On Tue, Sep 02, 2014 at 01:28:13PM +0200, Thorsten Glaser wrote:
On Mon, 1 Sep 2014, Adam Borowski wrote:
>> Also, should we detect all other attempts to contact the outside network,
>> and swat such builds with extreme prejudice?
> Yes. These can be privacy breaches, licence violations (download
> things that change what gets embedded into the packages), and
> all other sorts of nasties. There may be no network access during
> a Debian package build; the switchover is usually between installing
> the B-D and extracting the source package, at most directly after
> the latter.
> (I’m aware that there is still *too* much “disable the network” in
> pbuilder. Sorry for not having had the time to work on that. I’ll
> try to do so shortly.)
Could you tell us what this “too much” is?
Here's how I would do it:
unshare --net
iptables rule on !127.0.0.0/8 and !::1 -j REJECT; if after the build the
rule's counter is non-zero, we fail the build
--
// If you believe in so-called intellectual property, please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
Archive: https://lists.debian.org/20140902121305.ga14...@angband.pl
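The two-step scheme Adam sketches above (a private network namespace plus a counting REJECT rule, failing the build if the counter moved) as an added example script; it is not code from the thread, from pbuilder or from any Debian tool. It assumes root or a user namespace for `unshare --net` and iptables, and that `awk` is present; the two listings at the top are constructed sample output of `iptables -L OUTPUT -v -n -x`, embedded so the counter parsing can be exercised without a real build.

```shell
#!/bin/sh
# Added example, not from the thread. Two pieces:
#  1. reject_packets: sum the packet counters of REJECT rules in an
#     `iptables -L ... -v -n -x` listing read from stdin.
#  2. run_isolated_build: run a build command in a fresh network namespace
#     where only loopback is reachable, count attempts to talk to anything
#     else, and fail the build if that count is non-zero.
# A fresh namespace has no route to the outside anyway; the REJECT rule is
# what lets us tell "tried and was blocked" apart from "never tried".

# Constructed sample listing (IPv4 + IPv6 chains): 3 + 1 rejected packets.
SAMPLE_LISTING=$(cat <<'EOF'
Chain OUTPUT (policy ACCEPT 15 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3       180 REJECT     all  --  *      *      0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       104 REJECT     all      *      *       ::/0                !::1                 reject-with icmp6-port-unreachable
EOF
)

# Constructed sample listing where nothing was rejected.
CLEAN_LISTING=$(cat <<'EOF'
Chain OUTPUT (policy ACCEPT 15 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 REJECT     all  --  *      *      0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 REJECT     all      *      *       ::/0                !::1                 reject-with icmp6-port-unreachable
EOF
)

# Sum the first column (pkts) of every line whose target (third column) is
# REJECT. Header and "Chain" lines have something else in column three, so
# they are skipped; "+ 0" forces a numeric 0 when there were no rules.
reject_packets() {
    awk '$3 == "REJECT" { sum += $1 } END { print sum + 0 }'
}

# Run "$@" (e.g. dpkg-buildpackage -us -uc) inside a new network namespace.
# Counters in the new namespace start at zero, so no reset is needed.
# Returns the build's own status, or 1 if any non-loopback packet was seen.
run_isolated_build() {
    listing=$(mktemp) || return 1
    # The inner shell sets up lo and the rules, runs the build, then dumps
    # the counters to the file named in $1 before the namespace goes away.
    unshare --net sh -c '
        out="$1"; shift
        ip link set lo up || exit 1
        iptables  -A OUTPUT ! -d 127.0.0.0/8 -j REJECT || exit 1
        ip6tables -A OUTPUT ! -d ::1         -j REJECT || exit 1
        "$@"
        status=$?
        { iptables -L OUTPUT -v -n -x; ip6tables -L OUTPUT -v -n -x; } > "$out"
        exit "$status"
    ' sh "$listing" "$@"
    build_status=$?
    hits=$(reject_packets < "$listing")
    rm -f "$listing"
    if [ "$hits" -ne 0 ]; then
        echo "build attempted $hits non-loopback packet(s); failing the build" >&2
        return 1
    fi
    return "$build_status"
}

# Usage (needs privileges):  run_isolated_build dpkg-buildpackage -us -uc
```

Counting on the REJECT rule rather than inspecting logs keeps the check cheap and deterministic; a build that resolves a hostname or opens one TCP connection bumps the counter even though the packet never leaves the namespace.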