
Re: Bug#1021390: nvda2speechd: downloads source from the network during build



Control: severity -1 serious

[ adding debian-wb-team to Cc ]

On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> Control: severity -1 important
> 
> Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > Justification: fails to build from source (but built successfully in the past)
> > 
> > During a local rebuild of contrib and non-free (w/o network access
> > permitted), I noticed
> 
> It can build the source, just not without the network. That's why it's
> in contrib, not main.

AFAIK accessing the network from the buildds is simply forbidden.

And what your package does is even worse:
It executes a script downloaded from the internet,
compromising the security of the buildds.

Whoever controls sh.rustup.rs could for example provide a special 
version of the script for Debian buildds that tries to find and
upload the private keys used on the buildds.

> Samuel

cu
Adrian
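
One way to catch the pattern raised in this thread (a build step that fetches a script and hands it to a shell) before a package reaches a buildd, as an added example that is not part of the original message or of the package. The function names, the regex heuristics and the sample rules file are assumptions made for this sketch; `example.invalid` and `fetch-deps.sh` are constructed.

```python
import re

FETCH = r"\b(?:curl|wget)\b"
PIPE_TO_SHELL = re.compile(FETCH + r"[^|;&]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b")
SAVE_TO_FILE = re.compile(FETCH + r"[^|;&]*?\s(?:-o|-O|--output)[ =]?([^\s-]\S*)")
URL = re.compile(r"https?://[^\s'\"|;)]+")

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations folded."""
    buf, start = "", None
    for number, line in enumerate(text.splitlines(), 1):
        start = start or number
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def find_remote_exec(text):
    """Return [(line, kind, url)] for fetched content that reaches a shell."""
    findings, saved = [], {}          # saved: local file name -> source URL
    for number, line in logical_lines(text):
        code = line.split("#", 1)[0]  # ignore comments (heuristic)
        match = URL.search(code)
        url = match.group(0) if match else "?"
        for name, source in saved.items():  # an earlier download being run
            ran = re.search(r"(?:\b(?:ba|da|z)?sh\s+|\./)" + re.escape(name) + r"(?!\S)", code)
            if ran:
                findings.append((number, "download-then-execute", source))
        if PIPE_TO_SHELL.search(code):
            findings.append((number, "pipe-to-shell", url))
        saved_to = SAVE_TO_FILE.search(code)
        if saved_to:
            saved[re.sub(r"^\./", "", saved_to.group(1))] = url
    return findings

# Constructed sample input, not the real debian/rules of any package.
SAMPLE = """#!/usr/bin/make -f
override_dh_auto_configure:
    curl --proto '=https' --tlsv1.2 -sSf \\
        https://sh.rustup.rs | sh -s -- -y
    wget -q -O fetch-deps.sh https://example.invalid/fetch-deps.sh
    sh fetch-deps.sh
override_dh_auto_build:
    cargo build --release
"""
```

The scan is a lint-level heuristic for review or CI; building with network access disabled, as in the rebuild quoted above, remains the authoritative check.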

