On Mon, Apr 01, 2024 at 06:08:10PM +0200, Aurelien Jarno wrote:
On 2024-04-01 17:52, Bill Allombert wrote:
On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
Package: debian-policy
Version: 4.6.2.1
Severity: normal
X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
Control: affects -1 buildd.debian.org
Hi,
The debian policy, section 4.9, forbids network access for packages in the main archive, which implicitly means they are authorized for packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).
This gives constraints on the build daemons infrastructure and also brings some security concerns. Would it be possible to extend this restriction to all archives?
Does the build daemons actually build non-free ?
Yes, they do, though only part of non-free, only the packages that have Autobuild: yes and that have been put on an allow list after review.
Is your concern is that the package start to do network acces during build after it has been added to the allow list ?
Do you need "Autobuild: yes" to preclude network access ?
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 307 |
Nodes: | 16 (2 / 14) |
Uptime: | 112:20:34 |
Calls: | 6,854 |
Files: | 12,355 |
Messages: | 5,416,512 |