Turns out that it is surprisingly easy to build most packages without (fake)root. You just need to basic changes:
- A way to set ownership to “root:root” of paths when dpkg-deb –build constructs the binary.
- A way to have debhelper not do a bunch of (now) pointless chowns to “root:root”.
The above is sufficient for dpkg, debhelper, lintian, apt-file, mscgen, pbuilder and a long list of other packages that only provide paths owned by “root:root”. Obviously, packages differ and yours might need more tweaks than this (e.g. dh_usrlocal had to change behaviour to support this).
But for me, the best part is that the above is not just some random prototype stuck in two git repos on alioth:
- dpkg and debhelper in unstable have all the bits required to do this and only requires you to opt-in via the “Rules-Requires-Root”-field (R³) after doing all the necessary tweaks (if any). Most of the above listed packages have actually already opted in by just adding the R³-field.
- Guillem and I have posted an RFC for specification of “Rules-Requires-Root”-field that describes the field and what it is expected from you as a “Debian package maintainer”, a “packaging-tool maintainer” and a “package builder”. Review of this specification is very welcome.
- The implementations in dpkg and debhelper are generally safe for backporters. While YMMV, we expect that the vast majority will find that backporting an R³=no package just works™.
- Before you upload any R³-related changes to unstable, please note that the specification and implementations are still subject to changes (assuming there are any concerns with either). That said, I believe that it is unlikely that there will be fundamental changes to the basic “R³=no” variant. Accordingly, I have started to opt-in in my packages. 🙂
Unfortunately, if you are working with games or core packages like shadow with need for static ownership different from “root:root” (usually with a setuid or setgid bit), then our first implementation does not support your needs at the moment. We are working on a separate way to solve static ownership in a declarative way.
 Note regarding “/usr/local”: If your package needs to provide directories there owned by “root:staff” with mode 02775, then dh_usrlocal can handle that. The non-“root:root” ownership here works because the directories are created in a maintainer script run as root during installation. Unfortunately, it cannot provide different ownership or modes with “R³ != binary-targets” at the moment.