Re: Alternative solution
On 09/07/2016 07:43 AM, Christian Seiler wrote:
> On 09/07/2016 07:17 AM, Vincent Bernat wrote:
>> One of the packages that I maintain (python-asyncssh) makes a DNS request
>> during build and expects it to fail. Since Policy 4.9 forbids network
>> access (in a rather confusing wording "may not"), I got this serious
>> bug:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
>>
>> The fix is easy: just disable the test.
>>
>> However, I have a hard time finding this useful for anyone. To sum up:
>>
>> - patching the test suite requires maintaining the patch forever
>> - both pbuilder and sbuild are using an isolated network namespace
>> - package builds reproducibly with or without network access
>>
>> I have the impression that enforcing every word of the policy in the
>> hard sense can bring endless serious bugs. This particular occurrence
>> affected about 70 packages. I appear as a bad maintainer because I don't
>> feel this is an important bug.
>>
>> Any thoughts?
>
> Well, the problem mentioned in the bug report is not only the
> package itself, but the information leak created by the DNS
> request. And I think that really is something you should fix,
> because package builds should really not cause _any_ network
> traffic, even if said traffic doesn't actually affect the
> result of the build. I don't think this is an overly strict
> interpretation of the policy, but rather its intention.
>
> However, instead of disabling the test via a patch, there is a
> solution where you can have your cake and eat it too. And it's
> even in Debian. :-)
>
> There's a piece of software called nss_wrapper, written by the
> Samba people, that allows you to modify glibc's DNS functions'
> (getaddrinfo, gethostbyname, ...) behavior via an LD_PRELOAD
> library:
>
> Upstream website:
> https://cwrap.org/nss_wrapper.html
>
> Debian package:
> https://packages.debian.org/unstable/libnss-wrapper
>
> That way, you can force host name resolution to not use DNS for
> your test suite (via just using a hosts file), then there will
> be no network access during package build, and you don't have
> to keep rebasing a patch. And, even better, IF there is a host
> name called 'fail' on the local network, using nss_wrapper the
> package build will still succeed.
>
> Hope that helps.
>
> Regards,
> Christian
This seems like a pretty good solution to the problem. Could you show an
example in a package that does that, or maybe a patch for this kind of
bug that Lamby opened?
Cheers,
Thomas Goirand (zigo)
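In response to Thomas's request, here is an added example of the technique Christian describes. It is not code from the thread, from python-asyncssh or from the nss_wrapper project; it is a stand-alone shell script that writes a constructed hosts file, points glibc's resolver at it through LD_PRELOAD and NSS_WRAPPER_HOSTS, and then checks that a name in the file resolves while the name 'fail' does not. It assumes Debian's libnss-wrapper package is installed (the library path is looked up via the multiarch triplet, not hard-coded), and it uses getent as a stand-in for a test suite that calls getaddrinfo or gethostbyname; the hosts file contents and the name testhost are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): resolve host names from a private
# hosts file via nss_wrapper so a test suite never queries DNS.
# Assumes Debian's libnss-wrapper package; nothing here is hard-coded.
set -eu

# Locate libnss_wrapper.so via the multiarch triplet, with a plain fallback.
find_nss_wrapper() {
    triplet=$(dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null \
              || gcc -print-multiarch 2>/dev/null || true)
    for cand in "/usr/lib/$triplet/libnss_wrapper.so" /usr/lib/libnss_wrapper.so; do
        [ -e "$cand" ] && { echo "$cand"; return 0; }
    done
    return 1
}

# Write the constructed hosts file: these are the only names that resolve.
# 'fail' is deliberately absent, which is what the asyncssh test relies on.
make_hosts_file() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
127.0.0.2 testhost
EOF
}

# Run a command with glibc's resolver redirected to the hosts file.
# LD_PRELOAD and NSS_WRAPPER_HOSTS are nss_wrapper's documented knobs;
# in a Debian package these would be set in debian/rules around the test run.
wrapped() {
    LD_PRELOAD="$NSS_WRAPPER_LIB" NSS_WRAPPER_HOSTS="$NSS_WRAPPER_HOSTFILE" "$@"
}

# Print the address a name resolves to, or nothing if it does not resolve.
resolve() {
    wrapped getent hosts "$1" 2>/dev/null | awk '{print $1; exit}'
}

NSS_WRAPPER_LIB=$(find_nss_wrapper) || NSS_WRAPPER_LIB=""
NSS_WRAPPER_HOSTFILE=$(mktemp)
make_hosts_file "$NSS_WRAPPER_HOSTFILE"
trap 'rm -f "$NSS_WRAPPER_HOSTFILE"' EXIT

main() {
    if [ -z "$NSS_WRAPPER_LIB" ]; then
        echo "libnss_wrapper.so not found; install libnss-wrapper to run the demo" >&2
        return 0
    fi
    echo "testhost -> $(resolve testhost)"        # 127.0.0.2, from the hosts file
    if [ -z "$(resolve fail)" ]; then
        echo "fail -> not resolved, without consulting DNS"
    else
        echo "fail -> resolved unexpectedly" >&2
        return 1
    fi
}

main "$@"
```

The wrapper only intercepts glibc's resolver functions, so it does not cover a test suite that ships its own resolver or a statically linked helper; the check a practitioner should still do is to run the build under an empty network namespace (for instance `unshare -rn`, which is the kind of isolation pbuilder and sbuild apply) or under strace/tcpdump and confirm that nothing tries to leave the host.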