Bug#942051: debian-policy: [4.9] requirement to write only to /tmp, /var/tmp, ${TMPDIR} is too strict

2019-10-10 Thread Bastian Blank
On Wed, Oct 09, 2019 at 05:51:53PM +0200, Ansgar Burchardt wrote:
> While checking the upgrade checklist I noticed this new requirement:
> +---
> | 4.9
> |Required targets must not write outside of the unpacked source
> |package tree, except for TMPDIR, /tmp and /var/tmp.
> +---
> The wording is a bit too strict and should be relaxed.  There are
> other paths that should be fine to be written to during the build
> process, for example /dev/shm, /run/lock[1], or possibly anything
> below /proc/ for processes spawned by the build process.

Why do you think package builds should be allowed to use /run/lock?  It
records system state.

The use of /dev/shm is an implementation detail of the shm
implementation in libc.  I don't think using the shm stuff counts as
writing.

If you take the strict approach, then writing to stdout and stderr would
be forbidden as well.

Regards,
Bastian

-- 
Ahead warp factor one, Mr. Sulu.



2019-10-10 Thread Bill Allombert
On Wed, Oct 09, 2019 at 05:30:51PM +0100, Simon McVittie wrote:
> On Wed, 09 Oct 2019 at 18:08:09 +0200, Bill Allombert wrote:
> > On Wed, Oct 09, 2019 at 05:51:53PM +0200, Ansgar Burchardt wrote:
> > > There are
> > > other paths that should be fine to be written to during the build
> > > process, for example /dev/shm
> > 
> > Do you have examples of packages that do that?
> 
> Anything that uses the POSIX shared memory API (shm_open()), and notably
> anything that is built using fakeroot with its default fakeroot-sysv
> backend.

fakeroot is not started by debian/rules so this is outside the scope of
this policy.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



2019-10-10 Thread Simon McVittie
On Wed, 09 Oct 2019 at 17:51:53 +0200, Ansgar Burchardt wrote:
> +---
> | 4.9
> |Required targets must not write outside of the unpacked source
> |package tree, except for TMPDIR, /tmp and /var/tmp.
> +---

If you are interested in this sort of thing, 
is perhaps also relevant.

smcv



2019-10-09 Thread Simon McVittie
On Wed, 09 Oct 2019 at 18:08:09 +0200, Bill Allombert wrote:
> On Wed, Oct 09, 2019 at 05:51:53PM +0200, Ansgar Burchardt wrote:
> > There are
> > other paths that should be fine to be written to during the build
> > process, for example /dev/shm
> 
> Do you have examples of packages that do that?

Anything that uses the POSIX shared memory API (shm_open()), and notably
anything that is built using fakeroot with its default fakeroot-sysv
backend.

smcv



2019-10-09 Thread Bill Allombert
On Wed, Oct 09, 2019 at 05:51:53PM +0200, Ansgar Burchardt wrote:
> Package: debian-policy
> Version: 4.4.1.1
> Severity: minor
> 
> While checking the upgrade checklist I noticed this new requirement:
> 
> +---
> | 4.9
> |Required targets must not write outside of the unpacked source
> |package tree, except for TMPDIR, /tmp and /var/tmp.
> +---
> 
> The wording is a bit too strict and should be relaxed.  There are
> other paths that should be fine to be written to during the build
> process, for example /dev/shm, /run/lock[1], or possibly anything
> below /proc/ for processes spawned by the build process.

Hello Ansgar,

Do you have examples of packages that do that?

(FWIW I do not consider writing to /proc/pid to be writing.
This is the same issue as with using localhost and network access.)

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



2019-10-09 Thread Ansgar Burchardt
Package: debian-policy
Version: 4.4.1.1
Severity: minor

While checking the upgrade checklist I noticed this new requirement:

+---
| 4.9
|Required targets must not write outside of the unpacked source
|package tree, except for TMPDIR, /tmp and /var/tmp.
+---

The wording is a bit too strict and should be relaxed.  There are
other paths that should be fine to be written to during the build
process, for example /dev/shm, /run/lock[1], or possibly anything
below /proc/ for processes spawned by the build process.

Ansgar

  [1] Which I noticed is world-writable which I'm not sure should be
  as users could then fill /run...  Note that /run/user/ has
  separate filesystems to avoid this problem; but then there are
  many paths below /run writable by service users which can cause
  the same problems.
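
The 4.9 wording quoted in this thread, applied literally to a list of written paths, as an added example that is not part of any message above or of any Debian tool. The source tree location, the TMPDIR value and the sample paths are constructed assumptions; the check is purely lexical and does not follow symlinks.

```python
import posixpath
from pathlib import PurePosixPath

# Directories the 4.9 wording permits besides the unpacked source tree.
FIXED_ROOTS = ("/tmp", "/var/tmp")

def allowed_roots(source_tree, tmpdir=None):
    """Return the normalised directories a required target may write below."""
    roots = [source_tree, *FIXED_ROOTS]
    if tmpdir:
        roots.append(tmpdir)
    return [PurePosixPath(posixpath.normpath(r)) for r in roots]

def is_allowed(path, roots, cwd):
    """Relative paths resolve against cwd and '..' is collapsed first.
    Symlinks are not followed, so the result is lexical only."""
    p = PurePosixPath(posixpath.normpath(posixpath.join(cwd, path)))
    # Compare whole components so /tmpfiles is not treated as being under /tmp.
    return any(p == r or r in p.parents for r in roots)

def violations(written, source_tree, tmpdir=None):
    """Paths from `written` that fall outside every allowed root."""
    roots = allowed_roots(source_tree, tmpdir)
    return [w for w in written if not is_allowed(w, roots, source_tree)]

# Constructed sample: hypothetical build location and written paths.
SOURCE_TREE = "/build/hello-1.0"
TMPDIR = "/build/tmpdir"
WRITTEN = [
    "debian/tmp/usr/bin/hello",                      # relative, inside the tree
    "/tmp/cc1abc.o",
    "/var/tmp/build.log",
    "/build/tmpdir/scratch",                         # below TMPDIR
    "/build/hello-1.0/../hello-1.0.orig/patched.c",  # escapes the tree via '..'
    "/tmpfiles/cache",                               # shares a prefix with /tmp only
    "/dev/shm/sem.build",                            # paths raised in the thread
    "/run/lock/build.lock",
    "/proc/self/oom_score_adj",
]

if __name__ == "__main__":
    for path in violations(WRITTEN, SOURCE_TREE, TMPDIR):
        print("outside allowed roots:", path)
```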