[Dev] [RFC/FYI] dbscripts plan, please read

Luke Shumaker lukeshu at lukeshu.com
Wed Apr 25 01:53:12 GMT 2018

TL;DR: Over the next 2 or more weeks, there will some changes in the
pacman repos/dbscripts.  Please keep an eye out for anything amiss,
and reply in this email thread.  This going smoothly depends on
packager feedback if something is wrong.

Hi all,

There are some changes to dbscripts that I've talked about forever.
They haven't happened yet because:
 1. dbscripts is gross and scary
 2. dbscripts is under-tested
 3. Mistakes can cause critical breakage for... everyone
 4. Each change seems to be blocked by a different change.

 1. I'm more familiar with dbscripts now than I ever have been
 2. The test-suite is more complete now than it ever has been (though
    db-import-pkg is not tested at all)
 3. I'll be really careful, including communicating changes.
 4. I have a plan (this plan).

This plan is small in scope, to enable the future evolution of


 - Have db-import-pkg use db-update & db-remove, rather than
   manipulating the repos directly.
 - Have proper user-separation, instead of having everything run as repo@


 1. Change: Adjust `db-import-pkg` to have separate `UPSTREAM`s of
    `packages` and `community`, rather than lumping them together in
    the `UPSTREAM=archlinux`.

    Rationale: `db-update` will need to be run with different
    `PKGPOOL`/`SRCPOOL` settings for these cases.

    Timeframe: tonight/tomorrow

 2. Change: Add
    files, symlink `config.local` → `config.local.parabola`.  Move
    `PKGREPOS`, `PKGPOOL`, `SRCPOOL` to these files.
    Rationale: Separate `DBSCRIPTS_CONFIG` files will need to exist to
    set the per-UPSTREAM `PKGPOOL`/`SRCPOOL` values.  This allows us
    to set them in a uniform way.  The `config.local` symlink allows
    us to preserve current behavior, for clients that don't set `DBSCRIPTS_CNFIG`
    Timeframe: tonight/tomorrow
 3. Change:
     a. Create a `repo` group on repo.parabola.nu
     b. Change the primary group of `repo`: `users` → `repo`
     c. `chgrp -R repo /srv/repo/main/`
     d. Ensure that the SGID bit is set on all directories in `/srv/repo/main/`

       All hackers' user accounts will automatically be members of the
       group (per `/etc/parabola-hackers.yml`).  Given the `002` umask
       that `db-functions` sets, write access to the repos will now be
       governed by membership in the `repo` NSS group, rather than
       restricted to the `repo` user (access to which is governed by
       the `repo` hackers.git group).

       This is a good idea, security-wise anyway; since `db-functions`
       runs `chmod g+w` the `.db` files, currently all local users have
       write access to the `.db` files.
       Packagers *should* then be able to adjust their
       `libretools.conf:REPODEST` to be
       `ssh://$LIBREUSER@repo.parabola.nu:1863/~/staging/` instead of
       This will be opt-in for a period, so that we can identify any
       issues before rolling the change out to all packagers.
       Doing user-separation for human packagers first, before doing
       it for db-import, allows us to limit large-scale breakage in
       case anything goes wrong, and ensures that a human is looking
       at what is going on during the initial days of it.
    Timeframe: tomorrow

 4. Change: Adjust librerelease to set
    Rationale: This needs to happen after the `config.local.parabola`
    file is created (step #1).  This will allow us to eventually
    remove the `config.local` symlink, once all packagers have
    upgraded to a version of libretools that has this.

    Timeframe: tomorrow

 5. Change: Include systemd files with dbscripts to run cron-jobs as
    systemd timers.
    Rationale: This will allow us to easily set User=, ProtectSystem=,
    and such, to enforce security policy, and ensure scripts are
    well-behaved (once we're ready for that).  It will also supply
    complete logs in the journal, for better debugging.
    Timeframe: in a few days

 6. Change:
      Rework `db-import-pkg` to set up a `db-update`-style staging
      directory, rather than manipulating the repos directly.  At this
      point, `db-import-pkg` is still running as `repo`.  However, set
      `ProtectSystem=strict`, limit it to a staging & scratch
      directory, and have it
          ssh localhost DBSCRIPTS_CONFIG=...${UPSTREAM} db-update
      to add/remove packages.  This will involve adding an ssh key for
    Rationale: Obviously, this is a primary objective.  Using
    ssh+ProtectSystem allows us to ensure that the objective is met.
    Concern: Currently, it rsyncs against the local repo, to avoid
    downloading up-to-date packages.  If not working in-place, it
    can't do that.  One solution is to copy (or hardlink?) the
    relevant directories from "$FTP_BASE" to "$WORKDIR".

    Timeframe: A few days after that
 7. Change: Adjust the default `libretools.conf:REPODEST` to be
    `ssh://$LIBREUSER@repo.parabola.nu:1863/~/staging/` instead of
    Rationale: This will change the user-separated `db-update` from
    opt-in to opt-out.
    DISRUPTION: This will make the default configuration unsuitable
    for packagers whose local username doesn't match their username in
    hackers.git.  They will need to manually adjust their
    `libretools.conf:REPODEST` to have the correct username.
    Timeframe: at least a week from now [NB: no sooner than 2018-05-01]

 8. Change: Add
    `db-import-{packages,community,archlinux32,archlinuxarm}` users,
    members of the `repo` group; have `db-import-pkg` run as them.
    Rationale: Mission accomplished
    Timeframe: at least a week after that [NB: no sooner than 2018-05-08]

Bonus: If someone is willing to help, we can have a copy of the new
version of `db-import-pkg` run against a shadow copy of the repos, and
generate daily reports on if the new version and old version disagree.

Comments?  Concerns?

Happy hacking,
~ Luke Shumaker

More information about the Dev mailing list