
Re: Network access during build



Hi,

Quoting Jakub Wilk (2016-09-07 19:29:05)
> * Vincent Bernat <bernat@debian.org>, 2016-09-07, 07:17:
> >both pbuilder and sbuild are using an isolated network namespace
> 
> I know about pbuilder, but [citation needed] for sbuild.

There is no out-of-the-box functionality that provides this for sbuild. There
is a workaround which uses iptables to deny the user "sbuild" any network
access:

https://wiki.debian.org/sbuild#Disabling_network_access_for_dpkg-buildpackage

But as that page says, the better solution would be to do it like pbuilder and
unshare the network namespace. Unfortunately this is not so easy because sbuild
is not to be run as root and thus cannot unshare the namespace itself. And if
it also unshared the user namespace, then it wouldn't be able to run
schroot anymore. This is what #802850 is about. So ultimately, this has to be
fixed in the chroot backends like schroot or adt-virt. The schroot bug for this
is #802849 and while an implementation seems to exist, it hasn't been part of a
schroot release yet.

Thanks!

cheers, josch
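The "unshare the network namespace" approach the mail contrasts with the iptables workaround, as an added example that is not code from the mail, from sbuild or from pbuilder. It wraps a build command in a fresh network namespace with util-linux `unshare` and then verifies from inside that namespace that no routes and no interface except `lo` exist, so a build that tries to download anything fails immediately with ENETUNREACH instead of silently fetching it. The helper names (`unshare_cmd`, `netns_supported`, `run_without_network`, the two `*_in_new_netns` probes) and the script name `netns-build.sh` are assumptions of this example; it assumes Linux with `/proc` mounted and the `unshare` binary available.

```shell
#!/bin/sh
# Added example (not from the mail, sbuild or pbuilder): run a build command
# with the network namespace unshared.
#
# Assumptions: Linux, util-linux `unshare`, /proc mounted.
# - As root, `unshare -n` is enough: a new net namespace containing only a
#   down loopback and no routes.
# - As an unprivileged user, `unshare -rn` is needed: it also unshares the
#   user namespace and maps the caller to uid 0 inside it. That is the
#   combination the mail says breaks schroot: a root-owned setuid binary from
#   outside cannot elevate inside a user namespace whose uid map does not
#   contain uid 0, so sbuild cannot do this itself and still call schroot.

# Print the unshare invocation appropriate for the caller's privileges.
unshare_cmd() {
    if [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' 'unshare -n'
    else
        printf '%s\n' 'unshare -rn'
    fi
}

# Return 0 if this kernel/container lets us create the namespaces at all
# (unprivileged user namespaces may be disabled, and the default seccomp
# profile of many container runtimes blocks unshare(2)).
netns_supported() {
    command -v unshare >/dev/null 2>&1 || return 1
    $(unshare_cmd) true >/dev/null 2>&1
}

# Run "$@" with the network namespace unshared. Exit status is the command's.
run_without_network() {
    $(unshare_cmd) "$@"
}

# Number of routes visible to a process in the fresh namespace. /proc/net is
# a symlink to /proc/self/net, so it reflects the caller's own namespace
# (unlike /sys/class/net, which stays bound to the namespace sysfs was
# mounted in). A fresh namespace has none: only the header line remains.
routes_in_new_netns() {
    run_without_network sh -c 'awk "NR > 1" /proc/net/route | wc -l' | tr -d ' '
}

# Interfaces visible in the fresh namespace: only "lo" (and it is down).
# /proc/net/dev has two header lines, then one "name:" line per interface.
interfaces_in_new_netns() {
    run_without_network sh -c 'awk -F: "NR > 2 { print \$1 }" /proc/net/dev' | tr -d ' '
}

# Example build invocation: dpkg-buildpackage would go where `true` is.
# A build step that runs wget / pip install / go get here fails, which is
# the point: the result must not depend on what the network returns.
main() {
    if ! netns_supported; then
        echo "cannot create a network namespace here (no unshare, or blocked)" >&2
        return 2
    fi
    echo "routes in build namespace:     $(routes_in_new_netns)"
    echo "interfaces in build namespace: $(interfaces_in_new_netns)"
    run_without_network sh -c 'echo "building as uid $(id -u) with no network"; true'
}

# Only run the demo when invoked as a script named netns-build.sh (assumed name).
case "$0" in
    *netns-build.sh) main "$@" ;;
esac
```

Two caveats a practitioner will hit: first, the non-root path runs the whole build inside a user namespace, so any setuid helper the build relies on (schroot being the case in the mail) stops working there, which is why the per-user iptables owner-match rule on the wiki page remains the practical workaround for sbuild itself. Second, `-n` leaves `lo` down; a test suite that binds to localhost needs `ip link set lo up` inside the namespace, which the creator of the namespace is allowed to do because it holds CAP_NET_ADMIN over it.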


