
Bug#813471: network access to the loopback device should be allowed



On Wed, 04 Oct 2017 at 14:09:53 +0200, Bill Allombert wrote:
> On Tue, Oct 03, 2017 at 01:00:14PM -0500, Gunnar Wolf wrote:
> > Jérémy Lal said [Tue, Oct 03, 2017 at 07:46:43PM +0200]:
> > > It might be a good idea to make policy more explicit about downloads during
> > > build.
> > 
> > I completely agree. This led me to look at #813471 ("network access to
> > the loopback device should be allowed"), and... Well, it seems to set
> > the stage for the issue we are tackling now: #813471 is opened as a
> > reaction against #770016 ("Clarify network access for building
> > packages in main").
> 
> I want to clarify that I never intended the prohibition of network access
> to apply to the loopback device, and I expect the other seconders to
> think the same, given the rationale for the change.
> 
> To my mind, using the loopback device is not performing network access.

An interesting question related to this: Is it legitimate for a package
to resolve the reserved name "localhost" during build, and assume that
it will get 127.0.0.1 and/or ::1 back? Possible answers include:

- yes, always
- yes, but only if it Build-Depends on libnss-myhostname and/or netbase
- no, and it must not attempt to resolve that name because that might
  be network access in corner cases

Similarly, can it assume it can resolve $(hostname) always, or only if
it B-D on libnss-myhostname, or never?

At the moment, schroot/sbuild is very likely to make both localhost and
$(hostname) resolvable (/etc/hosts from the host system is copied into
the chroot, and that file is not strictly guaranteed to make localhost or
$(hostname) resolvable but probably does), but pbuilder with its default
USENETWORK=no configuration does not necessarily have a hosts file or a
working resolv.conf. dbus currently FTBFS on reproducible-builds (#897662)
because one of its automated tests assumes localhost is resolvable.

I started to implement a feature in pbuilder to make it create a trivial
/etc/hosts that can resolve localhost and friends (the same as is created
by netbase.postinst) whenever it locks down resolv.conf, but then realised
that netbase isn't Essential, so it isn't completely clear whether the
resolvability of localhost is part of the basic "API" of a Debian system.

    smcv
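
The following is an added example, not part of the original message or of pbuilder/sbuild: a check a build environment or test suite could run to see whether a name such as localhost is answered by /etc/hosts alone, and whether every answer is a loopback address. It looks only at hosts(5)-format text and does not model libnss-myhostname or DNS; the function names, host name and sample file contents are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Map each name in hosts(5)-format text to the addresses listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                             # blank, comment-only, or no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table

def loopback_status(hosts_text, name):
    """Return 'unresolvable', 'loopback' or 'non-loopback' for name.

    hosts_text is None when the chroot has no /etc/hosts at all.
    """
    addrs = parse_hosts(hosts_text or "").get(name.lower(), [])
    if not addrs:
        return "unresolvable"
    return "loopback" if all(a.is_loopback for a in addrs) else "non-loopback"

# Constructed sample inputs (not taken from any real system).
COPIED_FROM_HOST = """\
127.0.0.1   localhost
127.0.1.1   buildd01.example.org buildd01   # constructed host name
::1         localhost ip6-localhost ip6-loopback
"""
NO_HOSTS_FILE = None                      # chroot without a hosts file
MISCONFIGURED = "192.0.2.10 localhost\n"  # corner case: name leaves the loopback

if __name__ == "__main__":
    samples = [("copied", COPIED_FROM_HOST), ("missing", NO_HOSTS_FILE),
               ("misconfigured", MISCONFIGURED)]
    for label, text in samples:
        print(label, {n: loopback_status(text, n) for n in ("localhost", "buildd01")})
```

A test that gets anything other than "loopback" back can skip itself or fall back to a literal 127.0.0.1 or ::1 rather than failing the build.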

