Your message dated Wed, 9 Sep 2020 15:58:18 +0200
with message-id <[email protected]>
and subject line Re: Bug#969084: buildd.d.o: please don't use a tainted buildenv
has caused the Debian Bug report #969084,
regarding buildd.d.o: please don't use a tainted buildenv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
969084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: buildd.debian.org
Severity: wishlist
User: [email protected]
Usertags: environment

Dear buildd maintainers,

for a while now dpkg has added a small note to a .buildinfo if /usr/local/sbin
is populated (which I'm not sure I agree is sensible, but it's what dpkg
currently does), e.g.

holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$
 rgrep Build-Tainted-By: 08/ |wc -l
35473
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$
 find 08 -name "*.buildinfo" | wc -l
37182

so almost all .buildinfo files from August 2020 are tainted.

(profitbricks7 is hosting https://buildinfos.debian.net if you want to check
for yourself easily.)

So how are they tainted:

holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$
 grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
Build-Tainted-By:
 usr-local-has-programs
Installed-Build-Depends:


And then, also, not all .buildinfo files are tainted by "usr-local-has-programs"
because
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$
 rgrep usr-local-has-programs 08/ |wc -l
35017

(But I guess that's probably material for another bug report.)

Any chance the Debian buildds could not have a tainted /usr/local?


Thanks for maintaining all these buildds!

-- 
cheers,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

"There's no glory in prevention." (Christian Drosten)



--- End Message ---
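The counting Holger does above with rgrep treats the whole file as flat text. As an added example (not part of the bug report or of Debian's tooling), the following POSIX shell script parses the Build-Tainted-By field the way a .buildinfo is actually structured, as an RFC822-style multi-line field whose reasons sit on leading-whitespace continuation lines, and tallies the reasons across a directory tree. The sample corpus it writes to a temporary directory is constructed for the example and is not real buildd output; the taint reason names used in it are the ones that appear in this thread.

```shell
#!/bin/sh
# Added example: parse Build-Tainted-By from .buildinfo files and tally reasons.
# The sample files below are constructed, not copied from any real buildd.

# Print the taint reasons from one .buildinfo file, one per line.
# Reasons are on continuation lines (leading whitespace) that follow the
# "Build-Tainted-By:" line, up to the next "Field:" line.
buildinfo_taint_reasons() {
    awk '
        /^Build-Tainted-By:/ { infield = 1; sub(/^Build-Tainted-By:[ \t]*/, "")
                               if ($0 != "") print; next }
        infield && /^[ \t]/  { sub(/^[ \t]+/, ""); if ($0 != "") print; next }
        { infield = 0 }
    ' "$1"
}

# Count how many .buildinfo files below a directory carry at least one reason.
tainted_count() {
    find "$1" -name '*.buildinfo' | while read -r f; do
        if [ -n "$(buildinfo_taint_reasons "$f")" ]; then echo "$f"; fi
    done | wc -l | tr -d ' '
}

# Tally reasons across all files as "<count> <reason>", most common first.
taint_summary() {
    find "$1" -name '*.buildinfo' | while read -r f; do
        buildinfo_taint_reasons "$f"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample corpus in a temporary directory; prints its path.
make_sample_corpus() {
    dir=$(mktemp -d)
    cat > "$dir/a_1.0-1_amd64-buildd.buildinfo" <<'EOF'
Format: 1.0
Source: a
Build-Tainted-By:
 usr-local-has-programs
Installed-Build-Depends:
 base-files (= 11),
EOF
    cat > "$dir/b_2.0-1_amd64-buildd.buildinfo" <<'EOF'
Format: 1.0
Source: b
Build-Tainted-By:
 usr-local-has-programs
 merged-usr-via-symlinks
Installed-Build-Depends:
 base-files (= 11),
EOF
    cat > "$dir/c_3.0-1_amd64-buildd.buildinfo" <<'EOF'
Format: 1.0
Source: c
Installed-Build-Depends:
 base-files (= 11),
EOF
    echo "$dir"
}

# Stand-alone demonstration on the constructed corpus.
corpus=$(make_sample_corpus)
echo "tainted files: $(tainted_count "$corpus") of $(find "$corpus" -name '*.buildinfo' | wc -l | tr -d ' ')"
taint_summary "$corpus"
rm -rf "$corpus"
```

Pointing taint_summary at a real mirror of buildinfo files (such as one month of the tree Holger quotes) gives the per-reason breakdown his second rgrep hints at, rather than only the total.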
--- Begin Message ---
On 2020-09-09 11:01, Aurelien Jarno wrote:
> Hi,
> 
> On 2020-09-09 08:33, Holger Levsen wrote:
> > control: tags -1 patch
> > 
> > On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> > >     https://tracker.debian.org/pkg/policy-rcd-declarative
> > > is a good solution to this: install that package, then instead of
> > > dropping that file into /usr/local/sbin/policy-rc.d, do
> > >     echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
> 
> Thanks a lot Mattia for the solution. It's just a pity that this
> package is not in (old)stable, so that we need to special case the way
> we create the chroots.
> 
> > > That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> > > which I suppose is a good compromise.
> > 
> > awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.
> 
> Well I would say that we have a solution but not yet the patch, but
> anyway I'll plan to work on writing a patch in the next days.
> 

I have just pushed:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/abacce72bdc2417961cab2704ef3881f6d15d654

That should be effective the next time the chroots are regenerated
(tonight).

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                 http://www.aurel32.net



--- End Message ---
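To see why the switch to policy-rcd-declarative removes the taint, here is an added shell example (not from this thread and not the dsa-puppet change linked above) that reproduces the check behind the usr-local-has-programs reason and contrasts the two ways of installing the deny policy in a chroot. It assumes dpkg flags usr-local-has-programs when /usr/local/bin or /usr/local/sbin contains any file; the directory tree it works on is a throwaway temporary directory, and writing the conffile does not by itself install the policy-rcd-declarative package, which the real chroot still needs.

```shell
#!/bin/sh
# Added example: preflight check of a chroot for the usr-local-has-programs
# taint, plus the legacy and declarative ways of denying service starts.
# Assumption: dpkg reports usr-local-has-programs when /usr/local/bin or
# /usr/local/sbin holds any file; that is the check reproduced here.

# Return 0 if ROOT/usr/local/{bin,sbin} hold no files, 1 otherwise.
usr_local_programs_clean() {
    root=$1
    for d in usr/local/bin usr/local/sbin; do
        if [ -d "$root/$d" ] && [ -n "$(find "$root/$d" -mindepth 1 | head -n 1)" ]; then
            echo "tainted: $root/$d is not empty" >&2
            return 1
        fi
    done
    return 0
}

# Legacy approach from the thread: a policy-rc.d script dropped into
# /usr/local/sbin, which is exactly what dpkg's check notices.
install_legacy_policy_rcd() {
    mkdir -p "$1/usr/local/sbin"
    printf '#!/bin/sh\nexit 101\n' > "$1/usr/local/sbin/policy-rc.d"
    chmod 755 "$1/usr/local/sbin/policy-rc.d"
}

# Declarative approach: the deny-all rule from the thread, written as a
# conffile for policy-rcd-declarative (the package must be installed separately).
install_declarative_policy() {
    mkdir -p "$1/etc/service-policy.d"
    echo ".* .* deny" > "$1/etc/service-policy.d/00-buildd-deny-all"
}

# Stand-alone demonstration on a throwaway directory tree.
demo_root=$(mktemp -d)
install_legacy_policy_rcd "$demo_root"
usr_local_programs_clean "$demo_root" || echo "legacy policy-rc.d would taint the .buildinfo"
rm -rf "$demo_root/usr/local"
install_declarative_policy "$demo_root"
usr_local_programs_clean "$demo_root" && echo "declarative policy leaves /usr/local clean"
rm -rf "$demo_root"
```

Running usr_local_programs_clean against the root of a freshly regenerated build chroot is a quick way to confirm the change took effect before the next batch of .buildinfo files is produced.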