Merge remote-tracking branch 'qubesos/pr/63'

* qubesos/pr/63:
  archlinux: restore setup of pam.d/su-l
  archlinux: remove python3 dependency
  archlinux: ensure [options] section is present in all pacman drop-ins
  archlinux: enforce usage of python2 in all scripts
  Makefile: avoid using python interpreter as a static name
  archlinux: create user 'user' using bash by default instead of zsh
  archlinux: ship pam.d/qrexec as a replacement of using su
  archlinux: do not mess with locales in post-install script
  archlinux: remove pam configuration for su and su-l
  archlinux: remove deprecated setup of pam since v4.0.3
  Add the 4.0 repo to the PKGBUILD sources list
  Restore the binary pacman repo and update it for QubesOS 4.0
  Fix the makefile for archlinux - SBINDIR is already /usr/bin
  Update the arch PKGBUILD script for QubesOS 4.0

Makefile

@@ -9,7 +9,7 @@ BINDIR ?= /usr/bin
 LIBDIR ?= /usr/lib
 SYSLIBDIR ?= /lib
 
-PYTHON = /usr/bin/python2
+PYTHON ?= /usr/bin/python2
 PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'`
 PYTHON2_SITELIB = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib()'`
 PYTHON3_SITELIB = `python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())'`
@@ -171,9 +171,13 @@ install-common: install-doc
 	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
 
 	# force /usr/bin before /bin to have /usr/bin/python instead of /bin/python
-	PATH="/usr/bin:$(PATH)" python setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
+	PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR)
 	mkdir -p $(DESTDIR)$(SBINDIR)
+
+ifneq ($(SBINDIR),/usr/bin)
 	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
+endif
+
 
 	install -d -m 0750 $(DESTDIR)/etc/sudoers.d/
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes

archlinux/PKGBUILD

@@ -3,15 +3,15 @@
 # shellcheck disable=SC2034
 pkgname=qubes-vm-core
 pkgver=$(cat version)
-pkgrel=11
+pkgrel=13
 epoch=
 pkgdesc="The Qubes core files for installation inside a Qubes VM."
 arch=("x86_64")
 url="http://qubes-os.org/"
 license=('GPL')
 groups=()
-depends=("qubes-vm-utils>=3.1.3" python2 python3 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg)
-makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release)
+depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg)
+makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc)
 checkdepends=()
 optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer)
 provides=()
@@ -24,16 +24,16 @@ changelog=
 
 source=(
     PKGBUILD.qubes-ensure-lib-modules.service PKGBUILD.qubes-update-desktop-icons.hook
-    PKGBUILD-qubes-noupgrade.conf
-    PKGBUILD-qubes-repo-3.1.conf
+    PKGBUILD-qubes-pacman-options.conf
     PKGBUILD-qubes-repo-3.2.conf
+    PKGBUILD-qubes-repo-4.0.conf
 )
 
 noextract=()
 md5sums=(SKIP)
 
 build() {
-    for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version; do
+    for source in autostart-dropins qubes-rpc qrexec misc Makefile vm-init.d vm-systemd network init version doc setup.py qubesagent post-install.d; do
         # shellcheck disable=SC2154
         (ln -s "$srcdir/../$source" "$srcdir/$source")
     done
@@ -46,10 +46,10 @@ build() {
     sed 's:/bin/grep:grep:g' -i network/*
 
     # Force running all scripts with python2
-    sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i misc/*
-    sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i misc/*
-    sed 's:#!/usr/bin/python:#!/usr/bin/python2:' -i qubes-rpc/*
-    sed 's:#!/usr/bin/env python:#!/usr/bin/env python2:' -i qubes-rpc/*
+    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i misc/*
+    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i misc/*
+    sed 's:^#!/usr/bin/python.*:#!/usr/bin/python2:' -i qubes-rpc/*
+    sed 's:^#!/usr/bin/env python.*:#!/usr/bin/env python2:' -i qubes-rpc/*
 
     # Fix for archlinux sbindir
     sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock
@@ -65,7 +65,7 @@ package() {
     # shellcheck disable=SC2154
     make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib
 
-    make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
+    PYTHON=python2 make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux
 
     # Remove things non wanted in archlinux
     rm -r "$pkgdir/etc/yum"*
@@ -82,7 +82,7 @@ package() {
 
     # Install pacman.d drop-ins (at least 1 drop-in must be installed or pacman will fail)
     mkdir -p "${pkgdir}/etc/pacman.d"
-    install -m 644 "$srcdir/PKGBUILD-qubes-noupgrade.conf" "${pkgdir}/etc/pacman.d/10-qubes-noupgrade.conf"
+    install -m 644 "$srcdir/PKGBUILD-qubes-pacman-options.conf" "${pkgdir}/etc/pacman.d/10-qubes-options.conf"
 
     # Install pacman repository
     release=$(echo "$pkgver" | cut -d '.' -f 1,2)

archlinux/PKGBUILD-qubes-noupgrade.conf

@@ -1,3 +0,0 @@
-[options]
-NoUpgrade = etc/pam.d/su
-NoUpgrade = etc/pam.d/su-l

archlinux/PKGBUILD-qubes-pacman-options.conf

@@ -0,0 +1,2 @@
+[options]
+NoUpgrade = etc/pam.d/su-l

archlinux/PKGBUILD-qubes-repo-3.1.conf → archlinux/PKGBUILD-qubes-repo-4.0.conf

@@ -1,2 +1,2 @@
-[qubes-r3.1]
+[qubes-r4.0]
 Server = http://olivier.medoc.free.fr/archlinux/current

archlinux/PKGBUILD.install

@@ -12,7 +12,7 @@ update_default_user() {
     # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
     # See https://bugs.archlinux.org/task/31831
     id -u 'user' >/dev/null 2>&1 || {
-        useradd --user-group --create-home --shell /bin/zsh user
+        useradd --user-group --create-home --shell /bin/bash user
     }
     usermod -a --groups qubes user
 }
@@ -130,21 +130,6 @@ EOF
         done
     fi
 
-    # Make sure there is a default locale set so gnome-terminal will start
-    if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
-        touch /etc/locale.conf
-        echo "LANG=en_US.UTF-8" >> /etc/locale.conf
-    fi
-    # ... and make sure it is really generated
-    # This line is buggy as LANG can be set to LANG="en_US.UTF-8". The Quotes must be stripped
-    current_locale=$(grep LANG /etc/locale.conf|cut -f 2 -d = | tr -d '"')
-    if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
-        base=$(echo "$current_locale" | cut -f 1 -d .)
-        charmap=$(echo "$current_locale.UTF-8" | cut -f 2 -d .)
-        [ -n "$charmap" ] && charmap="-f $charmap"
-        # shellcheck disable=SC2086
-        localedef -i "$base" $charmap "$current_locale"
-    fi
 }
 
 ############################
@@ -331,24 +316,14 @@ update_finalize() {
     /usr/lib/qubes/update-proxy-configs
 
     # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
-    # Also remove pam_unix.so from su configuration
+    # This is required as qubes-gui agent calls xinit with su -l user without initializing properly
+    # the user session.
+    # pam_unix.so can also be removed from su configuration
     # as system-login (which include system-auth) already gives pam_unix.so
     # with more appropriate parameters (fix the missing nullok parameter)
-
     if grep -q pam_unix.so /etc/pam.d/su; then
         echo "Fixing pam.d"
-        cat <<EOF > /etc/pam.d/su
-#%PAM-1.0
-auth		sufficient	pam_rootok.so
-# Uncomment the following line to implicitly trust users in the "wheel" group.
-#auth		sufficient	pam_wheel.so trust use_uid
-# Uncomment the following line to require a user to be in the "wheel" group.
-#auth		required	pam_wheel.so use_uid
-auth		include		system-login
-account		include         system-login
-session		include		system-login
-EOF
-        cp /etc/pam.d/su /etc/pam.d/su-l
+	cp /etc/pam.d/qrexec /etc/pam.d/su-l
     fi
 
     # Archlinux specific: ensure tty1 is enabled

network/update-proxy-configs

@@ -121,7 +121,7 @@ if [ -d /etc/pacman.d ]; then
 ### All modifications here will be lost.
 ### If you want to override some of this settings, create another file under 
 ### /etc/pacman.d
-
+[options]
 XferCommand = http_proxy=$PROXY_ADDR /usr/bin/curl -C - -f %u > %o
 EOF
     else

qrexec/Makefile

@@ -21,6 +21,8 @@ install:
 	install qubes-rpc-multiplexer $(DESTDIR)/usr/lib/qubes
 ifeq ($(shell lsb_release -is), Debian)
 	install -D -m 0644 qrexec.pam.debian $(DESTDIR)/etc/pam.d/qrexec
+else ifeq ($(shell lsb_release -is), Arch)
+	install -D -m 0644 qrexec.pam.archlinux $(DESTDIR)/etc/pam.d/qrexec
 else
 	install -D -m 0644 qrexec.pam $(DESTDIR)/etc/pam.d/qrexec
 endif

qrexec/qrexec.pam.archlinux

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth		include		system-login
+account		include         system-login
+session		include		system-login