[TriLUG] rpm database question

[Jeremy Katz]

On Tuesday, November 20 2001, Tom Bryan said:
> then the .spec file isn't that hard.  Here's a trimmed down .spec file for a 
> basic postgresql install.  

Allow me to add some annotation just for the sake of doing so
 
> Summary: PostgreSQL, packaged for running and/or developing EcoAccess software
> Name: postgresql
> Version: 7.1.3
> Release: 1
> #BuildRoot: /var/tmp/
> Source0: postgresql-%{version}.tar.gz

It's nice if you reference this as
http://some.location.com/directory/%{name}-%{version}.tar.gz

Then people can look for updated pristine sources more easily.

> Copyright: BSD-style
> Group: Application/Database

To head off the obvious question which always comes up about groups,
"valid" groups are in /usr/share/doc/rpm-4.0.3/GROUPS

> Vendor: Yourself
> Packager: You again <email at goes.here>
> Provides: PostgreSQL

Does anything depend on PostgresSQL as opposed to postgresql?  Note that
a package automatically provides at least %{name} = %{version} as well
as any shared libs found with the find-provides script in /usr/lib/rpm

> %description
> Anyhting you want here
> 
> %prep
> # unpack the sources under /usr/src/redhat
> %setup -q -T -b 0 -n postgresql-%{version}
>  
> %build
> ./configure --prefix=/usr/local/postgresql-%{version}

Installing things in /usr/local via package management is a bad idea
IMHO, but that's just because I like to keep it so that I can blow away
/usr/local and not lose anything in my rpmdb.

> make
>  
> %install
> make install
> 
> %files
> %defattr(-,postgres,postgres)
> /usr/local/postgresql-%{version}

Do you really want all of the binaries to be owned by the postgres user?
This means if a postgres exploit occurs, they can easily trojan the
binaries.  eww :)

Cheers,

Jeremy

-- 
Jeremy Katz
katzj at linuxpower.org	| jlkatz at eos.ncsu.edu
http://linuxpower.org	| Developer, NCSU Realm Kit for Red Hat Linux
GPG fingerprint: 367E 8B6B 5E57 2BDB 972A 4D73 C83C B4E8 89FE 392D