• Bug#1068192: debian-policy: extend forbidden network access to contrib

    From Aurelien Jarno@21:1/5 to Bill Allombert on Sat Apr 6 09:51:24 2024
    XPost: linux.debian.bugs.dist

    On 2024-04-01 17:52, Bill Allombert wrote:
    > On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
    > > Package: debian-policy
    > > Version: 4.6.2.1
    > > Severity: normal
    > > X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    > > Control: affects -1 buildd.debian.org
    > >
    > > Hi,
    > >
    > > The Debian policy, section 4.9, forbids network access for packages in
    > > the main archive, which implicitly means they are authorized for
    > > packages in contrib and non-free (and non-free-firmware once #1029211 is fixed).
    > >
    > > This gives constraints on the build daemons infrastructure and also
    > > brings some security concerns. Would it be possible to extend this restriction to all archives?
    >
    > Do the build daemons actually build non-free?

    Yes, they do, though only part of non-free: only the packages that have Autobuild: yes and that have been put on an allow list after review.

    Regards
    Aurelien

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Allombert@21:1/5 to Aurelien Jarno on Sat Apr 6 09:52:07 2024
    XPost: linux.debian.bugs.dist

    On Mon, Apr 01, 2024 at 06:08:10PM +0200, Aurelien Jarno wrote:
    > On 2024-04-01 17:52, Bill Allombert wrote:
    > > On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
    > > > Package: debian-policy
    > > > Version: 4.6.2.1
    > > > Severity: normal
    > > > X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    > > > Control: affects -1 buildd.debian.org
    > > >
    > > > Hi,
    > > >
    > > > The Debian policy, section 4.9, forbids network access for packages in the main archive, which implicitly means they are authorized for
    > > > packages in contrib and non-free (and non-free-firmware once #1029211 is fixed).
    > > >
    > > > This gives constraints on the build daemons infrastructure and also brings some security concerns. Would it be possible to extend this restriction to all archives?
    > >
    > > Do the build daemons actually build non-free?
    >
    > Yes, they do, though only part of non-free: only the packages that have Autobuild: yes and that have been put on an allow list after review.

    Is your concern that a package starts to do network access during build after it has been added to the allow list?

    Do you need "Autobuild: yes" to preclude network access?

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.
