
Re: Network access during build



Guus Sliepen writes ("Re: Network access during build"):
> But should this perhaps also be enforced in our build tools? Ie, have
> dpkg-buildpackage set up an empty namespace before executing
> debian/rules? AFAIK, at the moment it's only the buildds that block
> network access. A malicious upstream could have a build process that
> only does network access when it detects that it is not running on a
> buildd or that network access is not somehow blocked.

If we do something in our build tools, the default should be to
detect attempted network accesses and fail the build if they occur,
not to silently suppress them.

This is because if we care about eliminating network accesses for the
reasons Adam explains (which I agree with), or indeed for reasons of
reliability, we want those network accesses eliminated even if the
user runs `make check' (or whatever) rather than dpkg-buildpackage, or
if they are running in an environment where the feature used for
blocking is not available, or whatever.

IOW, I think the actual tests (or whatever) that try to do network
access should be fixed in the actual source code.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
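
Added example, not part of the original message and not code from dpkg or any Debian tool: one way to detect attempted network accesses and fail, rather than silently suppress them, is to run the build or test command under strace and fail if any non-loopback connect() is attempted. The function names, the loopback exemption, and the default `make check` command are assumptions of this sketch.

```python
import ipaddress
import re
import subprocess
import sys
import tempfile

# Constructed sample of `strace -f -e trace=connect -o FILE` output.
SAMPLE = """\
4242 connect(3, {sa_family=AF_UNIX, sun_path="/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4242 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
4243 connect(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
4244 connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
"""

# connect() on an IPv4 or IPv6 socket; AF_UNIX and others do not match.
_CONNECT = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET6?,.*?'
    r'(?:inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6, "([^"]+)")'
)

def network_attempts(strace_text):
    """Return the non-loopback addresses the traced processes tried to reach.
    Failed attempts count too: a blocked connect() is still an attempt.
    Assumption: loopback is allowed. Only connect() is inspected, so
    sendto() on an unconnected socket is not covered."""
    found = []
    for line in strace_text.splitlines():
        m = _CONNECT.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(1) or m.group(2))
            if not addr.is_loopback:
                found.append(str(addr))
    return found

def run_checked(cmd):
    """Run cmd under strace; return (exit status, offending addresses)."""
    with tempfile.NamedTemporaryFile("r", suffix=".strace") as log:
        proc = subprocess.run(
            ["strace", "-f", "-e", "trace=connect", "-o", log.name] + cmd)
        attempts = network_attempts(log.read())
    # Any attempt fails the run, even if the command itself succeeded.
    return (1 if attempts else proc.returncode), attempts

if __name__ == "__main__":
    status, attempts = run_checked(sys.argv[1:] or ["make", "check"])
    for a in attempts:
        print(f"E: build attempted network access to {a}", file=sys.stderr)
    sys.exit(status)
```

Because the check looks at the attempt and not at whether the connection succeeded, it gives the same verdict inside an empty network namespace as on a machine with full connectivity.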

