libgtop-2.40 tries to chown files in system in make install phase, ignoring DESTDIR
libgtop-2.40 for some reason now builds server and daemon on Linux too, but handling of it is completely incompatible with downstream packaging, as it doesn't consider with $DESTDIR.
So on first install or upgrade from 2.38 this happens in make install phase (with DESTDIR obviously used):
make install-exec-hook
make[4]: Entering directory '/tmp/portage/gnome-base/libgtop-2.40.0/work/libgtop-2.40.0/src/daemon'
chown root /usr/bin/libgtop_server2 && chmod 4755 /usr/bin/libgtop_server2
chown: cannot access '/usr/bin/libgtop_server2': No such file or directory
make[4]: [Makefile:781: install-exec-hook] Error 1 (ignored)
make[4]: Leaving directory '/tmp/portage/gnome-base/libgtop-2.40.0/work/libgtop-2.40.0/src/daemon'
and then if it happens to already be at 2.40, this happens instead:
make install-exec-hook
make[4]: Entering directory '/tmp/portage/gnome-base/libgtop-2.40.0/work/libgtop-2.40.0/src/daemon'
chown root /usr/bin/libgtop_server2 && chmod 4755 /usr/bin/libgtop_server2
* ACCESS DENIED: fchownat: /usr/bin/libgtop_server2
chown: changing ownership of '/usr/bin/libgtop_server2': Permission denied
make[4]: [Makefile:781: install-exec-hook] Error 1 (ignored)
make[4]: Leaving directory '/tmp/portage/gnome-base/libgtop-2.40.0/work/libgtop-2.40.0/src/daemon'
<snip>
* --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
* LOG FILE: "/var/log/sandbox/sandbox-4.log"
*
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line
F: fchownat
S: deny
P: /usr/bin/libgtop_server2
A: /usr/bin/libgtop_server2
R: /usr/bin/libgtop_server2
C: chown root /usr/bin/libgtop_server2
* --------------------------------------------------------------------------------
because the build system installing into DESTDIR has absolutely no business chown'ing an unrelated system install version.
If sandbox wouldn't have caught it, it would have simply been unnoticed and probably not working with correct executable permissions (if only installed, not reinstalled, at least).