Hi, On Sat, Nov 03, 2018 at 12:38:55PM -0700, Sean Whitton wrote: > Given that whole archive rebuilds with use sbuild and already catch > packages that violate this requirement, making this change would not > declare any packages buggy that would not already be considered buggy, > so we can make it right away. That's not entirely true, I can very easily imagine stuff trying to write to $HOME but, if failing, trying elsewhere… Anyway, seconded the below, with or without Russ' amend in <[🔎] 87woptdiwa.fsf@hope.eyrie.org>. Thank you! > diff --git a/debian/changelog b/debian/changelog > index 956f367..b90ea92 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -10,6 +10,11 @@ debian-policy (4.2.2.0) UNRELEASED; urgency=medium > Seconded: Holger Levsen <holger@layer-acht.org> > Seconded: Russ Allbery <rra@debian.org> > Closes: #912581 > + * Policy: Required targets must not write outside of the source package tree > + Wording: Johannes Schauer <josch@debian.org> > + Seconded: Sean Whitton <spwhitton@spwhitton.name> > + Seconded: ... > + Closes: #845715 > * In a preexisting footnote, recommend passing -D to strip(1) when > stripping static libraries. > Thanks to Niels Thykier for the suggestion. > diff --git a/policy/ch-source.rst b/policy/ch-source.rst > index dc80243..c486e7c 100644 > --- a/policy/ch-source.rst > +++ b/policy/ch-source.rst 
> @@ -291,6 +291,16 @@ For packages in the main archive, no required targets may attempt > network access, except, via the loopback interface, to services on the > build host that have been started by the build. > > +Required targets must not attempt to write outside of the unpacked > +source package tree. An exception to this rule is the use of > +``TMPDIR`` (or ``/tmp`` if that is not set) which is permitted as long > +as temporary files are deleted by the end of the target, and not > +reused by subsequent execution of the target. This restriction is > +intended to prevent source package builds creating and depending on > +state outside of themselves, thus affecting multiple independent > +rebuilds. In particular, the required targets must not attempt to > +write into ``HOME``. > + > The targets are as follows: > > ``build`` (required) > diff --git a/policy/upgrading-checklist.rst b/policy/upgrading-checklist.rst > index 899f7e8..70b31bd 100644 > --- a/policy/upgrading-checklist.rst > +++ b/policy/upgrading-checklist.rst > @@ -52,6 +52,10 @@ Unreleased. > copyright file, but it need not be if creating and maintaining a > copy of that information involves significant time and effort > > +4.9 > + Required targets must not write outside of the unpacked source > + package tree, except for TMPDIR (or /tmp if that is not set). > + > 10.1 > Binaries should be stripped using > ``strip --strip-unneeded --remove-section=.comment --remove-section=.note`` -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
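Review bot: The debian/changelog hunk still carries the placeholder line "Seconded: ..." in the new entry. Replace it with the actual seconders before this is committed, so that the entry records who seconded the wording the same way the entry above it does.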
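Review bot: In the policy/ch-source.rst hunk, "must not attempt to write" makes the attempt itself the violation, so a tool that tries ``HOME``, fails, and then falls back to another location breaks the rule even though the build succeeds; this is the case raised in the reply above. If that is intended, say so explicitly; if only a successful write matters, drop "attempt to" in both sentences. The paragraph also leaves open whether setting ``HOME`` to a directory inside the unpacked source tree or under ``TMPDIR`` satisfies the rule. Finally, "not reused by subsequent execution of the target" does not say whether a temporary file created by one required target may be read by a different target before it is deleted. One clarifying sentence for each point would remove the ambiguity.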
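Review bot: The new 4.9 entry in policy/upgrading-checklist.rst states the ``TMPDIR`` exception without the conditions that ch-source.rst attaches to it (temporary files deleted by the end of the target and not reused by a later run), and it omits the explicit mention of ``HOME``. A maintainer reading only the checklist would conclude that any write under TMPDIR is acceptable. Suggest adding "provided temporary files are removed by the end of the target" and naming HOME as not writable.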