Re: Scripts that run insecurely-downloaded code

To: debian-security@lists.debian.org
Subject: Re: Scripts that run insecurely-downloaded code
From: Paul Wise <pabs@debian.org>
Date: Sat, 2 May 2020 00:53:00 +0000
Message-id: <[🔎] CAKTje6G1iTai92=rnb+SJbrA3xBMXW-HEzU0CUDA8gu46xya9g@mail.gmail.com>
In-reply-to: <[🔎] 369e1054-8c41-7d96-b7f8-44fcd987b6a5@zoho.com>
References: <[🔎] a5aded84-6cff-8ceb-6b6b-6dd88b66c4dc@zoho.com> <[🔎] 3fc09223-2566-fb68-00ab-65c277d8e86c@elstel.org> <[🔎] 369e1054-8c41-7d96-b7f8-44fcd987b6a5@zoho.com>

On Fri, May 1, 2020 at 8:18 PM Rebecca N. Palmer wrote:

> This is already policy (and enforced by blocking network access) for
> official Debian package builds: dependencies must be installed by the
> package manager, not the build script.

Correction: the debian.org buildds do not at this time block any
network access. The main issue is that schroot does not support it and
it has been orphaned and unmaintained for years. You might be thinking
of pbuilder, which does do this by default.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Scripts that run insecurely-downloaded code
  - From: estellnb@elstel.org

References:
- Scripts that run insecurely-downloaded code
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
- Re: Scripts that run insecurely-downloaded code
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: Scripts that run insecurely-downloaded code
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>

Prev by Date: Re: Scripts that run insecurely-downloaded code
Next by Date: Re: Scripts that run insecurely-downloaded code
Previous by thread: Re: Scripts that run insecurely-downloaded code
Next by thread: Re: Scripts that run insecurely-downloaded code
Index(es):
- Date
- Thread