On Thu, Jan 29, 2026 at 05:11:06PM +0000, Simon McVittie wrote: > > [Is it] a bug in schroot at all that it copies some files via the > > nssdatabases mechanism? > > Yes and no. It's schroot working as designed, but for the use-case where you > are using sbuild to get a clean, predictable, reproducible environment for > doing builds, it could be argued that it's a bug in sbuild and it shouldn't > be letting this implementation detail of the host leak into the > chroot/container. The unshare backend is the solution for this maybe-bug.
Well, the unshare backend is indeed my default mode of building packages these days, and I only use the old schroot backend occasionally, as it helps me to catch things that otherwise would remain hidden. For example, when I build packages in the "future" (to ensure that they will build in the next stable at least for 3 years), I still use the old backend, because this way packages trying to access Internet using https are more likely to fail when they see that the certificates are expired. I could also use unshare + allowing internet access, but have not had time to change my scripts for that. Regarding nocheck build profile, this bug shows that it would be better indeed to use the unshare backend, so I'll add that to my todo list. Thanks a lot.
