Re: network access during package build (was Re: Bug#759762: ITP: libz-mingw-w64 -- compression library (targeting Windows))
On Tue, Sep 02, 2014 at 01:28:13PM +0200, Thorsten Glaser wrote:
> On Mon, 1 Sep 2014, Adam Borowski wrote:
>
> > Also, should we detect all other attempts to contact the outside network,
> > and swat such builds with extreme prejudice?
>
> Yes. These can be privacy breaches, licence violations (download
> things that change what gets embedded into the packages), and
> all other sorts of nasties. There may be no network access during
> a Debian package build; the switchover is usually between installing
> the B-D and extracting the source package, at most directly after
> the latter.
>
> (I’m aware that there is still *too* much “disable the network” in
> pbuilder. Sorry for not having had the time to work on that. I’ll
> try to do so shortly.)
Could you tell us what this "too much" is?
Here's how I would do it:
unshare --net
iptables rule on !127.0.0.0/8 and !::1 -j REJECT, if after the build the
rule's counter is non-zero we fail the build
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
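As an added example (not from the thread and not pbuilder's code), the two steps proposed above wired together in a POSIX shell script: the build runs under unshare --net with a REJECT rule on everything not addressed to loopback, and a non-zero rule counter afterwards fails the build. The function names and the sample counter output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: a sketch of the check proposed above.
# The build runs in a private network namespace; a REJECT rule on anything
# not addressed to loopback both blocks and counts attempts to leave the box,
# and a non-zero counter afterwards fails the build. Function names and the
# sample counter output below are assumptions of this example.

# True (exit 0) when `iptables -L OUTPUT -v -n -x` output shows packets on
# any REJECT rule, i.e. something in the build tried to reach the network.
network_touched() {
    printf '%s\n' "$1" | awk '
        $3 == "REJECT" && $1 + 0 > 0 { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Run the build command given in "$@" under those restrictions; needs root
# for unshare --net and iptables. Usage: run_isolated_build dpkg-buildpackage -us -uc
run_isolated_build() {
    counters=$(mktemp) || return 1
    COUNTERS=$counters unshare --net sh -c '
        ip link set lo up
        # With no route at all the kernel fails the send before netfilter
        # sees a packet; a default route via lo makes every packet hit OUTPUT.
        ip route add default dev lo
        ip -6 route add default dev lo
        iptables  -A OUTPUT ! -d 127.0.0.0/8 -j REJECT
        ip6tables -A OUTPUT ! -d ::1/128     -j REJECT
        "$@"
        status=$?
        { iptables -L OUTPUT -v -n -x; ip6tables -L OUTPUT -v -n -x; } > "$COUNTERS"
        exit $status
    ' sh "$@"
    status=$?
    if network_touched "$(cat "$counters")"; then
        echo "build attempted network access, failing it" >&2
        status=1
    fi
    rm -f "$counters"
    return $status
}

# Constructed samples of `iptables -L OUTPUT -v -n -x` output, for offline use.
CLEAN='Chain OUTPUT (policy ACCEPT 3 packets, 228 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable'
DIRTY='Chain OUTPUT (policy ACCEPT 3 packets, 228 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      420 REJECT     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable'
```

The counter check is the part worth keeping even if the namespace setup differs: a build that never generates a rejected packet passes, one that does is failed regardless of whether the connection would have succeeded.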