Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> Hi,
> 
> On 2024-04-03 12:37, Philipp Kern wrote:
> > Hi,
> > 
> > On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> > > On 2024-04-02 09:21, Sean Whitton wrote:
> > > > Hello,
> > > > 
> > > > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > > > 
> > > > > The debian policy, section 4.9, forbids network access for packages in
> > > > > the main archive, which implicitly means they are authorized for
> > > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > > fixed).
> > > > >
> > > > > This gives constraints on the build daemons infrastructure and also
> > > > > brings some security concerns. Would it be possible to extend this
> > > > > restriction to all archives?
> > > > 
> > > > We need to know if this is going to break existing packages and allow
> > > > some input from their maintainers.  Are you able to prepare a list of
> > > > the affected packages?
> > > 
> > > Fair enough. I can work on that, but help would be welcome as my
> > > resources are limited.
> > 
> > I did a test rebuild of contrib, non-free and non-free-firmware packages
> > in sid with both stable sbuild schroot and unshare backends and could
> > not find a difference in build success (i.e. what failed failed in both,
> > what succeeded succeeded in both).
> 
> Thanks Philipp. Following that result, please find a patch proposal: 
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,9 +338,9 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> -network access, except, via the loopback interface, to services on the
> -build host that have been started by the build.
> +Required targets must not attempt network access, except, via the
> +loopback interface, to services on the build host that have been started
> +by the build.
>  
>  Required targets must not attempt to write outside of the unpacked
>  source package tree.  There are two exceptions.  Firstly, the binary
> 
> Regards
> Aurelien

LGTM, Seconded.

> -- 
> Aurelien Jarno                          GPG: 4096R/1DDD8C9B
> aurelien@aurel32.net                     http://aurel32.net
