Alternative solution (was: Re: Network access during build)
On 09/07/2016 07:17 AM, Vincent Bernat wrote:
> One of the packages that I maintain (python-asyncssh) makes a DNS request
> during build and expects it to fail. Since Policy 4.9 forbids network
> access (in a rather confusing wording "may not"), I got this serious
> bug:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
>
> The fix is easy: just disable the test.
>
> However, I have a hard time finding this useful for anyone. To sum up:
>
> - patching the test suite requires maintaining the patch forever
> - both pbuilder and sbuild are using an isolated network namespace
> - package builds reproducibly with or without network access
>
> I have the impression that enforcing every word of the policy in the
> hard sense can bring endless serious bugs. This particular occurrence
> affected about 70 packages. I appear as a bad maintainer because I don't
> feel this is an important bug.
>
> Any thoughts?
Well, the problem mentioned in the bug report is not only the
package itself, but the information leak created by the DNS
request. And I think that really is something you should fix,
because package builds should really not cause _any_ network
traffic, even if said traffic doesn't actually affect the
result of the build. I don't think this is an overly strict
interpretation of the policy, but rather its intention.
However, instead of disabling the test via a patch, there is a
solution where you can have your cake and eat it too. And it's
even in Debian. :-)
There's a piece of software called nss_wrapper, written by the
Samba people, that allows you to modify the behavior of glibc's
DNS functions (getaddrinfo, gethostbyname, ...) via an LD_PRELOAD
library:
Upstream website:
https://cwrap.org/nss_wrapper.html
Debian package:
https://packages.debian.org/unstable/libnss-wrapper
That way, you can force host name resolution to not use DNS for
your test suite (by just using a hosts file); then there will
be no network access during package build, and you don't have
to keep rebasing a patch. And, even better, IF there is a host
name called 'fail' on the local network, using nss_wrapper the
package build will still succeed.
Hope that helps.
Regards,
Christian
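An added example of the approach Christian describes (it is not code from the thread, from cwrap, or from the python-asyncssh package): host name lookups are run with libnss_wrapper.so preloaded and NSS_WRAPPER_HOSTS pointing at a private hosts file, so a name listed there resolves and a name that is not listed (the post's 'fail') is refused without any DNS packet leaving the build host. The library search paths, the name buildhost.example and the temporary file name are assumptions; the lookups are done with getent(1), which is an ordinary dynamically linked glibc program and therefore sees the same preloaded resolver that a test interpreter would.

```shell
#!/bin/sh
# Added example, not from the original thread: answer host name lookups
# from a private hosts file via nss_wrapper instead of DNS. Library paths,
# host names and the temp file name below are assumptions.
set -u

# Locate libnss_wrapper.so. Debian's libnss-wrapper package installs it in
# the multiarch libdir; as a fallback ask the dynamic linker cache.
find_nss_wrapper() {
    for p in /usr/lib/x86_64-linux-gnu/libnss_wrapper.so \
             /usr/lib/aarch64-linux-gnu/libnss_wrapper.so \
             /usr/lib64/libnss_wrapper.so \
             /usr/lib/libnss_wrapper.so; do
        if [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    p=$(/sbin/ldconfig -p 2>/dev/null | awk '/libnss_wrapper\.so/ { print $NF; exit }')
    if [ -n "$p" ] && [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    return 1
}

# Write the hosts file the build resolves against (standard /etc/hosts
# format). Only names listed here resolve; anything else fails locally,
# which is exactly what a test that "expects resolution to fail" needs.
write_hosts_file() {
    cat > "$1" <<'EOF'
127.0.0.1   localhost buildhost.example
::1         ip6-localhost
EOF
    printf '%s\n' "$1"
}

# Resolve NAME the way a wrapped test process would. Prints
# "ok <first address>" or "nxdomain"; returns 2 when nss_wrapper is not
# installed so callers skip instead of silently falling back to real DNS.
resolve_wrapped() {
    name=$1
    hosts=$2
    lib=$(find_nss_wrapper) || return 2
    if out=$(LD_PRELOAD="$lib" NSS_WRAPPER_HOSTS="$hosts" \
             getent hosts "$name" 2>/dev/null); then
        printf 'ok %s\n' "${out%% *}"
    else
        printf 'nxdomain\n'
    fi
}

# Demo: the build-local name resolves, the post's 'fail' does not, and
# neither lookup touches the network.
demo_hosts=$(write_hosts_file "${TMPDIR:-/tmp}/nss_wrapper_demo_hosts")
for name in buildhost.example fail; do
    printf '%-18s -> %s\n' "$name" \
        "$(resolve_wrapped "$name" "$demo_hosts" || echo 'skipped: libnss_wrapper.so not found')"
done
```

In a Debian package this is the same two environment variables exported around the test run in an override_dh_auto_test in debian/rules, with libnss-wrapper added to Build-Depends; no patch against the upstream test suite is needed. Two caveats worth keeping in mind: NSS_WRAPPER_HOSTS only covers the hosts database (passwd and group lookups need NSS_WRAPPER_PASSWD and NSS_WRAPPER_GROUP), and LD_PRELOAD only intercepts programs that resolve through glibc's NSS API. A statically linked binary, or a test that opens its own UDP socket to port 53 or uses a resolver library with its own DNS client, is not affected, so it is still worth confirming with a network namespace or a packet capture that the build is in fact silent.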