Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free
Hi,

On 2024-04-03 12:37, Philipp Kern wrote:
> Hi,
>
> On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> > On 2024-04-02 09:21, Sean Whitton wrote:
> > > Hello,
> > >
> > > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > >
> > > > The debian policy, section 4.9, forbids network access for packages in
> > > > the main archive, which implicitly means they are authorized for
> > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > fixed).
> > > >
> > > > This gives constraints on the build daemons infrastructure and also
> > > > brings some security concerns. Would it be possible to extend this
> > > > restriction to all archives?
> > >
> > > We need to know if this is going to break existing packages and allow
> > > some input from their maintainers. Are you able to prepare a list of
> > > the affected packages?
> >
> > Fair enough. I can work on that, but help would be welcome as my
> > resources are limited.
>
> I did a test rebuild of contrib, non-free and non-free-firmware packages
> in sid with both stable sbuild schroot and unshare backends and could
> not find a difference in build success (i.e. what failed failed in both,
> what succeeded succeeded in both).

Thanks Philipp. Following that result, please find a patch proposal:

--- a/policy/ch-source.rst +++ b/policy/ch-source.rst
@@ -338,9 +338,9 @@ For example, the build target should pass ``--disable-silent-rules`` to any configure scripts. See also :ref:`s-binaries`. -For packages in the main archive, required targets must not attempt -network access, except, via the loopback interface, to services on the -build host that have been started by the build. +Required targets must not attempt network access, except, via the +loopback interface, to services on the build host that have been started +by the build. Required targets must not attempt to write outside of the unpacked source package tree. There are two exceptions. Firstly, the binary Regards Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B aurel...@aurel32.net http://aurel32.net signature.asc Description: PGP signature
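Review bot: dropping "For packages in the main archive" makes the no-network rule bind every package regardless of archive, which is broader than what Bill Allombert proposed earlier in this bug (that "Autobuild: yes" imply no network access); the changelog entry for this hunk should state that the wider scope was chosen on purpose and cite Philipp's sid rebuild of contrib, non-free and non-free-firmware under both the schroot and unshare sbuild backends, with no difference in build success, as the evidence that it breaks nothing. Two further points worth recording with the change: with the qualifier gone, non-free-firmware is covered without waiting for #1029211, and the retained exception still only permits loopback connections to services "that have been started by the build", so a resolver or proxy already listening on the build host is not covered by it.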
Re: Bug#1067079: Clarify that policy on a technology does not implicitly mandate that technology
Hello,

On Tue 02 Apr 2024 at 04:18pm +01, Josh Triplett wrote:
> Sean Whitton wrote:
>> On Tue 26 Mar 2024 at 10:11am -06, Sam Hartman wrote:
>> > I tend to agree with Sean that your rationale is not convincing.
>> > It sounds like you want to use policy as a stick to hit people
>> > over the head and say "policy is not a stick."
>>
>> This was basically my concern.
>
> This feels like a painful mischaracterization of what I said. I don't
> want to use policy as a stick. I want to make policy less usable as a
> stick.

I'm sorry, I didn't mean to be pejorative. I was meaning to say something
more like "you can't fight fire with fire", rather than saying you actively
wanted to use Policy like a stick. I'm sorry I was so terse.

-- 
Sean Whitton
Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free
On Tue, Apr 02, 2024 at 09:21:02AM +0800, Sean Whitton wrote:
> Hello,
>
> On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
>
> > Package: debian-policy
> > Version: 4.6.2.1
> > Severity: normal
> > X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> > Control: affects -1 buildd.debian.org
> >
> > Hi,
> >
> > The debian policy, section 4.9, forbids network access for packages in
> > the main archive, which implicitly means they are authorized for
> > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > fixed).
> >
> > This gives constraints on the build daemons infrastructure and also
> > brings some security concerns. Would it be possible to extend this
> > restriction to all archives?
>
> We need to know if this is going to break existing packages and allow
> some input from their maintainers. Are you able to prepare a list of
> the affected packages?

What I suggested was that "Autobuild: yes" imply no network access.

Cheers,
-- 
Bill.

Imagine a large red swirl here.
Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free
Hi,

On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> On 2024-04-02 09:21, Sean Whitton wrote:
> > Hello,
> >
> > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> >
> > > The debian policy, section 4.9, forbids network access for packages in
> > > the main archive, which implicitly means they are authorized for
> > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > fixed).
> > >
> > > This gives constraints on the build daemons infrastructure and also
> > > brings some security concerns. Would it be possible to extend this
> > > restriction to all archives?
> >
> > We need to know if this is going to break existing packages and allow
> > some input from their maintainers. Are you able to prepare a list of
> > the affected packages?
>
> Fair enough. I can work on that, but help would be welcome as my
> resources are limited.

I did a test rebuild of contrib, non-free and non-free-firmware packages
in sid with both stable sbuild schroot and unshare backends and could
not find a difference in build success (i.e. what failed failed in both,
what succeeded succeeded in both).

Kind regards
Philipp Kern
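A rebuild under the unshare backend shows whether a package still builds without network; it does not list what a package tried to reach. The script below is an added example for this thread, not code from sbuild, debian-policy or anyone on the bug: it assumes the build was traced with strace -f -e trace=network -o build.strace (real strace options) and reports every destination that is not loopback, which is exactly what the section 4.9 wording forbids. The trace lines embedded in it are constructed, and 203.0.113.7 is a documentation address standing in for an external host.

```python
"""Flag non-loopback network access in a build traced with strace.

Added example for Debian bug #1068192; not part of sbuild, debian-policy
or the thread.  Assumes the build ran as
    strace -f -e trace=network -o build.strace dpkg-buildpackage -b
and parses that log.  Only destinations are inspected, so a socket that
was opened but never used is not reported.
"""
import ipaddress
import re

# Syscalls that carry a destination address in strace's network trace.
# With -f each line is prefixed by a pid; searching rather than matching
# also copes with "<unfinished ...>" lines, which still show the address.
_OUTBOUND = re.compile(r"\b(connect|sendto|sendmsg)\(")
# strace renders IPv4 as inet_addr("1.2.3.4") and IPv6 as
# inet_pton(AF_INET6, "::1", &sin6_addr).
_V4 = re.compile(r'inet_addr\("([^"]+)"\)')
_V6 = re.compile(r'inet_pton\(AF_INET6, "([^"]+)"')
_PORT = re.compile(r"sin6?_port=htons\((\d+)\)")

# Constructed sample of a strace -f -e trace=network log (not a real build).
SAMPLE_TRACE = """\
1201  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
1201  connect(3, {sa_family=AF_UNIX, sun_path="/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
1201  socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
1201  sendto(3, "\\305\\311\\1\\0\\0\\1\\0\\0\\0\\0\\0\\0\\4pypi\\3org\\0\\0\\1\\0\\1", 26, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 26
1201  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
1201  connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
1305  connect(5, {sa_family=AF_INET6, sin6_port=htons(8080), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
1305  connect(6, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
"""


def parse_destinations(log_text):
    """Return (address, port) for every outbound IP destination in the trace.

    AF_UNIX sockets carry no IP address and are skipped: they are local
    IPC, not network access in the Policy sense.
    """
    dests = []
    for line in log_text.splitlines():
        if not _OUTBOUND.search(line):
            continue
        m = _V4.search(line) or _V6.search(line)
        if m is None:
            continue
        port = _PORT.search(line)
        dests.append((m.group(1), int(port.group(1)) if port else None))
    return dests


def policy_violations(log_text):
    """Split destinations into (non-loopback, loopback).

    Caveat: the trace alone cannot tell whether a loopback service was
    started by the build itself (allowed by the exception) or was already
    listening on the build host, e.g. a stub resolver on 127.0.0.53 (not
    covered).  Loopback hits are therefore returned separately for a
    human to check rather than silently accepted.
    """
    violations, loopback = [], []
    for addr, port in parse_destinations(log_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # strace printed something this parser does not know
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        (loopback if ip.is_loopback else violations).append((addr, port))
    return violations, loopback


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_TRACE
    bad, lo = policy_violations(text)
    for addr, port in bad:
        print(f"VIOLATION: {addr} port {port}")
    for addr, port in lo:
        print(f"loopback (verify the build started it): {addr} port {port}")
    sys.exit(1 if bad else 0)
```

Run it as "python3 netcheck.py build.strace"; the exit status is 1 if anything outside loopback was contacted, so it slots into a rebuild job next to the unshare-backend run. On the constructed sample it reports the 203.0.113.7:443 connection as a violation and lists the three loopback destinations for manual review.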