Re: Network access during build

To: debian-devel@lists.debian.org
Subject: Re: Network access during build
From: Russ Allbery <rra@debian.org>
Date: Fri, 09 Sep 2016 12:53:32 -0700
Message-id: <[🔎] 8760q4q283.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20160909135742.GA24595@angband.pl> (Adam Borowski's message of "Fri, 9 Sep 2016 15:57:42 +0200")
References: <[🔎] m3inu8nva7.fsf@neo.luffy.cx> <[🔎] 1473228111@msgid.manchmal.in-ulm.de> <[🔎] 20160908221738.og7slxh4txwuo6uc@jadzia.comodo.priv.at> <[🔎] 87shta2fso.fsf@hope.eyrie.org> <[🔎] 20160908231320.GB7774@khazad-dum.debian.net> <[🔎] d90ee3db-289c-e203-585a-fe5fa3c48f2d@apache.org> <[🔎] 20160909135742.GA24595@angband.pl>

Adam Borowski <kilobyte@angband.pl> writes:

> As there's no way to distinguish such details automatically, and as
> data/privacy leaks can be quite surprising, I'd strongly prefer the
> nice, simple rule of "no attempt to access outside network, period".

> If _some_ network accesses are allowed, we can't easily spot the bad
> ones.  With the current wording of the policy, iptables ... -j LOG is
> all you need for a QA check.

> I'd amend the policy to say explicitely "localhost doesn't count as
> network, DNS lookup do".

> And DNS lookups do violate the Dissident Test.  A request of a
> package-specific hostname can be trivially logged by the target DNS
> server.  A request for a known-to-fail hostname can still be logged by
> the ISP, and certain countries (possibly even the US) do log such
> traffic.  Even one for .invalid is no better, thanks to glibc violating
> the RFC.

If you are a dissident building software in an environment where even a
DNS query might give away your activity, you seriously need to be using an
isolated container or other precautions.  It is completely unreasonable
and unrealistic to expect all Debian source packages to meet this
standard, even if we were trying (which we're not; we've had software that
does DNS queries during the build in Debian for twenty years and no one
has ever noticed before now), to a level of confidence that a dissident
with this type of safety concern would need.

Furthermore, we're talking about upstream test behavior here, and I don't
think this argument passes the sniff test for conversations with upstream.
We already have enough issues with upstream over licensing, where we've
decided that our very aggressive stance is worth the effort.  Please let's
not pick fights that *aren't* worth the effort and will cause upstream to
look at us like we're paranoid nit-pickers.  This sort of thing is really
bad for cooperation with other projects.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Network access during build
  - From: Thomas Goirand <zigo@debian.org>

References:
- Network access during build
  - From: Vincent Bernat <bernat@debian.org>
- Re: Network access during build
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Re: Network access during build
  - From: gregor herrmann <gregoa@debian.org>
- Re: Network access during build
  - From: Russ Allbery <rra@debian.org>
- Re: Network access during build
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Network access during build
  - From: Emmanuel Bourg <ebourg@apache.org>
- Re: Network access during build
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Re: Upcoming change to perl: current directory in @INC
Next by Date: Re: FTBFS with PIE & bindnow (was: Re: Porter roll call for Debian Stretch)
Previous by thread: Re: Network access during build
Next by thread: Re: Network access during build
Index(es):
- Date
- Thread