Re: Proposal: Amendment for section 7.7 debian policy
Russ Allbery <rra@debian.org> writes:
> Martin Zobel-Helas <zobel@ftbfs.de> writes:
>
>> i would like to propose an addendum to section 7.7 of the Debian Policy:
>>
>> | Build-Depends and Build-Depends-Indep must not depend directly or
>> | indirectly on packages which provide network services.
>
> Package maintainers have little control over what their packages depend
> on indirectly, and it can also change entirely without their knowledge.
> I think we'd have to put the burden somewhere else for that to be
> effective.
>
>> Rationale:
Isn't the bigger problem that those services might already be running
outside the chroot and the build process would get the wrong one?
>> a) Packages with no secure default configuration may expose the building
>> machine. Also network facing services may expose the system to
>> security issues.
>
> We should not have any packages in the *archive* that enable an insecure
> network service on installation. That's an RC bug in that package and
> should be dealt with that way, IMO.
>
>> b) You can not relay on the assumption that init-scripts are not called
>> within a building chroot.
>
> I think this raises a broader issue beyond just network services, namely
> what happens when packages build-depend on a package that starts a
> daemon. (For instance, packages installed on buildds are not
> necessarily removed after the build, which can leave the daemon
> running.)
>
> I suspect the easiest practical solution to this problem would be to
> refute (b) by guaranteeing that init scripts are not called within a
> building chroot, although of course we can only make that guarantee for
> our build infrastructure, not for other contributors who want to build
> Debian packages.
But that then is their problem. There is a policy-rc.d for a reason
and cdebootstrap automatically sets one.
MfG
Goswin
Reply to: