add new sudo= build field for per-build buildserver customization
The buildserver has for a long time supported password-less sudo calls. This is secure since the buildserver is reset to the initial snapshot after each build, so no modifications are ever saved after a build completes. There are many cases where an app or even a single build of an app requires specific setups that likely conflict with other apps' setups. That means there can never be one buildserver setup that will build all apps.
To solve this issue, I propose adding a new build field sudo=. It is a list of command lines that are run with sudo before any other step of the build process. The commands in sudo= are only ever run in the buildserver, so when someone runs fdroid build without a buildserver set up, sudo= will be ignored, and a warning will be printed out in the terminal that the build requires setup.
This was discussed a lot in #fdroid-dev. One idea was to have packages= which would then be fed to apt install or ansible's package install routine. But that would leave out a lot of important use cases:
- pip, npm, etc.
- wget-based install like for Qt, Kivy, Cordova, etc.
- different apt repos or PPAs, e.g. for different versions of Rust
This is not a replacement for the way things currently work; the vast majority of apps should never need to use sudo=. This will allow us to include apps with new build setups like for Rust or Cordova, while learning how best to support them in the buildserver as a standard part of the buildserver setup.
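The ordering and skip-with-warning behaviour described above, as an added sketch that is not code from fdroidserver or from this proposal. The function name `plan_build_steps`, the dict layout of the build entry and the sample commands are assumptions made for illustration; the function only plans the steps and runs nothing.

```python
import logging

log = logging.getLogger("sudo_field_example")

# Constructed sample build entry; the dict layout is an assumption for this example.
SAMPLE_BUILD = {
    "versionName": "1.0",
    "sudo": ["apt-get update", "apt-get install -y rustc"],
    "prebuild": ["./fetch-deps.sh"],
    "build": ["./gradlew assembleRelease"],
}


def plan_build_steps(build, on_buildserver):
    """Return (steps, warnings): ordered (phase, command) pairs for one build.

    sudo= entries come first, and only when running inside the buildserver,
    which is reset to its snapshot afterwards. Anywhere else they are skipped
    and a warning states that the build requires setup.
    """
    steps, warnings = [], []
    sudo_cmds = build.get("sudo") or []
    if isinstance(sudo_cmds, str):  # tolerate a single command line
        sudo_cmds = [sudo_cmds]
    if sudo_cmds and on_buildserver:
        steps.extend(("sudo", cmd) for cmd in sudo_cmds)
    elif sudo_cmds:
        msg = "build %s requires setup: %d sudo= command(s) skipped" % (
            build.get("versionName", "?"), len(sudo_cmds))
        log.warning(msg)
        warnings.append(msg)
    # Remaining phases keep their usual order after any sudo= commands.
    for phase in ("prebuild", "build"):
        steps.extend((phase, cmd) for cmd in build.get(phase) or [])
    return steps, warnings


if __name__ == "__main__":
    for on_server in (True, False):
        steps, warnings = plan_build_steps(SAMPLE_BUILD, on_server)
        print("buildserver" if on_server else "local", steps, warnings)
```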