Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Holger Levsen
On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> Thanks Philipp. Following that result, please find a patch proposal: 
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,9 +338,9 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> -network access, except, via the loopback interface, to services on the
> -build host that have been started by the build.
> +Required targets must not attempt network access, except, via the
> +loopback interface, to services on the build host that have been started
> +by the build.
>  
>  Required targets must not attempt to write outside of the unpacked
>  source package tree.  There are two exceptions.  Firstly, the binary

Thanks, this looks good to me as well. Seconded.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bananas are berries.




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Russ Allbery
Tobias Frost  writes:
> On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:

>> Thanks Philipp. Following that result, please find a patch proposal: 
>> 
>> --- a/policy/ch-source.rst
>> +++ b/policy/ch-source.rst
>> @@ -338,9 +338,9 @@
>>  For example, the build target should pass ``--disable-silent-rules``
>>  to any configure scripts.  See also :ref:`s-binaries`.
>>  
>> -For packages in the main archive, required targets must not attempt
>> -network access, except, via the loopback interface, to services on the
>> -build host that have been started by the build.
>> +Required targets must not attempt network access, except, via the
>> +loopback interface, to services on the build host that have been started
>> +by the build.
>>  
>>  Required targets must not attempt to write outside of the unpacked
>>  source package tree.  There are two exceptions.  Firstly, the binary

> LGTM, Seconded.

Also looks good to me.  Seconded.

-- 
Russ Allbery (r...@debian.org)  



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Tobias Frost
On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> Hi,
> 
> On 2024-04-03 12:37, Philipp Kern wrote:
> > Hi,
> > 
> > On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> > > On 2024-04-02 09:21, Sean Whitton wrote:
> > > > Hello,
> > > > 
> > > > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > > > 
> > > > > The Debian Policy, section 4.9, forbids network access for packages in
> > > > > the main archive, which implicitly means they are authorized for
> > > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > > fixed).
> > > > >
> > > > > This places constraints on the build daemon infrastructure and also
> > > > > brings some security concerns. Would it be possible to extend this
> > > > > restriction to all archives?
> > > > 
> > > > We need to know if this is going to break existing packages and allow
> > > > some input from their maintainers.  Are you able to prepare a list of
> > > > the affected packages?
> > > 
> > > Fair enough. I can work on that, but help would be welcome as my
> > > resources are limited.
> > 
> > I did a test rebuild of contrib, non-free and non-free-firmware packages
> > in sid with both stable sbuild schroot and unshare backends and could
> > not find a difference in build success (i.e. what failed failed in both,
> > what succeeded succeeded in both).
> 
> Thanks Philipp. Following that result, please find a patch proposal: 
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,9 +338,9 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> -network access, except, via the loopback interface, to services on the
> -build host that have been started by the build.
> +Required targets must not attempt network access, except, via the
> +loopback interface, to services on the build host that have been started
> +by the build.
>  
>  Required targets must not attempt to write outside of the unpacked
>  source package tree.  There are two exceptions.  Firstly, the binary
> 
> Regards
> Aurelien

LGTM, Seconded.

> -- 
> Aurelien Jarno  GPG: 4096R/1DDD8C9B
> aurel...@aurel32.net http://aurel32.net






Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-03 Thread Aurelien Jarno
Hi,

On 2024-04-03 12:37, Philipp Kern wrote:
> Hi,
> 
> On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> > On 2024-04-02 09:21, Sean Whitton wrote:
> > > Hello,
> > > 
> > > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > > 
> > > > The Debian Policy, section 4.9, forbids network access for packages in
> > > > the main archive, which implicitly means they are authorized for
> > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > fixed).
> > > >
> > > > This places constraints on the build daemon infrastructure and also
> > > > brings some security concerns. Would it be possible to extend this
> > > > restriction to all archives?
> > > 
> > > We need to know if this is going to break existing packages and allow
> > > some input from their maintainers.  Are you able to prepare a list of
> > > the affected packages?
> > 
> > Fair enough. I can work on that, but help would be welcome as my
> > resources are limited.
> 
> I did a test rebuild of contrib, non-free and non-free-firmware packages
> in sid with both stable sbuild schroot and unshare backends and could
> not find a difference in build success (i.e. what failed failed in both,
> what succeeded succeeded in both).

Thanks Philipp. Following that result, please find a patch proposal: 

--- a/policy/ch-source.rst
+++ b/policy/ch-source.rst
@@ -338,9 +338,9 @@
 For example, the build target should pass ``--disable-silent-rules``
 to any configure scripts.  See also :ref:`s-binaries`.
 
-For packages in the main archive, required targets must not attempt
-network access, except, via the loopback interface, to services on the
-build host that have been started by the build.
+Required targets must not attempt network access, except, via the
+loopback interface, to services on the build host that have been started
+by the build.
 
 Required targets must not attempt to write outside of the unpacked
 source package tree.  There are two exceptions.  Firstly, the binary
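
Review bot: the replacement sentence in this hunk widens the rule from main to every archive component, but it says so only by omission, so a reader of the new text cannot tell that contrib, non-free and non-free-firmware packages were previously unconstrained; since the surrounding paragraph is unchanged, consider making the scope explicit, e.g. "Required targets must not attempt network access, whatever archive component the package belongs to, except ...", or at least recording the widening and its rationale (the buildd constraints and the security concern raised at the top of this bug) wherever policy changes are summarised. The loopback exception is carried over with its awkward comma placement ("except, via the loopback interface, to services"); "except for connections over the loopback interface to services on the build host that the build itself started" reads more plainly without changing the meaning. The evidence that the widening breaks nothing is Philipp's sid rebuild of the three components under both the schroot and unshare sbuild backends, and Bill's alternative of keying the restriction on "Autobuild: yes" was not taken up; both deserve a sentence next to the change so the decision stays traceable.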

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-03 Thread Bill Allombert
On Tue, Apr 02, 2024 at 09:21:02AM +0800, Sean Whitton wrote:
> Hello,
> 
> On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> 
> > Package: debian-policy
> > Version: 4.6.2.1
> > Severity: normal
> > X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> > Control: affects -1 buildd.debian.org
> >
> > Hi,
> >
> > The Debian Policy, section 4.9, forbids network access for packages in
> > the main archive, which implicitly means they are authorized for
> > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > fixed).
> >
> > This places constraints on the build daemon infrastructure and also
> > brings some security concerns. Would it be possible to extend this
> > restriction to all archives?
> 
> We need to know if this is going to break existing packages and allow
> some input from their maintainers.  Are you able to prepare a list of
> the affected packages?

What I suggested was that "Autobuild: yes" imply no network access.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-03 Thread Philipp Kern
Hi,

On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> On 2024-04-02 09:21, Sean Whitton wrote:
> > Hello,
> > 
> > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > 
> > > The Debian Policy, section 4.9, forbids network access for packages in
> > > the main archive, which implicitly means they are authorized for
> > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > fixed).
> > >
> > > This places constraints on the build daemon infrastructure and also
> > > brings some security concerns. Would it be possible to extend this
> > > restriction to all archives?
> > 
> > We need to know if this is going to break existing packages and allow
> > some input from their maintainers.  Are you able to prepare a list of
> > the affected packages?
> 
> Fair enough. I can work on that, but help would be welcome as my
> resources are limited.

I did a test rebuild of contrib, non-free and non-free-firmware packages
in sid with both stable sbuild schroot and unshare backends and could
not find a difference in build success (i.e. what failed failed in both,
what succeeded succeeded in both).

Kind regards
Philipp Kern
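
Philipp's rebuild above compared sbuild's schroot and unshare backends across the whole of contrib, non-free and non-free-firmware. As an added illustration for this page (not code from the bug thread, debian-policy or sbuild), the POSIX shell helper below applies the same constraint to a single build with util-linux unshare(1): the build runs in a private network namespace whose only interface is loopback, which is exactly what the generalised Policy text permits. It assumes unprivileged user namespaces are enabled in the kernel, that iproute2's ip(8) is present, and that build-dependencies are already installed; the script name and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread; not code from debian-policy, sbuild or any
# of the posters. It applies, to a single build, the constraint the patch
# generalises to every archive component: required targets get no network
# beyond loopback services the build starts itself.
#
# Assumptions (all this example's own): util-linux unshare(1) with
# unprivileged user namespaces enabled in the kernel, iproute2 ip(8) on
# PATH, and build-dependencies already installed, because apt cannot fetch
# anything once the network is gone.

# netns_available: succeed only if this host lets an unprivileged user
# create a user+network namespace. Container runtimes frequently block
# this (for example through a seccomp profile); the check must then run on
# a host that allows it rather than silently fall back to a networked build.
netns_available() {
    unshare -r -n true 2>/dev/null
}

# run_offline CMD [ARG...]: run CMD in a fresh network namespace.
# -r maps the caller to root inside the namespace, which is what permits
# raising lo. A fresh namespace holds only a *downed* lo; bringing it up is
# what keeps the Policy's loopback exception usable, otherwise a build that
# starts a local test server fails for a reason unrelated to the rule.
# No other interface, route or resolver is reachable, so any outbound
# connect fails at once (typically ENETUNREACH) instead of hanging.
run_offline() {
    unshare -r -n sh -c 'ip link set lo up 2>/dev/null || true; exec "$@"' sh "$@"
}

# classify_exit STATUS: turn an offline build's exit status into a verdict.
# A non-zero status needs a human look: it may be a genuine network
# dependency or an unrelated FTBFS.
classify_exit() {
    if [ "$1" -eq 0 ]; then
        echo compliant
    else
        echo needs-network-or-broken
    fi
}

# check_offline_build DIR: build the unpacked source in DIR with the
# network removed and print the verdict.
check_offline_build() {
    if ( cd "$1" && run_offline dpkg-buildpackage -us -uc -b ); then
        classify_exit 0
    else
        classify_exit $?
    fi
}

# Usage: check-offline.sh /path/to/unpacked-source
if [ -n "$1" ]; then
    if netns_available; then
        check_offline_build "$1"
    else
        echo "cannot create a network namespace here; run on a host that allows it" >&2
        exit 2
    fi
fi
```

The detail worth remembering is that a fresh network namespace has lo administratively down: without the `ip link set lo up` step a build that starts a local test server fails for a reason unrelated to the Policy rule, and the check reports a false positive.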



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-01 Thread Aurelien Jarno
Hi,

On 2024-04-02 09:21, Sean Whitton wrote:
> Hello,
> 
> On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> 
> > Package: debian-policy
> > Version: 4.6.2.1
> > Severity: normal
> > X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> > Control: affects -1 buildd.debian.org
> >
> > Hi,
> >
> > The Debian Policy, section 4.9, forbids network access for packages in
> > the main archive, which implicitly means they are authorized for
> > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > fixed).
> >
> > This places constraints on the build daemon infrastructure and also
> > brings some security concerns. Would it be possible to extend this
> > restriction to all archives?
> 
> We need to know if this is going to break existing packages and allow
> some input from their maintainers.  Are you able to prepare a list of
> the affected packages?

Fair enough. I can work on that, but help would be welcome as my
resources are limited.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-01 Thread Sean Whitton
Hello,

On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

> Package: debian-policy
> Version: 4.6.2.1
> Severity: normal
> X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> Control: affects -1 buildd.debian.org
>
> Hi,
>
> The Debian Policy, section 4.9, forbids network access for packages in
> the main archive, which implicitly means they are authorized for
> packages in contrib and non-free (and non-free-firmware once #1029211 is
> fixed).
>
> This places constraints on the build daemon infrastructure and also
> brings some security concerns. Would it be possible to extend this
> restriction to all archives?

We need to know if this is going to break existing packages and allow
some input from their maintainers.  Are you able to prepare a list of
the affected packages?

-- 
Sean Whitton



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-01 Thread Ansgar 
Hi,

On Mon, 2024-04-01 at 17:52 +0200, Bill Allombert wrote:
> On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
> > This places constraints on the build daemon infrastructure and also
> > brings some security concerns. Would it be possible to extend this
> > restriction to all archives?
> 
> Do the build daemons actually build non-free?

Yes: allowlisted non-free packages get built on buildds.

Not allowing network access for contrib and non-free as well seems
reasonable to me.

Ansgar



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-01 Thread Bill Allombert
On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
> Package: debian-policy
> Version: 4.6.2.1
> Severity: normal
> X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> Control: affects -1 buildd.debian.org
> 
> Hi,
> 
> The Debian Policy, section 4.9, forbids network access for packages in
> the main archive, which implicitly means they are authorized for
> packages in contrib and non-free (and non-free-firmware once #1029211 is
> fixed).
> 
> This places constraints on the build daemon infrastructure and also
> brings some security concerns. Would it be possible to extend this
> restriction to all archives?

Do the build daemons actually build non-free?

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-01 Thread Aurelien Jarno
Package: debian-policy
Version: 4.6.2.1
Severity: normal
X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
Control: affects -1 buildd.debian.org

Hi,

The Debian Policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This places constraints on the build daemon infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

Regards,
Aurelien