ENV; push @wrap, "__CFPREFERENCES_AVOID_DAEMON=1"; unshift @wrap, 'env' if @wrap; <span class="gi">+ my $runtime_request = Fink::Config::get_option("build_in_sandbox");</span> <span class="gi">+ my $sandbox_request;</span> <span class="gi">+ if ($runtime_request == 1) { # --build-in-sandbox </span> <span class="gi">+ $sandbox_request = 1;</span> <span class="gi">+ } elsif ($runtime_request == 0) { # -no-build-in-sandbox </span> <span class="gi">+ $sandbox_request = 0;</span> <span class="gi">+ } elsif ($options{'no_sandbox_okay'}) { # NoSandbox: true in info file</span> <span class="gi">+ $sandbox_request = 0;</span> <span class="gi">+ } else {</span> <span class="gi">+ $sandbox_request = 1;</span> <span class="gi">+ }</span> <span class="gi">+ if ( !-z "$Fink::Config::basepath/etc/fink.sb" &amp;&amp; $sandbox_request ) {</span> <span class="gi">+ my $sandbox = "$Fink::Config::basepath/etc/fink.sb";</span> <span class="gi">+ if (open my $info, $sandbox) {</span> <span class="gi">+ my $sandbox_profile = "(version 1) \n";</span> <span class="gi">+ $sandbox_profile .= "(allow default) \n";</span> <span class="gi">+ $sandbox_profile .= "(deny file* \n";</span> <span class="gi">+ while( my $line = &lt;$info&gt;) {</span> <span class="gi">+ chomp $line;</span> <span class="gi">+ $sandbox_profile .= "\t(subpath \"".$line."\"\)\n";</span> <span class="gi">+ }</span> <span class="gi">+ $sandbox_profile .= "\)\n";</span> <span class="gi">+ close $info;</span> <span class="gi">+ @wrap = (qw| sandbox-exec -p |, $sandbox_profile, @wrap) if -f $sandbox;</span> <span class="gi">+ }</span> <span class="gi">+ }</span> my $sudo_cmd = "sudo -u " . Fink::Config::build_as_user_group()-&gt;{'user'}; @wrap = (split(' ', $sudo_cmd), @wrap, qw/ sh -c /); $wrap_token = "$sudo_cmd [ENV] sh -c "; <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Validation.pm fink-0.41.0/perlmod/Fink/Validation.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Validation.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Validation.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -66,7 +66,7 @@</span> # All fields that expect a boolean value our %boolean_fields = map {$_, 1} ( <span class="gd">- qw(builddependsonly essential nosourcedirectory updateconfigguess updatelibtool updatepod noperltests usemaxbuildjobs buildasnobody),</span> <span class="gi">+ qw(builddependsonly essential nosourcedirectory updateconfigguess updatelibtool updatepod noperltests usemaxbuildjobs buildasnobody nosandbox),</span> map {"noset".$_} @set_vars ); <span class="gu">@@ -198,6 +198,7 @@</span> 'noperltests', 'usemaxbuildjobs', 'buildasnobody', <span class="gi">+ 'nosandbox',</span> # install phase: 'updatepod', 'installscript', <span class="gh">diff -uNr fink-0.41.0.orig/setup.sh fink-0.41.0/setup.sh</span> <span class="gd">--- fink-0.41.0.orig/setup.sh 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/setup.sh 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -70,6 +70,10 @@</span> | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \ &gt;fink.conf.5 <span class="gi">+sed "s|@PREFIX@|$basepath|g" &lt;fink.sb.5.in \</span> <span class="gi">+ | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \</span> <span class="gi">+ &gt;fink.sb.5</span> <span class="gi">+</span> echo "Creating shlibs default file..." sed "s|@PREFIX@|$basepath|g" &lt;shlibs.default.in &gt;shlibs.default </pre></div> </div>Jack HowarthFri, 11 Nov 2016 13:21:29 -0000https://sourceforge.net258550504ccb403a4848267e28a37471a8043af9https://sourceforge.net/p/fink/patches/161/?limit=25#3ade<div class="markdown_content"><p>Note that the actual pull request against fink git master exists at <a class="" href="https://github.com/fink/fink/pull/135/files" rel="nofollow">https://github.com/fink/fink/pull/135/files</a></p> <p>The same set of changes appliable against the last fink 0.41.0 release are attached</p></div>Jack HowarthFri, 11 Nov 2016 13:20:16 -0000https://sourceforge.net900aa2d39f7979d362b6d6db4b853d62e30e9b48https://sourceforge.net/p/fink/patches/161/?limit=25#2515<div class="markdown_content"><p>Latest patch with manpage correction for fink.sb.5.in.</p></div>Jack HowarthWed, 09 Nov 2016 00:49:10 -0000https://sourceforge.net49f085bec3e7ba190ce3192f884bf843ec52c852https://sourceforge.net/p/fink/patches/161/?limit=25#97a7<div class="markdown_content"><p>This patch supplants the previously proposed one from <a href="https://sourceforge.net/p/fink/patches/160/.">https://sourceforge.net/p/fink/patches/160/.</a></p></div>Jack HowarthMon, 07 Nov 2016 04:02:00 -0000https://sourceforge.net25ccac5012358a745a117e06aeba642cebbd9269https://sourceforge.net/p/fink/patches/161/?limit=25#4854<div class="markdown_content"><p>The changes from the fink 0.41.0 release.are..</p> <div class="codehilite"><pre><span class="gh">diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST</span> <span class="gd">--- fink-0.41.0.orig/MANIFEST 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/MANIFEST 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -24,6 +24,8 @@</span> fink.8.in fink.conf.5.in fink.csh <span class="gi">+fink.sb</span> <span class="gi">+fink.sb.5.in</span> fink.sh images/finkDoneFailed.png images/finkDonePassed.png <span class="gh">diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in</span> <span class="gd">--- fink-0.41.0.orig/fink.8.in 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/fink.8.in 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -103,6 +103,14 @@</span> .It Cm --no-build-as-nobody Force the the unpack, patch, compile, and install phases to be performed as root. <span class="gi">+.It Cm --build-in-sandbox</span> <span class="gi">+Execute packaging within a sandbox which blacklists read access to </span> <span class="gi">+those directories listed in</span> <span class="gi">+.Pa @PREFIX@/etc/fink.sb.</span> <span class="gi">+.It Cm --no-build-in-sandbox</span> <span class="gi">+Don't execute within a sandbox, opposite of the</span> <span class="gi">+.Cm --build-in-sandbox</span> <span class="gi">+flag.</span> .It Cm -m, --maintainer Perform actions useful to package maintainers: run validation on the .info file before building and on the .deb after building a <span class="gh">diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb</span> <span class="gd">--- fink-0.41.0.orig/fink.sb 1969-12-31 19:00:00.000000000 -0500</span> <span class="gi">+++ fink-0.41.0/fink.sb 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -0,0 +1,2 @@</span> <span class="gi">+/usr/local</span> <span class="gi">+/opt/local</span> <span class="gh">diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in</span> <span class="gd">--- fink-0.41.0.orig/fink.sb.5.in 1969-12-31 19:00:00.000000000 -0500</span> <span class="gi">+++ fink-0.41.0/fink.sb.5.in 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -0,0 +1,56 @@</span> <span class="gi">+.\" -*- nroff -*-</span> <span class="gi">+.Dd November 2011</span> <span class="gi">+.Dt FINK.SB 5</span> <span class="gi">+.Sh NAME</span> <span class="gi">+.Nm fink.sb</span> <span class="gi">+.Nd sandboxing configuration file for</span> <span class="gi">+.Xr fink 8</span> <span class="gi">+.Sh SYNOPSIS</span> <span class="gi">+@PREFIX@/etc/fink.sb</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" DESCRIPTION</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh DESCRIPTION</span> <span class="gi">+When</span> <span class="gi">+.Xr fink 8</span> <span class="gi">+is initially installed it prompts you for whether you wish to enable the</span> <span class="gi">+building of packages within a protected sandbox which blacklists access to</span> <span class="gi">+those directories listed in</span> <span class="gi">+.Nm</span> <span class="gi">+by hand. In general, these options are meant for advanced users only.</span> <span class="gi">+.Pp</span> <span class="gi">+Your</span> <span class="gi">+.Nm</span> <span class="gi">+defaults to blacklisting the following directories</span> <span class="gi">+.Bl -tag -width flag -offset indent -compact</span> <span class="gi">+.It /usr/local</span> <span class="gi">+.It /opt/local</span> <span class="gi">+.El</span> <span class="gi">+.Pp</span> <span class="gi">+The blacklisted directories appear one per line in the file.</span> <span class="gi">+.El</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" AUTHOR</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh AUTHOR</span> <span class="gi">+This manpage is maintained by the Fink Core Group &lt;fink-core@lists.sourceforge.net&gt;.</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" ACKNOWLEDGEMENTS</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh ACKNOWLEDGEMENTS</span> <span class="gi">+.Nm fink</span> <span class="gi">+is developed and maintained by The Fink Project (http://www.finkproject.org).</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.\" SEE ALSO</span> <span class="gi">+.\"</span> <span class="gi">+.\"</span> <span class="gi">+.Sh "SEE ALSO"</span> <span class="gi">+.Xr apt-get 8 ,</span> <span class="gi">+.Xr fink 8</span> <span class="gh">diff -uNr fink-0.41.0.orig/install.sh fink-0.41.0/install.sh</span> <span class="gd">--- fink-0.41.0.orig/install.sh 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/install.sh 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -70,8 +70,10 @@</span> install -c -p -m 755 postinstall.pl "$basepath/lib/fink/" install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/" <span class="gi">+install -c -p -m 644 fink.sb "$basepath/etc/"</span> install -c -p -m 644 fink.8 "$basepath/share/man/man8/" install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/" <span class="gi">+install -c -p -m 644 fink.sb.5 "$basepath/share/man/man5/"</span> install -c -p -m 644 images/*.png "$basepath/share/fink/images/" # copy executables <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm fink-0.41.0/perlmod/Fink/Bootstrap.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Bootstrap.pm 2016-11-06 18:58:41.000000000 -0500</span> <span class="gu">@@ -500,6 +500,8 @@</span> Fink::Config::set_options( { 'use_binary' =&gt; -1 }); # bootstrap as root Fink::Config::set_options( { 'build_as_nobody' =&gt; 0 }); <span class="gi">+ # don't use sandbox during bootstrap</span> <span class="gi">+ Fink::Config::set_options( { 'build_in_sandbox' =&gt; 0 });</span> # make sure we have the package descriptions Fink::Package-&gt;require_packages(); <span class="gu">@@ -581,6 +583,8 @@</span> # bootstrap as root Fink::Config::set_options( { 'build_as_nobody' =&gt; 0 }); <span class="gi">+ # don't use sandbox during bootstrap</span> <span class="gi">+ Fink::Config::set_options( { 'build_in_sandbox' =&gt; 0 });</span> # use normal install routines, but do not use buildlocks Fink::Config::set_options( { 'no_buildlock' =&gt; 1 } ); Fink::Engine::cmd_install(@elist, @addlist); <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Config.pm fink-0.41.0/perlmod/Fink/Config.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Config.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Config.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -219,6 +219,7 @@</span> map( { $_ =&gt; 0 } qw(dontask interactive verbosity keep_build keep_root maintainermode showversion use_binary) ), map( { $_ =&gt; 1 } qw(build_as_nobody) ), <span class="gi">+ map( { $_ =&gt; -1 } qw(build_in_sandbox) ),</span> map( { $_ =&gt; "" } qw(tests validate) ), map ( { $_ =&gt; [] } qw(include_trees exclude_trees) ), map( { $_ =&gt; -1 } qw(use_binary) ), <span class="gu">@@ -272,6 +273,7 @@</span> 'download pre-compiled packages from the binary distribution ' . 'if available' ], [ 'build-as-nobody!' =&gt; \$opts{build_as_nobody}, 'see man page' ], <span class="gi">+ [ 'build-in-sandbox!' =&gt; \$opts{build_in_sandbox}, 'see man page' ],</span> [ 'maintainer|m' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], [ 'tests:s' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], [ 'validate:s' =&gt; sub {set_checking_opts(\%opts, @_);}, 'see man page' ], <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/PkgVersion.pm fink-0.41.0/perlmod/Fink/PkgVersion.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/PkgVersion.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/PkgVersion.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -4036,6 +4036,9 @@</span> } } <span class="gi">+ # switch everything back to sandbox builds if we were --build-in-sandbox</span> <span class="gi">+ my $build_wo_sandbox = $self-&gt;get_family_parent()-&gt;param_boolean("NoSandbox", 0);</span> <span class="gi">+</span> # put the info file into the debian directory if (-d "$destdir/DEBIAN") { my $infofile = $self-&gt;get_filename(); <span class="gu">@@ -5218,6 +5221,7 @@</span> my $phase = shift; my $no_expand = shift || 0; my $nonroot_okay = shift || 0; <span class="gi">+ my $no_sandbox_okay = shift || 0;</span> my $ignore_result = shift || 0; # Expand percent shortcuts <span class="gu">@@ -5227,10 +5231,13 @@</span> my $result; # Don't build as nobody if BuildAsNobody: false my $build_as_nobody = $self-&gt;get_family_parent()-&gt;param_boolean("BuildAsNobody", 1); <span class="gi">+ # Build in sandbox if NoSandbox: false</span> <span class="gi">+ my $build_wo_sandbox = $self-&gt;get_family_parent()-&gt;param_boolean("NoSandbox", 0);</span> $nonroot_okay = $nonroot_okay &amp;&amp; $build_as_nobody; <span class="gi">+ $no_sandbox_okay = $build_wo_sandbox;</span> { local %ENV = %{$self-&gt;get_env($phase)}; <span class="gd">- $result = &amp;execute($script, nonroot_okay=&gt;$nonroot_okay);</span> <span class="gi">+ $result = &amp;execute($script, nonroot_okay=&gt;$nonroot_okay, no_sandbox_okay=&gt;$no_sandbox_okay);</span> } if ($result and !$ignore_result) { $self-&gt;package_error( phase =&gt; $phase ); <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Services.pm fink-0.41.0/perlmod/Fink/Services.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Services.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Services.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -514,6 +514,11 @@</span> the --build-as-nobody flag, drop to user=nobody when running the actual commands. <span class="gi">+=item no_sandbox_okay</span> <span class="gi">+</span> <span class="gi">+If the value of the option 'no_sandbox_okay' is true, fink was run with</span> <span class="gi">+the --no-build-in-sandbox flag.</span> <span class="gi">+</span> =item delete_tempfile Whether to delete temp-files that are created. The following values <span class="gu">@@ -594,6 +599,33 @@</span> @wrap = map "$_=$ENV{$_}", sort keys %ENV; push @wrap, "__CFPREFERENCES_AVOID_DAEMON=1"; unshift @wrap, 'env' if @wrap; <span class="gi">+ my $runtime_request = Fink::Config::get_option("build_in_sandbox");</span> <span class="gi">+ my $sandbox_request;</span> <span class="gi">+ if ($runtime_request == 1) { # --build-in-sandbox </span> <span class="gi">+ $sandbox_request = 1;</span> <span class="gi">+ } elsif ($runtime_request == 0) { # -no-build-in-sandbox </span> <span class="gi">+ $sandbox_request = 0;</span> <span class="gi">+ } elsif ($options{'no_sandbox_okay'}) { # NoSandbox: true in info file</span> <span class="gi">+ $sandbox_request = 0;</span> <span class="gi">+ } else {</span> <span class="gi">+ $sandbox_request = 1;</span> <span class="gi">+ }</span> <span class="gi">+ if ( $sandbox_request ) {</span> <span class="gi">+ my $sandbox = "$Fink::Config::basepath/etc/fink.sb";</span> <span class="gi">+ if (open my $info, $sandbox) {</span> <span class="gi">+ my $sandbox_profile = "(version 1) \n";</span> <span class="gi">+ $sandbox_profile .= "(allow default) \n";</span> <span class="gi">+ $sandbox_profile .= "(deny file* \n";</span> <span class="gi">+ while( my $line = &lt;$info&gt;) {</span> <span class="gi">+ chomp $line;</span> <span class="gi">+ $sandbox_profile .= "\t(subpath \"".$line."\"\)\n";</span> <span class="gi">+ }</span> <span class="gi">+ $sandbox_profile .= "\)\n";</span> <span class="gi">+ close $info;</span> <span class="gi">+ print STDERR $sandbox_profile, "\n" if ($options{debug});</span> <span class="gi">+ @wrap = (qw| sandbox-exec -p |, $sandbox_profile, @wrap) if -f $sandbox;</span> <span class="gi">+ }</span> <span class="gi">+ }</span> my $sudo_cmd = "sudo -u " . Fink::Config::build_as_user_group()-&gt;{'user'}; @wrap = (split(' ', $sudo_cmd), @wrap, qw/ sh -c /); $wrap_token = "$sudo_cmd [ENV] sh -c "; <span class="gh">diff -uNr fink-0.41.0.orig/perlmod/Fink/Validation.pm fink-0.41.0/perlmod/Fink/Validation.pm</span> <span class="gd">--- fink-0.41.0.orig/perlmod/Fink/Validation.pm 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/perlmod/Fink/Validation.pm 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -66,7 +66,7 @@</span> # All fields that expect a boolean value our %boolean_fields = map {$_, 1} ( <span class="gd">- qw(builddependsonly essential nosourcedirectory updateconfigguess updatelibtool updatepod noperltests usemaxbuildjobs buildasnobody),</span> <span class="gi">+ qw(builddependsonly essential nosourcedirectory updateconfigguess updatelibtool updatepod noperltests usemaxbuildjobs buildasnobody nosandbox),</span> map {"noset".$_} @set_vars ); <span class="gu">@@ -198,6 +198,7 @@</span> 'noperltests', 'usemaxbuildjobs', 'buildasnobody', <span class="gi">+ 'nosandbox',</span> # install phase: 'updatepod', 'installscript', <span class="gh">diff -uNr fink-0.41.0.orig/setup.sh fink-0.41.0/setup.sh</span> <span class="gd">--- fink-0.41.0.orig/setup.sh 2016-09-20 14:16:24.000000000 -0400</span> <span class="gi">+++ fink-0.41.0/setup.sh 2016-11-06 18:40:34.000000000 -0500</span> <span class="gu">@@ -70,6 +70,10 @@</span> | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \ &gt;fink.conf.5 <span class="gi">+sed "s|@PREFIX@|$basepath|g" &lt;fink.sb.5.in \</span> <span class="gi">+ | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \</span> <span class="gi">+ &gt;fink.sb.5</span> <span class="gi">+</span> echo "Creating shlibs default file..." sed "s|@PREFIX@|$basepath|g" &lt;shlibs.default.in &gt;shlibs.default </pre></div> </div>Jack HowarthMon, 07 Nov 2016 03:59:18 -0000https://sourceforge.net0839c050326d514089e0c86e32179a770779644ehttps://sourceforge.net/p/fink/patches/161/?limit=25#c365<div class="markdown_content"><p>Patch file generated against the fink 0.41.0 release.</p></div>Jack HowarthMon, 07 Nov 2016 03:58:06 -0000https://sourceforge.net682b5a8451bb54584e49553a268ca3e22c9355ffhttps://sourceforge.net/p/fink/patches/161/<div class="markdown_content"><p>The attached patch reworks the previously proposed sandboxing support by...</p> <p>1) Enabling the sandbox usage by default (except during fink bootstraps)<br/> 2) Adding a 'NoSandbox' field for the Info files which can be used to<br/> disable the sandbox on a per package basis.<br/> 3) Retaining the --build-in-sandbox/--no-build-in-sandbox fink flags<br/> which override the other settings.</p> <p>The --no-build-in-sandbox fink flag can be used to disable the sandbox<br/> in any fink build while the --build-in-sandbox fink flag can be used<br/> to override 'NoSandbox: true' in a particular info file.</p> <p>The attached fink_sandboxing_v3.diff, applied to stock fink-0.41.0,<br/> has been verified to bootstrap on 10.11 and exhibit the behaviors<br/> described above.</p></div>Jack HowarthMon, 07 Nov 2016 03:57:10 -0000https://sourceforge.netdd8987a4e407cc619819652cd25bab0ba366b396