Import Debian changes 0.9.0-ok1

bubblewrap (0.9.0-ok1) nile; urgency=medium * Build for openKylin.
2024-04-24 09:11:58 +08:00 · 2024-04-24 09:11:58 +08:00 · 20b859454d
parent 015eefdf88
commit 20b859454d
27 changed files with 606 additions and 0 deletions
--- a/debian/50-bubblewrap.conf
+++ b/debian/50-bubblewrap.conf
@ -0,0 +1,10 @@
 # Enable unprivileged creation of new user namespaces in older Debian
 # kernels.
 #
 # If this is not desired, copy this file to
 # /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
 # to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
 #
 # For more details see https://deb.li/bubblewrap or
 # /usr/share/doc/bubblewrap/README.Debian
 kernel.unprivileged_userns_clone=1
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -0,0 +1,172 @@
 bubblewrap kernel requirements
 ==============================
 bubblewrap can be used by various parts of the system to run
 partially-trusted programs in a sandboxed environment where their impact
 on system security is reduced. For example:
 - Flatpak uses bubblewrap to run partially-trusted, user-installable
  apps in a sandboxed environment.
 - libgnome-desktop uses bubblewrap to run thumbnailers in a sandboxed
  environment, so that if there are security flaws in an image decoder
  used by a thumbnailer, the process of generating thumbnails for a
  maliciously crafted image cannot be used to attack the rest of the
  system.
 bubblewrap can also be used to run trusted programs in a different
 environment, for example with different shared libraries available:
 - Flatpak uses bubblewrap to run apps with a predictable library stack
  that does not match the rest of the system, even if those apps are
  trusted and so do not need to be sandboxed for security.
 - Steam uses bubblewrap to run some games with a predictable library
  stack that does not match the rest of the system.
 The necessary capabilities to do this can be obtained in one of two
 ways:
 - On kernels where unprivileged users can create new user namespaces,
  bubblewrap's bwrap executable can be an ordinary unprivileged program.
 - On kernels where this is not possible, bubblewrap will not work unless
  the /usr/bin/bwrap executable is setuid root. Some bubblewrap and Flatpak
  features will not work in this configuration for security reasons.
 Newer Debian kernels (Linux 5.10 and newer; Debian 11 and newer)
 ----------------------------------------------------------------
 Debian kernels since 5.10 allow unprivileged users to create new user
 namespaces. The bwrap executable can be made non-setuid on these kernels.
 By default, the bubblewrap package in Debian no longer installs a setuid
 root /usr/bin/bwrap executable.
 Ubuntu kernels (Ubuntu 18.04 and newer)
 ---------------------------------------
 Ubuntu kernels also allow unprivileged users to create new user
 namespaces. The bwrap executable can be made non-setuid on these kernels,
 and the Ubuntu bubblewrap package does not install a setuid executable.
 Older Debian kernels (Linux 5.9 and older; Debian 10 and older)
 ---------------------------------------------------------------
 Debian kernels older than 5.10 have support for user namespaces, but
 that feature is disabled by default to reduce the kernel's attack
 surface.
 The bubblewrap package contains configuration in
 /usr/lib/sysctl.d/50-bubblewrap.conf to enable user namespaces
 (see "Enabling kernel.unprivileged_userns_clone", below).
 If this is not desired, system administrators can copy that file
 to /etc/sysctl.d/50-bubblewrap.conf and modify it to disable unprivileged
 creation of user namespaces, then make bubblewrap setuid root so that it
 still works as intended (see "Making bubblewrap setuid root", below).
 Custom and third-party kernels
 ------------------------------
 If you compile your own kernel, you will need at least
 CONFIG_NAMESPACES=y and preferably CONFIG_USER_NS=y.
 If you do not have CONFIG_UTS_NS=y, CONFIG_IPC_NS=y, CONFIG_USER_NS=y,
 CONFIG_PID_NS=y and CONFIG_NET_NS=y, then the corresponding bubblewrap
 features will not work.
 Configuring kernel.unprivileged_userns_clone
 --------------------------------------------
 This Debian-specific sysctl parameter controls whether unprivileged
 users are allowed to create new user namespaces.
 If it is set to 0, some attacks against the kernel are made more difficult,
 which can increase security. However, some user-space software will not
 be able to create a sandboxed environment or will have to rely on a
 setuid version of bubblewrap to create a sandboxed environment, which
 reduces security. The value of this sysctl parameter is a trade-off
 between different security risks.
 If this parameter is set to 0, bubblewrap and Flatpak will not work unless
 bwrap is made setuid root (see "Making bubblewrap setuid root" below).
 The default is 1 for Debian kernels that are version 5.10 or newer,
 1 for Ubuntu kernels, or 0 for older Debian kernels. The bubblewrap
 package contains configuration in /usr/lib/sysctl.d/50-bubblewrap.conf
 to set this parameter to 1 during system startup.
 If this is not desired, system administrators can copy
 /usr/lib/sysctl.d/50-bubblewrap.conf to /etc/sysctl.d/50-bubblewrap.conf
 and modify it to disable unprivileged creation of user namespaces, then
 make bubblewrap setuid root so that it still works as intended (see
 "Making bubblewrap setuid root", below).
 You can view the current setting with:
    cat /proc/sys/kernel/unprivileged_userns_clone
 and temporarily set it to 1 (until the next reboot) with:
    sudo sysctl -w kernel.unprivileged_userns_clone=1
 Configuring the maximum number of namespaces per user
 -----------------------------------------------------
 The number of user namespaces per user is limited. The default limit
 depends on the amount of RAM available.
 Setting this limit to 0 is the recommended way to disable user namespace
 creation if this is required as a security hardening measure. bubblewrap
 will not work with this limit set to 0, unless it is setuid root (see
 "Configuring whether bubblewrap is setuid root" below).
 The limit is given by the user.max_user_namespaces sysctl parameter.
 You can view the current setting with:
    cat /proc/sys/user/max_user_namespaces
 and temporarily set it to a value (until the next reboot) with a
 command like:
    sudo sysctl -w user.max_user_namespaces=1000
 To set it to a value during system startup, create a file in /etc/sysctl.d
 containing a line like this:
    user.max_user_namespaces=1000
 Configuring whether bubblewrap is setuid root
 ---------------------------------------------
 To use bubblewrap with kernel.unprivileged_userns_clone set to 0
 or user.max_user_namespaces set to 0, it is necessary to make the bwrap
 executable setuid root. This gives it the necessary capabilities to set
 up containers even when run by an otherwise unprivileged user, and is the
 configuration normally used in Debian 10.
 This can be a security risk: if there are bugs in bubblewrap, it might be
 possible for an unprivileged user to get root privileges by running a
 setuid version of the bwrap executable. CVE-2020-5291 and CVE-2016-8659
 are examples of bugs that had this effect in the past. However, it allows
 the kernel to be configured to disallow creation of user namespaces by
 unprivileged users, which prevents attacks like CVE-2016-3135 from being
 carried out against the kernel. This is a trade-off between different
 security risks.
 To avoid other attacks, some Flatpak and bubblewrap features are not
 available when bwrap is setuid root, and the absence of those features
 is known to break some Flatpak apps. For example, the Flatpak app for
 the Chromium web browser will not work with a setuid bwrap executable.
 To check whether the bwrap executable will be made setuid root after
 the next upgrade, use this command:
    dpkg-statoverride --list /usr/bin/bwrap
 To force the bwrap executable to be setuid root, use these commands:
    sudo dpkg-statoverride --quiet --remove /usr/bin/bwrap
    sudo dpkg-statoverride --update --add root root 4755 /usr/bin/bwrap
--- a/debian/bubblewrap.bug-script
+++ b/debian/bubblewrap.bug-script
@ -0,0 +1,16 @@
 #!/bin/sh
 set -eu
 exec >&3 2>&3
 echo "Permissions of /usr/bin/bwrap:"
 ls -l /usr/bin/bwrap || :
 for f in \
    /etc/sysctl.d/*-bubblewrap.conf \
    /usr/lib/sysctl.d/*-bubblewrap.conf \
    /proc/sys/kernel/unprivileged_userns_clone \
    /proc/sys/user/max_*_namespaces \
 ; do
    echo "$f:"
    cat "$f" || :
 done
--- a/debian/bubblewrap.examples
+++ b/debian/bubblewrap.examples
@ -0,0 +1 @@
 demos/*
--- a/debian/bubblewrap.install
+++ b/debian/bubblewrap.install
@ -0,0 +1 @@
 debian/50-bubblewrap.conf usr/lib/sysctl.d
--- a/debian/bubblewrap.postinst
+++ b/debian/bubblewrap.postinst
@ -0,0 +1,10 @@
 #!/bin/sh
 set -e
 #DEBHELPER#
 # Apply sysctl configuration after upgrade
 if command -v sysctl > /dev/null; then
    sysctl --quiet --pattern '^kernel\.unprivileged_userns_clone$' --system || :
 fi
--- a/debian/changelog
+++ b/debian/changelog
@ -0,0 +1,5 @@
 bubblewrap (0.9.0-ok1) nile; urgency=medium
  * Build for openKylin.
 -- Luoyaoming <Luoyaoming@kylinos.cn>  Wed, 24 Apr 2024 09:11:58 +0800
--- a/debian/clean
+++ b/debian/clean
@ -0,0 +1 @@
 config.log
--- a/debian/control
+++ b/debian/control
@ -0,0 +1,50 @@
 Source: bubblewrap
 Section: admin
 Priority: optional
 Maintainer: openKylin Developers <packaging@lists.openkylin.top>
 XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
 Uploaders:
 Laszlo Boszormenyi (GCS) <gcs@debian.org>,
 Simon McVittie <smcv@debian.org>,
 Build-Depends:
 bash-completion,
 debhelper-compat (= 13),
 docbook-xml,
 docbook-xsl,
 iproute2 <!nocheck>,
 libcap-dev,
 libcap2-bin <!nocheck>,
 libipc-run-perl <!nocheck>,
 libselinux1-dev,
 meson,
 perl:any <!nocheck>,
 pkgconf,
 python3:any <!nocheck>,
 xsltproc,
 Standards-Version: 4.6.2
 Homepage: https://github.com/containers/bubblewrap
 Vcs-Git: https://salsa.debian.org/debian/bubblewrap.git
 Vcs-Browser: https://salsa.debian.org/debian/bubblewrap
 Rules-Requires-Root: no
 Package: bubblewrap
 Architecture: linux-any
 Multi-Arch: foreign
 Depends:
 ${misc:Depends},
 ${shlibs:Depends},
 Recommends:
 procps,
 Description: utility for unprivileged chroot and namespace manipulation
 bubblewrap uses Linux namespaces to launch unprivileged containers.
 These containers can be used to sandbox semi-trusted applications such
 as Flatpak apps, image/video thumbnailers and web browser components,
 or to run programs in a different library stack such as a Flatpak runtime
 or a different Debian release.
 .
 By default, this package relies on a kernel with user namespaces enabled.
 Official Debian and Ubuntu kernels are suitable.
 .
 On kernels without user namespaces, system administrators can make the
 bwrap executable setuid root, allowing it to create unprivileged
 containers even though ordinary user processes cannot.
--- a/debian/copyright
+++ b/debian/copyright
@ -0,0 +1,89 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: bubblewrap
 Source: https://github.com/containers/bubblewrap/
 Files: *
 Copyright:
 2016 Alexander Larsson
 2021 Simon McVittie
 2022 Collabora Ltd.
 License: LGPL-2+
 Files: bubblewrap.jpg
 Copyright: none
 License: pd-bubblewrap.jpg
 Placed in the public domain by the photographer "dancing_stupidity".
 Files: debian/*
 Copyright:
 2016 Laszlo Boszormenyi (GCS) <gcs@debian.org>
 2016-2024 Simon McVittie
 2016-2024 Collabora Ltd.
 License: LGPL-2+
 Files:
 git.mk
 Copyright:
 2009, Red Hat, Inc.
 2010-2013 Behdad Esfahbod
 License: permissive-git.mk
 Copying and distribution of this file, with or without modification,
 is permitted in any medium without royalty provided the copyright
 notice and this notice are preserved.
 Files: m4/attributes.m4
 Copyright:
 2006-2008 Diego Pettenò <flameeyes@gmail.com>
 2006-2008 xine project
 2012 Lucas De Marchi <lucas.de.marchi@gmail.com>
 License: GPL-2+ with Autoconf exception
 License: LGPL-2+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Library General Public
 License as published by the Free Software Foundation; either
 version 2 of the License, or (at your option) any later version.
 .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 Library General Public License for more details.
 .
 You should have received a copy of the GNU Library General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
 USA.
 .
 On Debian systems, the full text of the GNU Library General Public License
 version 2 can be found in the file `/usr/share/common-licenses/LGPL-2'.
 License: GPL-2+ with Autoconf exception
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2, or (at your option)
 any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 02110-1301, USA.
 .
 As a special exception, the copyright owners of the
 macro gives unlimited permission to copy, distribute and modify the
 configure scripts that are the output of Autoconf when processing the
 Macro. You need not follow the terms of the GNU General Public
 License when using or distributing such scripts, even though portions
 of the text of the Macro appear in them. The GNU General Public
 License (GPL) does govern all other use of the material that
 constitutes the Autoconf Macro.
 .
 This special exception to the GPL applies to versions of the
 Autoconf Macro released by this project. When you make and
 distribute a modified version of the Autoconf Macro, you may extend
 this special exception to the GPL to apply to your modified version as
 well.
--- a/debian/docs
+++ b/debian/docs
@ -0,0 +1 @@
 README.md
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@ -0,0 +1,6 @@
 [DEFAULT]
 pristine-tar = True
 debian-branch = debian/latest
 upstream-branch = upstream/latest
 patch-numbers = False
 upstream-vcs-tag = v%(version)s
--- a/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
+++ b/debian/patches/debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
@ -0,0 +1,22 @@
 From: Simon McVittie <smcv@debian.org>
 Date: Fri, 1 Jan 2021 15:03:27 +0000
 Subject: Change EPERM error message to show Debian-specific information
 Forwarded: not-needed
 ---
 bubblewrap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/bubblewrap.c b/bubblewrap.c
 index 9b78a9a..1ea16c9 100644
 --- a/bubblewrap.c
 +++ b/bubblewrap.c
@@ -2905,7 +2905,7 @@ main (int    argc,
           if (errno == EINVAL)
             die ("Creating new namespace failed, likely because the kernel does not support user namespaces.  bwrap must be installed setuid on such systems.");
           else if (errno == EPERM && !is_privileged)
 -            die ("No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.");
 +            die ("No permissions to create new namespace, likely because the kernel does not allow non-privileged user namespaces. See <https://deb.li/bubblewrap> or <file:///usr/share/doc/bubblewrap/README.Debian.gz>.");
         }
       if (errno == ENOSPC)
--- a/debian/patches/series
+++ b/debian/patches/series
@ -0,0 +1 @@
 debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch
--- a/debian/rules
+++ b/debian/rules
@ -0,0 +1,27 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
 export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 PKGDIR=$(CURDIR)/debian/bubblewrap
 %:
 	dh $@ --buildsystem=meson+ninja --without=autoreconf
 override_dh_auto_configure:
 	dh_auto_configure \
 		-- \
 		-Dzsh_completion_dir=/usr/share/zsh/vendor-completions \
 		${NULL}
 .PHONY: override_dh_auto_configure
 override_dh_auto_test:
 	# Remove LD_PRELOAD so we don't run with faketime. It uses
 	# sem_open(), but bubblewrap runs in an environment where that
 	# can't work.
 	env -u LD_PRELOAD dh_auto_test
 .PHONY: override_dh_auto_test
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@ -0,0 +1,3 @@
 include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
--- a/debian/source/format
+++ b/debian/source/format
@ -0,0 +1 @@
 3.0 (quilt)
--- a/debian/tests/basic
+++ b/debian/tests/basic
@ -0,0 +1,21 @@
 #!/usr/bin/perl
 # vim:set sw=4 sts=4 et ft=perl:
 use strict;
 use warnings;
 use Test::More;
 use IPC::Run qw(run);
 sub run_ok {
    my $argv = shift;
    my $debug = join(' ', @$argv);
    ok(run($argv, @_), qq{"$debug" should succeed});
 }
 my $out;
 run_ok([qw(bwrap --ro-bind / / /usr/bin/id -u)], '<', \undef, '>', \$out);
 is($out, `id -u`);
 run_ok([qw(bwrap --ro-bind / / /usr/bin/id -g)], '<', \undef, '>', \$out);
 is($out, `id -g`);
 done_testing;
--- a/debian/tests/control
+++ b/debian/tests/control
@ -0,0 +1,36 @@
 Tests:
 basic
 dev
 net
 upstream
 userns
 Restrictions: allow-stderr, isolation-machine
 Depends:
 bubblewrap,
 iproute2:native,
 libcap2-bin:native,
 libipc-run-perl:native,
 perl:native,
 python3:native,
 Tests: upstream-usrmerge
 Restrictions: allow-stderr, isolation-machine, breaks-testbed
 Depends:
 bubblewrap,
 iproute2:native,
 libcap2-bin:native,
 libipc-run-perl:native,
 perl:native,
 python3:native,
 usrmerge
 Tests:
 upstream-as-root
 Restrictions: allow-stderr, isolation-machine, needs-root
 Depends:
 bubblewrap,
 iproute2:native,
 libcap2-bin:native,
 libipc-run-perl:native,
 perl:native,
 python3:native,
--- a/debian/tests/dev
+++ b/debian/tests/dev
@ -0,0 +1,40 @@
 #!/usr/bin/perl
 # vim:set sw=4 sts=4 et ft=perl:
 use strict;
 use warnings;
 use Test::More;
 use IPC::Run qw(run);
 sub run_ok {
    my $argv = shift;
    my $debug = join(' ', @$argv);
    ok(run($argv, @_), qq{"$debug" should succeed});
 }
 my $out;
 run_ok([qw(bwrap --ro-bind / / --dev /dev //bin/sh -c), "echo /dev/*"],
    '<', \undef, '>', \$out);
 like($out, qr{(^| )/dev/full( |$)});
 like($out, qr{(^| )/dev/null( |$)});
 like($out, qr{(^| )/dev/pts( |$)});
 like($out, qr{(^| )/dev/random( |$)});
 like($out, qr{(^| )/dev/shm( |$)});
 like($out, qr{(^| )/dev/stderr( |$)});
 like($out, qr{(^| )/dev/stdin( |$)});
 like($out, qr{(^| )/dev/stdout( |$)});
 like($out, qr{(^| )/dev/tty( |$)});
 like($out, qr{(^| )/dev/urandom( |$)});
 like($out, qr{(^| )/dev/zero( |$)});
 unlike($out, qr{(^| )/dev/hda( |$)});
 unlike($out, qr{(^| )/dev/dsp( |$)});
 unlike($out, qr{(^| )/dev/fuse( |$)});
 unlike($out, qr{(^| )/dev/kmsg( |$)});
 unlike($out, qr{(^| )/dev/loop0( |$)});
 unlike($out, qr{(^| )/dev/mem( |$)});
 unlike($out, qr{(^| )/dev/sda( |$)});
 unlike($out, qr{(^| )/dev/snd( |$)});
 unlike($out, qr{(^| )/dev/tty1( |$)});
 unlike($out, qr{(^| )/dev/vda( |$)});
 done_testing;
--- a/debian/tests/net
+++ b/debian/tests/net
@ -0,0 +1,24 @@
 #!/usr/bin/perl
 # vim:set sw=4 sts=4 et ft=perl:
 use strict;
 use warnings;
 use Test::More;
 use IPC::Run qw(run);
 sub run_ok {
    my $argv = shift;
    my $debug = join(' ', @$argv);
    ok(run($argv, @_), qq{"$debug" should succeed});
 }
 my $out;
 run_ok([qw(bwrap --ro-bind / / --unshare-net /bin/sh -c), "ip link ls"],
    '<', \undef, '>', \$out);
 like($out, qr{^[0-9]+: lo:});
 unlike($out, qr{^[0-9]+: en[^:]*:});
 unlike($out, qr{^[0-9]+: eth[^:]*:});
 unlike($out, qr{^[0-9]+: wlan[^:]*:});
 done_testing;
--- a/debian/tests/upstream
+++ b/debian/tests/upstream
@ -0,0 +1,5 @@
 #!/bin/sh
 set -e
 exec tests/test-run.sh
--- a/debian/tests/upstream-as-root
+++ b/debian/tests/upstream-as-root
@ -0,0 +1,5 @@
 #!/bin/sh
 set -e
 exec tests/test-run.sh
--- a/debian/tests/upstream-usrmerge
+++ b/debian/tests/upstream-usrmerge
@ -0,0 +1 @@
 upstream
--- a/debian/tests/userns
+++ b/debian/tests/userns
@ -0,0 +1,42 @@
 #!/usr/bin/perl
 # vim:set sw=4 sts=4 et ft=perl:
 use strict;
 use warnings;
 use Test::More;
 use IPC::Run qw(run);
 sub run_ok {
    my $argv = shift;
    my $debug = join(' ', @$argv);
    ok(run($argv, @_), qq{"$debug" should succeed});
 }
 my $out;
 diag("Unshare user ID");
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -u)],
    '<', \undef, '>', \$out);
 is($out, "2\n");
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /usr/bin/id -g)],
    '<', \undef, '>', \$out);
 is($out, "3\n");
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 /bin/sh -c),
        'ls -l /etc/passwd'],
    '<', \undef, '>', \$out);
 like($out, qr{ nobody nogroup });
 diag("Combine new /dev with new user namespace (#71)");
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /bin/sh -c),
        'echo /dev/*'],
    '<', \undef, '>', \$out);
 like($out, qr{(^| )/dev/full( |$)});
 unlike($out, qr{(^| )/dev/tty1( |$)});
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -u)],
    '<', \undef, '>', \$out);
 is($out, "2\n");
 run_ok([qw(bwrap --ro-bind / / --unshare-user --uid 2 --gid 3 --dev /dev /usr/bin/id -g)],
    '<', \undef, '>', \$out);
 is($out, "3\n");
 done_testing;
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@ -0,0 +1,7 @@
 ---
 Repository: https://github.com/containers/bubblewrap.git
 Repository-Browse: https://github.com/containers/bubblewrap
 Bug-Database: https://github.com/containers/bubblewrap/issues
 Bug-Submit: https://github.com/containers/bubblewrap/issues/new
 ...
 # vim:set ft=yaml:
--- a/debian/watch
+++ b/debian/watch
@ -0,0 +1,9 @@
 version=4
 # Upstream releases official Autotools 'make dist' tarballs, so we use
 # those in preference to git tags
 opts="\
    compression=xz, \
    dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//, \
    downloadurlmangle=s#/tag/#/download/#;s#(v?@ANY_VERSION@)$#$1/@PACKAGE@-$2.tar.xz#, \
    filenamemangle=s#v?@ANY_VERSION@#@PACKAGE@-$1.tar.xz#" \
 https://github.com/containers/@PACKAGE@/tags .*/releases/tag/v?@ANY_VERSION@
		`@ -0,0 +1 @@`
							`debian/Change-EPERM-error-message-to-show-Debian-specific-inform.patch`