-rw-r--r-- | .SRCINFO | 27 | ||||
-rw-r--r-- | PKGBUILD | 66 | ||||
-rw-r--r-- | matomo.install | 97 |
3 files changed, 150 insertions, 40 deletions
@@ -1,24 +1,23 @@ -# Generated by mksrcinfo v8 -# Sun Apr 1 09:32:41 UTC 2018 pkgbase = matomo - pkgdesc = matomo is a real time web analytics software program, written in PHP - pkgver = 3.4.0 + pkgdesc = real time web analytics platform + pkgver = 3.5.1 pkgrel = 1 url = https://matomo.org/ install = matomo.install arch = any - license = GPL - depends = php + license = GPL3 + depends = php>=5.5.9 depends = php-gd - optdepends = mariadb: Database server - optdepends = python2: For log importer script - optdepends = php-geoip: For GeoIP php module + optdepends = mysql>=5.5: database server + optdepends = python2: log importer script + optdepends = geoip2-database: GeoIP database replaces = piwik - backup = etc/webapps/matomo/config.ini.php - source = http://builds.piwik.org/piwik-3.4.0.tar.gz - source = http://builds.piwik.org/piwik-3.4.0.tar.gz.asc - sha512sums = e9aeca686acadf5eb03a7a6c31e0f62df2fbeabe9eade4a2367a6433011d38933c8b8d8d8222566d135e2f31b2d55c0dbc665072021febdb2da54a94dc736005 - sha512sums = SKIP + backup = usr/share/webapps/matomo/piwik.js + source = https://builds.matomo.org/matomo-3.5.1.tar.gz + source = https://builds.matomo.org/matomo-3.5.1.tar.gz.asc + validpgpkeys = 814E346FA01A20DBB04B6807B5DBD5925590A237 + sha256sums = 86bfef7e4f93aa8c5094225502f8258addf1f6920f2459e9d22b867b4ed8a734 + sha256sums = 4cf4763827ab09407a50ebc04b44e75f040beaeda0da74d454d6a27d19462dda pkgname = matomo 
@@ -1,32 +1,60 @@
+# Maintainer: Chris Morgan <me@chrismorgan.info>
 # Maintainer: Carsten Feuls <archlinux dot carstenfeuls dot de>
 # Co-Maintainer: Nils Czernia <nils at czserver dot de>
 pkgname=matomo
-_pkgname=piwik
-pkgver=3.4.0
+pkgver=3.5.1
 pkgrel=1
-pkgdesc="matomo is a real time web analytics software program, written in PHP"
+pkgdesc="real time web analytics platform"
 arch=("any")
 url="https://matomo.org/"
-license=("GPL")
-depends=("php" "php-gd")
+license=("GPL3")
+depends=("php>=5.5.9" "php-gd")
 replaces=("piwik")
-optdepends=("mariadb: Database server"
- "python2: For log importer script"
- "php-geoip: For GeoIP php module")
+optdepends=("mysql>=5.5: database server"
+ "python2: log importer script"
+ "geoip2-database: GeoIP database")
 install="$pkgname.install"
-source=(http://builds.piwik.org/${_pkgname}-${pkgver}.tar.gz{,.asc})
-backup=("etc/webapps/${pkgname}/config.ini.php")
-sha512sums=("e9aeca686acadf5eb03a7a6c31e0f62df2fbeabe9eade4a2367a6433011d38933c8b8d8d8222566d135e2f31b2d55c0dbc665072021febdb2da54a94dc736005"
- "SKIP")
-validpgpkeys=("814E346FA01A20DBB04B6807B5DBD5925590A237")
+source=("https://builds.matomo.org/${pkgname}-${pkgver}.tar.gz"
+ "https://builds.matomo.org/${pkgname}-${pkgver}.tar.gz.asc")
+backup=("usr/share/webapps/${pkgname}/piwik.js")
+sha256sums=("86bfef7e4f93aa8c5094225502f8258addf1f6920f2459e9d22b867b4ed8a734"
+ "4cf4763827ab09407a50ebc04b44e75f040beaeda0da74d454d6a27d19462dda")
-_matomopath="/usr/share/webapps/"
-_matomoconfigpath="/etc/webapps/${pkgname}"
+validpgpkeys=("814E346FA01A20DBB04B6807B5DBD5925590A237")
 package() {
- install -d ${pkgdir}${_matomopath}
- install -d ${pkgdir}${_matomoconfigpath}
- cp -r ${srcdir}/${_pkgname} ${pkgdir}${_matomopath}/${pkgname}
- cp ${srcdir}/${_pkgname}/config/global.ini.php ${pkgdir}${_matomoconfigpath}/config.ini.php
+ install -d "${pkgdir}/usr/share/webapps"
+ cp -r "${srcdir}/${pkgname}" "${pkgdir}/usr/share/webapps/${pkgname}"
+ # Some extensions want to append to piwik.js, so we relectantly let them.
+ chmod g+w "${pkgdir}/usr/share/webapps/${pkgname}/piwik.js"
+
+ # While installing matomo, it insists on being able to write to the config directory,
+ # because it creates config.ini.php. After it’s installed, you can make it read-only,
+ # e.g. by `chown -R root:http /etc/webapps/${pkgname}`
+ install -d "${pkgdir}/etc/webapps"
+ mv "${pkgdir}/usr/share/webapps/${pkgname}/config" "${pkgdir}/etc/webapps/${pkgname}"
+ ln -s "../../../../etc/webapps/${pkgname}" "${pkgdir}/usr/share/webapps/matomo/config"
+
+ # matomo uses this tmp dir for writing its own data;
+ # but it belongs in /var rather than /usr.
+ rmdir "${pkgdir}/usr/share/webapps/matomo/tmp"
+ install -dm700 "${pkgdir}/var/lib/webapps/matomo/tmp"
+ ln -s "../../../../var/lib/webapps/matomo/tmp" "${pkgdir}/usr/share/webapps/matomo/tmp"
+
+ # Installing or upgrading non-core plugins requires write access to plugins/;
+ # we could try g+w on the directory and try to restrict core plugins, but
+ # then you’ve got mixed ownership (anything it creates will be http:http
+ # instead of root:http) which is nasty. Another approach is to put `plugins`
+ # in /var/lib with core plugins *actually* in /usr/share and symlinked back;
+ # but that’s getting too clever for my sanity at present: this is all getting
+ # rather bothersome; I’m tired of messing around with PHP apps that are
+ # ill-designed for hardening and not designed for use in the scope of a
+ # system package manager. So for now at least, we’re just going to leave it
+ # as it is, chown the whole plugins directory in matomo.install, and wash our
+ # hands of it.
+
+ # GeoLite2-City.mmdb is provided by geoip2-datbase, which is optdepends.
+ # I figure a dead symlink should be safe if it’s missing.
+ ln -s "../../../../../usr/share/GeoIP/GeoLite2-City.mmdb" "${pkgdir}/usr/share/webapps/matomo/misc"
 }
diff --git a/matomo.install b/matomo.install
index b792c5a57388..576e087bde85 100644
--- a/matomo.install
+++ b/matomo.install
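Review bot: In PKGBUILD's package(), the comment above `chmod g+w "${pkgdir}/usr/share/webapps/${pkgname}/piwik.js"` explains why the bit is granted but not what it gives up. This line deliberately leaves a browser-delivered script writable by the web server group, while the rest of the tree is meant to become root:http and read-only to the application. Suggested wording: `# piwik.js is served to visitors; g+w lets the http group (and so the PHP process) rewrite it. chmod g-w it if no plugin needs to append to it.` The same comment has a typo (`relectantly`), and the later lines hard-code `matomo` where the earlier ones use `${pkgname}`.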
@@ -1,14 +1,97 @@
-post_install() {
- ln -s /etc/webapps/matomo/config.ini.php /usr/share/webapps/matomo/config/
+pre_upgrade() {
+ # Owner preservation (compare post_upgrade)
+ if [ -d /etc/webapps/matomo ]; then
+ touch /etc/webapps/matomo/.owner.tmp
+ fi
+ if [ -d /usr/share/webapps/matomo/plugins ]; then
+ touch /usr/share/webapps/matomo/plugins/.owner.tmp
+ # We’ll chown -R /usr/share/webapps/matomo before getting to plugins, so
+ # must move it to a different directory so we don’t accidentally chmod it!
+ mv /usr/share/webapps/matomo/plugins/.owner.tmp /tmp/matomo-plugins-owner.tmp
+ fi
+
+ # The rest is 3.4.0-1 → 3.5.1-1 or later upgrade matters.
+ if [ ! -L /usr/share/webapps/matomo/tmp ]; then
+ # It’s a directory rather than a symlink: gotta be pre-3.5.1-1.
+ install -dm700 /var/lib/webapps/matomo
+ mv /usr/share/webapps/matomo/tmp /var/lib/webapps/matomo/tmp
+ chown -R http:http /var/lib/webapps/matomo
+ # No changes needed in /usr/share/webapps/matomo/config, it’ll upgrade cleanly.
+ echo 'matomo 3.5.1-1 onward has some location and permissions changes to be aware'
+ echo 'of. Everything necessary is moved to the new locations, so you have lost'
+ echo 'nothing, and everything should continue to work just fine with no changes.'
+ echo 'This is really just a FYI.'
+ echo
+ echo '- /usr/share/webapps/matomo/tmp is moved to /var/lib/webapps/matomo/tmp,'
+ echo ' and a symlink left in its place.'
+ echo
+ echo '- Instead of copying global.ini.php to /etc/webapps/matomo/config.ini.php and'
+ echo ' making a symlink to it in /usr/share/webapps/matomo/config, the entire'
+ echo ' config directory is moved to /etc/webapps/matomo (*not* as'
+ echo ' /etc/webapps/matomo/config) with a symlink in its place. Your config.ini.php'
+ echo ' (which is in the same place as ever, /etc/webapps/matomo/config.ini.php)'
+ echo ' is probably now rather bloated by comparison with that of a regular Matomo'
+ echo ' installation, as it started as a copy of global.ini.php rather than empty.'
+ echo
+ echo '- The owner has changed for /usr/share/webapps/matomo: rather than http:http,'
+ echo ' it’s now root:http, so that matomo itself can’t modify any of its own files.'
+ echo ' Only the /var and /etc locations now, plus piwik.js and the plugins'
+ echo ' directory, are writeable:'
+ echo
+ echo ' - /var/lib/webapps/matomo/tmp is owned by http:http because it’s essential'
+ echo ' for the web server to be able to write there;'
+ echo ' - /etc/webapps/matomo is owned by http:http so the installer can run;'
+ echo ' but after that it need not be writeable; if you like, you can'
+ echo ' `chown -R root:http /etc/webapps/matomo` for security);'
+ echo ' - /usr/share/webapps/matomo/piwik.js is group-writeable because some plugins'
+ echo ' want to add to it; you can `chmod g-w` it if you like, but I’m not sure if'
+ echo ' that will persist across future upgrades.'
+ echo ' - Actually I lied about ownership: /usr/share/webapps/matomo/plugins is'
+ echo ' owned by http:http instead of root:http, so that you can add plugins from'
+ echo ' the marketplace, upgrade them, and so forth. You can harden it with'
+ echo ' `chown -R root:http /usr/share/webapps/matomo/plugins` if you like,'
+ echo ' and this will persist across future upgrades.'
+ echo
+ fi
+}
- chown -R http:http /usr/share/webapps/matomo
+
+post_install() {
+ chown -R root:http /usr/share/webapps/matomo
+ chown -R http:http /usr/share/webapps/matomo/plugins
 chown -R http:http /etc/webapps/matomo
- chmod 600 /etc/webapps/matomo/*
+ chown -R http:http /var/lib/webapps/matomo
+ echo 'matomo: you will need to hook matomo up in your http server somehow (the files'
+ echo 'are in /usr/share/webapps/matomo), then go through its installer process.'
+ echo 'After that, consider making the config and plugin directories read-only like'
+ echo 'this (the directory owner changes will persist across matomo package upgrades):'
+ echo
+ echo ' chown -R root:http /etc/webapps/matomo'
+ echo ' chown -R root:http /usr/share/webapps/matomo/plugins'
+ echo
 }
 post_upgrade() {
- chown -R http:http /usr/share/webapps/matomo
- chown -R http:http /etc/webapps/matomo
- chmod 600 /etc/webapps/matomo/*
+ chown -R root:http /usr/share/webapps/matomo
+
+ # This way, if the user did a `chown -R root:http` to make config files read-only,
+ # we keep that owner after upgrade. (Yeah, it’s still not a great technique.)
+ if [ -f /etc/webapps/matomo/.owner.tmp ]; then
+ chown -R --reference=/etc/webapps/matomo/.owner.tmp /etc/webapps/matomo
+ rm /etc/webapps/matomo/.owner.tmp
+ else
+ chown -R http:http /etc/webapps/matomo
+ fi
+
+ # Ditto on the plugins directory.
+ if [ -f /tmp/matomo-plugins-owner.tmp ]; then
+ chown -R --reference=/tmp/matomo-plugins-owner.tmp /usr/share/webapps/matomo/plugins
+ rm /tmp/matomo-plugins-owner.tmp
+ else
+ chown -R http:http /usr/share/webapps/matomo/plugins
+ fi
+
+ # /var/lib/webapps/matomo: owner was set correctly in post_install or pre_upgrade,
+ # and we don’t install any files to that directory, so no need to fiddle with it here.
 }
|
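Review bot: The marker files created in pre_upgrade do not record the directory's owner, because `touch` gives a new file the owner of the process running the scriptlet (root under pacman), not the owner of the directory it sits in. The `chown -R --reference=` calls in post_upgrade therefore apply that owner to /etc/webapps/matomo and plugins/ instead of the administrator's earlier root:http or http:http choice, and the http group is dropped. Copy the owner onto the marker right after creating it, e.g. `chown --reference=/etc/webapps/matomo /etc/webapps/matomo/.owner.tmp`, and do the same for the plugins marker before the `mv`. The plugins marker is also parked under a fixed name in world-writable /tmp and later trusted by a root-run `chown -R`; a directory only root can write to would avoid depending on what is in /tmp at upgrade time.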