Re: Proposal: Amendment for section 7.7 debian policy
Russ Allbery <firstname.lastname@example.org> writes:
> Martin Zobel-Helas <email@example.com> writes:
>> i would like to propose an addendum to section 7.7 of the Debian Policy:
>> | Build-Depends and Build-Depends-Indep must not depend directly or
>> | indirectly on packages which provide network services.
> Package maintainers have little control over what their packages depend
> on indirectly, and it can also change entirely without their knowledge.
> I think we'd have to put the burden somewhere else for that to be
Isn't the bigger problem that those services might already be running
outside the chroot and the build process would get the wrong one?
>> a) Packages with no secure default configuration may expose the building
>> machine. Also network facing services may expose the system to
>> security issues.
> We should not have any packages in the *archive* that enable an insecure
> network service on installation. That's an RC bug in that package and
> should be dealt with that way, IMO.
>> b) You can not relay on the assumption that init-scripts are not called
>> within a building chroot.
> I think this raises a broader issue beyond just network services, namely
> what happens when packages build-depend on a package that starts a
> daemon. (For instance, packages installed on buildds are not
> necessarily removed after the build, which can leave the daemon
> I suspect the easiest practical solution to this problem would be to
> refute (b) by guaranteeing that init scripts are not called within a
> building chroot, although of course we can only make that guarantee for
> our build infrastructure, not for other contributors who want to build
> Debian packages.
But that then is their problem. There is a policy-rc.d for a reason
and cdebootstrap automatically sets one.