Prepare now

# open slides
xdg-open http://bit.ly/PJUMHe
# adapt for your installed distribution
zypper ar http://download.opensuse.org/repositories/openSUSE:/Tools/openSUSE_13.1/openSUSE:Tools.repo
zypper ref
zypper in --from openSUSE_Tools osc build
zypper in quilt spec-cleaner
# if you want to follow the code examples
osc co home:darix:workshop
# need an account?
xdg-open https://bit.ly/opensuse_create_account

Packaging

Yes we can!

Created by Marcus Rückert or just darix ;)

About me

  • S.u.S.E. user since 5.1
  • With SuSE since 2005
  • Packaging for about 11 years
  • Doing package reviews at SUSE and packager support for almost my whole time there

Let's install something

The usual ...


tar xf librelp-1.2.5.tar.gz
cd librelp-1.2.5
./configure
make && make install

... which begs the question

Do you really want every one of our users to have to go through that?

But packaging is hard

Actually it is not. Let's start with a new spec file.

Working

Licenses

  • You can try to ignore them for private stuff, but if you want it in Factory our legal team will have a word with you if you try
  • Licenses can actually make it impossible to legally ship software
  • Look for the license of the package in the source tarball (LICENSE/COPYING/README) or on the website of the source
  • If the license information is missing or conflicting → contact upstream (email/bug)
  • Use SPDX format for licenses

Take aways #1 (The preamble)

  • vim foo.spec will create a new spec file skeleton for you.
  • Version should reflect what is in the main tarball.
  • Leave release at 0
  • Name, Version and Release tag define macros, which you can use in the spec.
  • Use SPDX format for licenses

Preparation is key!

Take away #2 (%prep)

  • "tar xf librelp-1.2.5.tar.gz" becomes "%setup"
  • Apply patches
  • Fix permissions
  • Do not call autotools or configure
  • When done the unpacked source should be ready for the next steps

Building blocks

Take away #3 (%build)

  • "./configure" becomes %configure.
  • Using %{?_smp_mflags} can speed up your build a lot.
  • When done all the binaries and files you want to install should be created.

Install all the things

Somewhat

Take away #4 (%install)

  • %make_install is not usable on older distros yet; when in doubt, use make install DESTDIR="%{buildroot}"
  • You need to copy all the files you want to see in the package into the buildroot.
  • Documentation in /usr/share/doc/packages/$pkgname is special (%doc in %files)

First build

Always fails, so don't worry.

Take away #5 (Getting it building)

  • "osc repos" to see what we can build for.
  • "osc build openSUSE_13.1 x86_64"
  • "pkgconfig($libraryname)" for portability, except for older distributions.
  • Use a verbose build (V=1) to see the compiler command lines.
  • Building in a minimal build environment makes sure your builds don't pick up libraries that you have installed but might not actually want to use. (Gentoo Wiki: Automagic Dependencies)

Take away #6 (%files)

  • As specific as needed, as general as possible
  • Use macros for the path names. (see "/usr/lib/rpm/macros")
  • "/path/to/dir/" will include the directory and all its content. If you don't want that, use "%dir".
  • use %attr($mode,$user,$group) to set permissions different from defaults
  • Ignore "/usr/lib/debug", it is handled by the debug package handling.
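
Take aways #1 to #6 put together for the librelp tarball from the "usual" install above. This is an added example, not the spec from the workshop repository. The License, Url, BuildRequires and file names in %files are assumptions to check against the tarball, and it stops before the sub-package split of take away #7.

```spec
# Added example; License, Url, BuildRequires and file list are assumptions.
Name:           librelp
Version:        1.2.5
Release:        0
Summary:        Library for the Reliable Event Logging Protocol (RELP)
License:        GPL-3.0+
Group:          Development/Libraries/C and C++
Url:            http://www.librelp.com/
Source:         %{name}-%{version}.tar.gz
# pkgconfig() names stay portable across distributions (take away #5)
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(gnutls)
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
librelp implements RELP, a protocol for reliable event log transport.

%prep
# replaces "tar xf librelp-1.2.5.tar.gz" and "cd librelp-1.2.5"
%setup -q

%build
# replaces "./configure"; the macro passes prefix, libdir and optflags
%configure --disable-static
# V=1 shows the full compiler command lines in the build log
make %{?_smp_mflags} V=1

%install
# portable form of the make_install macro for older distributions
make install DESTDIR="%{buildroot}"
# libtool archives are not shipped
find %{buildroot} -type f -name "*.la" -delete

%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig

%files
%defattr(-,root,root)
%doc COPYING
%{_libdir}/librelp.so*
%{_includedir}/*.h
%{_libdir}/pkgconfig/*.pc

%changelog
```

Comments in a spec file avoid the % sign on purpose: rpm expands macros inside comments too.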

Almost but not quite

Take away #7 (sub packages)

Yes there are some rules.

General

  • Packaging Guidelines
  • Are valid for openSUSE and SLES
  • They are meant to make our life easier (as packager, reviewer and user)

Changes file

Packaging for your favorite language/software stack

  • For many languages we already have guidelines or even tools (gem2rpm, py2pack)
  • Your favorite language is missing? Look how other distros are solving it. Maybe we can adapt their tooling/documentation for it.

Security Matters

  • Create a separate user/group for your package. Most of the time your daemon does not need root to run.
  • Minimize permissions, e.g.
      Config files: root:$group 0640
      Runtime data (usually in /var/lib/$pkgname): $user:$group 0700
  • Configure daemon to drop root privs and run as the user you created

Security Still Matters

  • Network listen? bind to localhost by default
  • Make sure the default configuration is safe
  • Provide AppArmor/SELinux profiles for your program
  • Enable compiler security measures for everything that talks to the network (server and client).

export LDFLAGS="-Wl,-z,relro,-z,now -pie"
export CFLAGS="%{optflags} -fPIE -pie"
export CXXFLAGS="%{optflags} -fPIE -pie"
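
How the two security slides land in a spec file, as an added example that is not part of the original slides. The daemon "exampled", its config file and its license are hypothetical; the user and group are named after the package.

```spec
# Added example: hypothetical daemon "exampled"; every name is illustrative.
Name:           exampled
Version:        1.0
Release:        0
Summary:        Example network daemon
License:        MIT
Group:          System/Daemons
Source:         %{name}-%{version}.tar.gz
Requires(pre):  /usr/sbin/groupadd
Requires(pre):  /usr/sbin/useradd
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Example daemon that runs as its own unprivileged user.

%prep
%setup -q

%build
# full RELRO, immediate binding and PIE, as on the slide
export LDFLAGS="-Wl,-z,relro,-z,now -pie"
export CFLAGS="%{optflags} -fPIE -pie"
export CXXFLAGS="%{optflags} -fPIE -pie"
%configure
make %{?_smp_mflags}

%install
make install DESTDIR="%{buildroot}"
install -d -m 0700 %{buildroot}%{_localstatedir}/lib/%{name}
install -D -m 0640 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf

%pre
# system group and user without a login shell; safe to re-run on upgrade
getent group %{name} >/dev/null || groupadd -r %{name}
getent passwd %{name} >/dev/null || useradd -r -g %{name} \
  -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "%{name} daemon" %{name}

%files
%defattr(-,root,root)
%{_sbindir}/%{name}
# config: root:$group 0640, readable by the daemon, writable only by root
%config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/%{name}.conf
# runtime data: $user:$group 0700
%dir %attr(0700,%{name},%{name}) %{_localstatedir}/lib/%{name}

%changelog
```

Running `rpm -qplv` on the built package lists mode, owner and group per file, which confirms that the %attr lines took effect.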

Tools

Open Build Service

  • Supports deb/rpm/archlinux/windows
  • More than just a packaging platform
  • Manages complete life cycle for our distribution (package/image building, maintenance)
  • Collaboration platform
  • Open source, so you can run your own as well

osc

  • zypper in osc
  • command line client for the OBS
  • available also for other distros and operating systems

Quilt

  • zypper in quilt
  • managing stacks of patches
  • Quilt: A really quick howto
  • If you maintain your patches in your favorite SCM (git,svn...) you can also just export the patch series from that

spec-cleaner

  • zypper in spec-cleaner
  • Having a common style is important to make it easier to contribute
  • Don't like the format? Discuss it on the opensuse-packaging mailing list

Communication & Collaboration

  • Obvious, you would say?
  • The number of duplicate packages seems to imply otherwise
  • Talk to people, push your fixes/changes back so others can benefit from them too.
  • Also to upstream.
  • If you are an upstream dev and see a packager doing something not so smart, talk to them.

Gimme more

All the information in one place

Q & A

Thank you for flying with openSUSE