Refactor PKGBUILD and Systemd unit

I initially totally missed that udp2raw is in extra already and thus created a PKGBUILD myself... 🙈 So, here are a few key changes of the PKGBUILD I created from scratch. I feel like the following differences could also benefit the official package:

  • udp2raw
    • Don't ship a make fast binary that is actually meant for development (make fast is without -O2, but with -ggdb), but use make dynamic instead
    • Remove udp2raw_script.sh fiddling around with the output of udp2raw -g to create iptables rules, but use the built-in udp2raw --gen-add and udp2raw --clear instead
    • Remove udp2raw.install and consequently the setcap call; I'm no expert in this matter, thus I might be wrong, but I don't think that this is the best approach, because it allows any unprivileged user to use udp2raw, and a flaw in udp2raw could thus allow any unprivileged user to gain CAP_NET_RAW and CAP_NET_ADMIN capabilities; using ambient capabilities is better, and the easiest way to use ambient capabilities is the Systemd unit; we should thus encourage users to always use the Systemd unit instead, users simply shouldn't try to do this manually
  • Systemd unit
    • Add ConditionFileNotEmpty to check whether the required udp2raw config actually exists
    • Don't order the Systemd service after network-online.target, but after network.target: udp2raw itself doesn't need the network to be "up", it might actually be part of what needs tbd for the network to get "up"
    • Don't let the Systemd service run udp2raw with User=nobody (which is deprecated), but use DynamicUser=yes instead
    • Replace the deprecated PermissionsStartOnly option by the + prefix
    • Lock down the execution environment of udp2raw as much as possible
  • Packaging and misc stuff
    • Fix pkgdesc in PKGBUILD
    • Add udp2raw's README.md to /usr/share/doc/udp2raw/
    • Add a .gitignore

Note (doesn't affect me personally, just noticed it): I think that we could add more arches here. Yes, I know, Arch only supports x86_64, but I feel like we could add them now in case Arch ever wants to officially support more arches.

WDYT?
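As an added illustration (not the merge request's own unit file, and not the one shipped in extra), the following template unit puts the points listed above together: ConditionFileNotEmpty on the instance config, ordering after network.target, DynamicUser=yes with ambient capabilities in place of setcap on the binary, the + prefix in place of PermissionsStartOnly, and a sandbox section. The binary path /usr/bin/udp2raw, the config location /etc/udp2raw/%i.conf, and udp2raw's --conf-file option for reading options from a file are assumptions; the sandbox directives are a starting point that should be checked against what udp2raw actually needs on the target system.

```ini
# Added example, not the MR's unit. Assumed: /usr/bin/udp2raw,
# /etc/udp2raw/%i.conf, and that udp2raw accepts --conf-file.
[Unit]
Description=udp2raw tunnel (%i)
Documentation=https://github.com/wangyu-/udp2raw
# Refuse to start when the instance config is missing or empty.
ConditionFileNotEmpty=/etc/udp2raw/%i.conf
# Only after network.target: udp2raw does not need the network to be "up".
After=network.target

[Service]
Type=simple
# Throwaway unprivileged UID/GID per run, instead of the deprecated User=nobody.
DynamicUser=yes
# Hand exactly the two capabilities raw-socket use needs to this process only,
# as ambient capabilities; a setcap'ed binary would give them to every local user.
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
# "+" runs these two commands with full privileges (replaces PermissionsStartOnly=)
# so udp2raw can add and remove its own iptables rules; ExecStart stays sandboxed.
ExecStartPre=+/usr/bin/udp2raw --conf-file /etc/udp2raw/%i.conf --gen-add
ExecStart=/usr/bin/udp2raw --conf-file /etc/udp2raw/%i.conf
ExecStopPost=+/usr/bin/udp2raw --clear
Restart=on-failure
RestartSec=5s

# Sandbox for the main process: read-only OS view, no home, private /tmp and /dev,
# no kernel tunables/modules/logs, no namespaces, no W+X memory, native ABI only.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# The config directory is the only non-OS path the service needs to read.
ReadOnlyPaths=/etc/udp2raw

[Install]
WantedBy=multi-user.target
```

With a config at /etc/udp2raw/foo.conf the instance is started with `systemctl enable --now udp2raw@foo.service`; `systemd-analyze security udp2raw@foo.service` then reports which exposure points the sandbox section still leaves open, which is a quick way to confirm that the lock-down is in effect rather than silently ignored.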