diff options
authorChris Morgan2018-08-29 15:36:54 +1000
committerChris Morgan2018-08-29 15:36:54 +1000
commitff3f2bdccdeb1b1d7afaaba0a86c2b9a2376838d (patch)
parent89e05ab76828da2a211c77923553d32b2acf2596 (diff)
Update to matamo 3.5.1, with various changes
As far as this AUR package is concerned, this is a major update. Packaging changes: • Use “matomo” where possible (no more “piwik” in the build scripts) • Fix pkgdesc (shouldn’t mention the package name) • License is GPL3 (GPLv3 or later), not GPL (GPLv2 or later) • PHP dependency needs to be at least 5.5.9 (so e.g. php53 from AUR wouldn’t be good enough, but php56 would be) • Replace mariadb dependency with mysql>=5.5 (mariadb provides mysql, so this way it supports any mysql, not just mariadb; I considered moving it from optdepends to depends as well, but I suppose its mysql need not be on the same server, so optdepends is correct) • Use HTTPS for downloads • Quote paths with variable expansions in the shell scripting • Removed optional php-geoip dependency, because it’s not what Matomo needs: Matomo uses geoip2, not geoip. It’s pure PHP and thus vendored in, though if you install the faster maxminddb C extension it’ll automatically use it in preference. Functional changes: • Upgrade from 3.4.0 to 3.5.1 • Move /usr/share/webapps/matomo/config/ to /etc/webapps/matomo/, leaving a symlink in its stead. • Move /usr/share/webapps/matomo/tmp/ to /usr/lib/webapps/matomo/tmp/ • Tighten the permissions of /usr/share/webapps/matomo by changing the owner from http:http to root:http, so that in it, only piwik.js and the plugins directory are writable by the http user. Note that /usr/share/webapps/matomo/plugins is excluded from the owner change: it is still owned by http:http so you can add plugins through the marketplace. • Support geoip2-database directly (install that package, and you can immediately enable proper geolocation in the Matomo admin) Upgrades should be fine with no data loss, but I still suggest caution. I have not been rigourous in verifying that everything works properly in all circumstances.
3 files changed, 150 insertions, 40 deletions
diff --git a/.SRCINFO b/.SRCINFO
index c821cfd53aa..662130d9dcb 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,24 +1,23 @@
-# Generated by mksrcinfo v8
-# Sun Apr 1 09:32:41 UTC 2018
pkgbase = matomo
- pkgdesc = matomo is a real time web analytics software program, written in PHP
- pkgver = 3.4.0
+ pkgdesc = real time web analytics platform
+ pkgver = 3.5.1
pkgrel = 1
url =
install = matomo.install
arch = any
- license = GPL
- depends = php
+ license = GPL3
+ depends = php>=5.5.9
depends = php-gd
- optdepends = mariadb: Database server
- optdepends = python2: For log importer script
- optdepends = php-geoip: For GeoIP php module
+ optdepends = mysql>=5.5: database server
+ optdepends = python2: log importer script
+ optdepends = geoip2-database: GeoIP database
replaces = piwik
- backup = etc/webapps/matomo/config.ini.php
- source =
- source =
- sha512sums = e9aeca686acadf5eb03a7a6c31e0f62df2fbeabe9eade4a2367a6433011d38933c8b8d8d8222566d135e2f31b2d55c0dbc665072021febdb2da54a94dc736005
- sha512sums = SKIP
+ backup = usr/share/webapps/matomo/piwik.js
+ source =
+ source =
+ validpgpkeys = 814E346FA01A20DBB04B6807B5DBD5925590A237
+ sha256sums = 86bfef7e4f93aa8c5094225502f8258addf1f6920f2459e9d22b867b4ed8a734
+ sha256sums = 4cf4763827ab09407a50ebc04b44e75f040beaeda0da74d454d6a27d19462dda
pkgname = matomo
diff --git a/PKGBUILD b/PKGBUILD
index cfaf34dda6d..fe692c1088e 100644
@@ -1,32 +1,60 @@
+# Maintainer: Chris Morgan <>
# Maintainer: Carsten Feuls <archlinux dot carstenfeuls dot de>
# Co-Maintainer: Nils Czernia <nils at czserver dot de>
-pkgdesc="matomo is a real time web analytics software program, written in PHP"
+pkgdesc="real time web analytics platform"
-depends=("php" "php-gd")
+depends=("php>=5.5.9" "php-gd")
-optdepends=("mariadb: Database server"
- "python2: For log importer script"
- "php-geoip: For GeoIP php module")
+optdepends=("mysql>=5.5: database server"
+ "python2: log importer script"
+ "geoip2-database: GeoIP database")
- "SKIP")
+ "${pkgname}-${pkgver}.tar.gz.asc")
+ "4cf4763827ab09407a50ebc04b44e75f040beaeda0da74d454d6a27d19462dda")
package() {
- install -d ${pkgdir}${_matomopath}
- install -d ${pkgdir}${_matomoconfigpath}
- cp -r ${srcdir}/${_pkgname} ${pkgdir}${_matomopath}/${pkgname}
- cp ${srcdir}/${_pkgname}/config/global.ini.php ${pkgdir}${_matomoconfigpath}/config.ini.php
+ install -d "${pkgdir}/usr/share/webapps"
+ cp -r "${srcdir}/${pkgname}" "${pkgdir}/usr/share/webapps/${pkgname}"
+ # Some extensions want to append to piwik.js, so we relectantly let them.
+ chmod g+w "${pkgdir}/usr/share/webapps/${pkgname}/piwik.js"
+ # While installing matomo, it insists on being able to write to the config directory,
+ # because it creates config.ini.php. After it’s installed, you can make it read-only,
+ # e.g. by `chown -R root:http /etc/webapps/${pkgname}`
+ install -d "${pkgdir}/etc/webapps"
+ mv "${pkgdir}/usr/share/webapps/${pkgname}/config" "${pkgdir}/etc/webapps/${pkgname}"
+ ln -s "../../../../etc/webapps/${pkgname}" "${pkgdir}/usr/share/webapps/matomo/config"
+ # matomo uses this tmp dir for writing its own data;
+ # but it belongs in /var rather than /usr.
+ rmdir "${pkgdir}/usr/share/webapps/matomo/tmp"
+ install -dm700 "${pkgdir}/var/lib/webapps/matomo/tmp"
+ ln -s "../../../../var/lib/webapps/matomo/tmp" "${pkgdir}/usr/share/webapps/matomo/tmp"
+ # Installing or upgrading non-core plugins requires write access to plugins/;
+ # we could try g+w on the directory and try to restrict core plugins, but
+ # then you’ve got mixed ownership (anything it creates will be http:http
+ # instead of root:http) which is nasty. Another approach is to put `plugins`
+ # in /var/lib with core plugins *actually* in /usr/share and symlinked back;
+ # but that’s getting too clever for my sanity at present: this is all getting
+ # rather bothersome; I’m tired of messing around with PHP apps that are
+ # ill-designed for hardening and not designed for use in the scope of a
+ # system package manager. So for now at least, we’re just going to leave it
+ # as it is, chown the whole plugins directory in matomo.install, and wash our
+ # hands of it.
+ # GeoLite2-City.mmdb is provided by geoip2-datbase, which is optdepends.
+ # I figure a dead symlink should be safe if it’s missing.
+ ln -s "../../../../../usr/share/GeoIP/GeoLite2-City.mmdb" "${pkgdir}/usr/share/webapps/matomo/misc"
diff --git a/matomo.install b/matomo.install
index b792c5a5738..576e087bde8 100644
--- a/matomo.install
+++ b/matomo.install
@@ -1,14 +1,97 @@
-post_install() {
- ln -s /etc/webapps/matomo/config.ini.php /usr/share/webapps/matomo/config/
+pre_upgrade() {
+ # Owner preservation (compare post_upgrade)
+ if [ -d /etc/webapps/matomo ]; then
+ touch /etc/webapps/matomo/.owner.tmp
+ fi
+ if [ -d /usr/share/webapps/matomo/plugins ]; then
+ touch /usr/share/webapps/matomo/plugins/.owner.tmp
+ # We’ll chown -R /usr/share/webapps/matomo before getting to plugins, so
+ # must move it to a different directory so we don’t accidentally chmod it!
+ mv /usr/share/webapps/matomo/plugins/.owner.tmp /tmp/matomo-plugins-owner.tmp
+ fi
+ # The rest is 3.4.0-1 → 3.5.1-1 or later upgrade matters.
+ if [ ! -L /usr/share/webapps/matomo/tmp ]; then
+ # It’s a directory rather than a symlink: gotta be pre-3.5.1-1.
+ install -dm700 /var/lib/webapps/matomo
+ mv /usr/share/webapps/matomo/tmp /var/lib/webapps/matomo/tmp
+ chown -R http:http /var/lib/webapps/matomo
+ # No changes needed in /usr/share/webapps/matomo/config, it’ll upgrade cleanly.
+ echo 'matomo 3.5.1-1 onward has some location and permissions changes to be aware'
+ echo 'of. Everything necessary is moved to the new locations, so you have lost'
+ echo 'nothing, and everything should continue to work just fine with no changes.'
+ echo 'This is really just a FYI.'
+ echo
+ echo '- /usr/share/webapps/matomo/tmp is moved to /var/lib/webapps/matomo/tmp,'
+ echo ' and a symlink left in its place.'
+ echo
+ echo '- Instead of copying global.ini.php to /etc/webapps/matomo/config.ini.php and'
+ echo ' making a symlink to it in /usr/share/webapps/matomo/config, the entire'
+ echo ' config directory is moved to /etc/webapps/matomo (*not* as'
+ echo ' /etc/webapps/matomo/config) with a symlink in its place. Your config.ini.php'
+ echo ' (which is in the same place as ever, /etc/webapps/matomo/config.ini.php)'
+ echo ' is probably now rather bloated by comparison with that of a regular Matomo'
+ echo ' installation, as it started as a copy of global.ini.php rather than empty.'
+ echo
+ echo '- The owner has changed for /usr/share/webapps/matomo: rather than http:http,'
+ echo ' it’s now root:http, so that matomo itself can’t modify any of its own files.'
+ echo ' Only the /var and /etc locations now, plus piwik.js and the plugins'
+ echo ' directory, are writeable:'
+ echo
+ echo ' - /var/lib/webapps/matomo/tmp is owned by http:http because it’s essential'
+ echo ' for the web server to be able to write there;'
+ echo ' - /etc/webapps/matomo is owned by http:http so the installer can run;'
+ echo ' but after that it need not be writeable; if you like, you can'
+ echo ' `chown -R root:http /etc/webapps/matomo` for security);'
+ echo ' - /usr/share/webapps/matomo/piwik.js is group-writeable because some plugins'
+ echo ' want to add to it; you can `chmod g-w` it if you like, but I’m not sure if'
+ echo ' that will persist across future upgrades.'
+ echo ' - Actually I lied about ownership: /usr/share/webapps/matomo/plugins is'
+ echo ' owned by http:http instead of root:http, so that you can add plugins from'
+ echo ' the marketplace, upgrade them, and so forth. You can harden it with'
+ echo ' `chown -R root:http /usr/share/webapps/matomo/plugins` if you like,'
+ echo ' and this will persist across future upgrades.'
+ echo
+ fi
- chown -R http:http /usr/share/webapps/matomo
+post_install() {
+ chown -R root:http /usr/share/webapps/matomo
+ chown -R http:http /usr/share/webapps/matomo/plugins
chown -R http:http /etc/webapps/matomo
- chmod 600 /etc/webapps/matomo/*
+ chown -R http:http /var/lib/webapps/matomo
+ echo 'matomo: you will need to hook matomo up in your http server somehow (the files'
+ echo 'are in /usr/share/webapps/matomo), then go through its installer process.'
+ echo 'After that, consider making the config and plugin directories read-only like'
+ echo 'this (the directory owner changes will persist across matomo package upgrades):'
+ echo
+ echo ' chown -R root:http /etc/webapps/matomo'
+ echo ' chown -R root:http /usr/share/webapps/matomo/plugins'
+ echo
post_upgrade() {
- chown -R http:http /usr/share/webapps/matomo
- chown -R http:http /etc/webapps/matomo
- chmod 600 /etc/webapps/matomo/*
+ chown -R root:http /usr/share/webapps/matomo
+ # This way, if the user did a `chown -R root:http` to make config files read-only,
+ # we keep that owner after upgrade. (Yeah, it’s still not a great technique.)
+ if [ -f /etc/webapps/matomo/.owner.tmp ]; then
+ chown -R --reference=/etc/webapps/matomo/.owner.tmp /etc/webapps/matomo
+ rm /etc/webapps/matomo/.owner.tmp
+ else
+ chown -R http:http /etc/webapps/matomo
+ fi
+ # Ditto on the plugins directory.
+ if [ -f /tmp/matomo-plugins-owner.tmp ]; then
+ chown -R --reference=/tmp/matomo-plugins-owner.tmp /usr/share/webapps/matomo/plugins
+ rm /tmp/matomo-plugins-owner.tmp
+ else
+ chown -R http:http /usr/share/webapps/matomo/plugins
+ fi
+ # /var/lib/webapps/matomo: owner was set correctly in post_install or pre_upgrade,
+ # and we don’t install any files to that directory, so no need to fiddle with it here.