
Re: Debian and our frenemies of containers and userland repos



On Thu, Jul 25, 2019 at 2:18 PM Johannes Schauer wrote:

> But you'd have to ask somebody who is more knowledgeable about the security
> implications of such a change. There certainly is a reason why #898446 is still
> open.
>
> Furthermore, since buildds currently use the schroot backend, I guess that
> buildd admins already took all necessary precautions to secure their systems
> against arbitrary code running as part of the package build process. I do not
> know what benefit the "unshare" backend would have for buildds.

I think my mental model of what the "unshare" backend does was
incorrect. I didn't think it needed #898446 to be closed. I assumed it
was just like schroot except with the addition of moving all processes
run within the chroot into a separate network/process/mount/etc
namespace with no access to the host namespaces. The primary advantage
of this would be to isolate the build chroot from the network. Perhaps
schroot is the component that should be adding support for separate
network/process/mount/etc namespaces?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

