
Bug#1068192: debian-policy: extend forbidden network access to contrib and non-free



On 2024-04-01 18:18, Bill Allombert wrote:
> On Mon, Apr 01, 2024 at 06:08:10PM +0200, Aurelien Jarno wrote:
> > On 2024-04-01 17:52, Bill Allombert wrote:
> > > On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
> > > > Package: debian-policy
> > > > Version: 4.6.2.1
> > > > Severity: normal
> > > > X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
> > > > Control: affects -1 buildd.debian.org
> > > > 
> > > > Hi,
> > > > 
> > > > The debian policy, section 4.9, forbids network access for packages in
> > > > the main archive, which implicitly means they are authorized for
> > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > fixed).
> > > > 
> > > > This gives constraints on the build daemons infrastructure and also
> > > > brings some security concerns. Would it be possible to extend this
> > > > restriction to all archives?
> > > 
> > > Do the build daemons actually build non-free?
> > 
> > Yes, they do, though only part of non-free, only the packages that have
> > Autobuild: yes and that have been put on an allow list after review.
> 
> Is your concern that the package starts to do network access during build
> after it has been added to the allow list?

Yes, this is the security concern.

> Do you need "Autobuild: yes" to preclude network access?

Not right now, but the goal is to fully disable the network access, and
we do not want to have to special case contrib or non-free, as it just
makes things complicated.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net

