From NetBSD Wiki

This article contains ideas for projects that improve either pkgsrc itself or the generated packages.

Contents 1 Use the MIPSpro compiler to increase the pkgsrc code quality 2 Make sure that all packages accept the CFLAGS from the pkgsrc user 3 Make all packages use normalized file permissions 4 See also

Use the MIPSpro compiler to increase the pkgsrc code quality

The MIPSpro user can select for each of the diagnostics whether it should be suppressed, a remark, a warning or an error. We could develop a useful set of diagnostics that every package should pass and make them errors. A good starting point would be to make all diagnostics errors and then decide which ones should be allowed.

First result: Configuring sysutils/mc is possible with the following settings:

# 1110: The indicated statement is not reachable.
# 1174: The %n was declared but never referenced.
# 1196: The indicated function is declared implicitly.
# 1209: The controlling expression is constant.
# 1498: There is no prototype for the call to %1.
# 1551: The %n is used before its value is set.
# 1552: The %n is set but never used.
_WRAP_EXTRA_ARGS.CC+=   -diag_error 1-10000 -diag_warning 1110,1174,1196,1209,1498,1551,1552

Warning: This project involves sending many patches to the upstream authors.

If you don't have access to a MIPSpro compiler, another possibility is to write a wrapper around gcc that analyzes the warnings from stderr and converts some of them to errors. A possible wrapper might look like this:

#! /bin/sh
err="$HOME/tmp/compiler-err-$$"
/usr/bin/cc "$@" 2>"$err"
status=$?
sed -f "$HOME/warnings-to-errors.sed" < "$err" > "$err.2"
cmp -s "$err" "$err.2" || status=1
rm -f "$err" "$err.2"
exit $status

The remaining task is to write a good warnings-to-errors.sed script.

Make sure that all packages accept the CFLAGS from the pkgsrc user

The pkgsrc user can set his own CFLAGS and CXXFLAGS in mk.conf to influence the optimization and the generated diagnostics. Not all packages use those settings.

See also:

• Examples_for_pkgsrc-specific_mk.conf_files#Checking_whether_packages_accept_user-settable_CFLAGS

Make all packages use normalized file permissions

Currently, packages may install files with whatever permissions they like. There is sysutils/checkperms, which does a good job at finding many inconsistencies, but it would be better to have stricter permissions:

• 6555, 4555 or 2555 for all set-uid or set-gid executable files. Since they are published in binary packages that everyone can download, there is no point in making them unreadable for anyone.
• 0555 for all executable files.
• 0444 for all other files.
• 0755 for all directories.

All permissions that deviate from the above must be explicitly specified in the package Makefile or the PLIST. (TODO: How?)

The ownership of most files doesn't matter, since all users have the same permissions on them. Therefore, it should be possible to manage the binary packages as an ordinary user and to use just-in-time-su for installing the set-uid and set-gid files, for which the ownership matters.

For set-uid and set-gid binaries there are cases when the owner or the group cannot be changed due to insufficient permissions. For example, sudo without the set-uid bit is useless. That file should therefore have the permissions 444 until the correct permissions are set, probably by root. Other set-uid programs are partly usable when they do not have the set-uid bit set. These should be installed with permissions 0555 by default.

See also

• http://www.netbsd.org/contrib/projects.html#pkgsrc