1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1068192: debian-policy: extend forbidden network access to contrib

    From Aurelien Jarno@21:1/5 to Bill Allombert on Sat Apr 6 09:52:24 2024
    XPost: linux.debian.policy

    On 2024-04-01 18:18, Bill Allombert wrote:
    On Mon, Apr 01, 2024 at 06:08:10PM +0200, Aurelien Jarno wrote:
    On 2024-04-01 17:52, Bill Allombert wrote:
    On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
    Package: debian-policy
    Version: 4.6.2.1
    Severity: normal
    X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    Control: affects -1 buildd.debian.org

    Hi,

    The debian policy, section 4.9, forbids network access for packages in the main archive, which implicitly means they are authorized for packages in contrib and non-free (and non-free-firmware once #1029211 is
    fixed).

    This gives constraints on the build daemons infrastructure and also brings some security concerns. Would it be possible to extend this restriction to all archives?

    Does the build daemons actually build non-free ?

    Yes, they do, though only part of non-free, only the packages that have Autobuild: yes and that have been put on an allow list after review.

    Is your concern is that the package start to do network acces during build after it has been added to the allow list ?

    Yes, this is the security concern.

    Do you need "Autobuild: yes" to preclude network access ?

    Not right now, but the goal is to fully disable the network access, and
    we do not want to have to special case contrib or non-free, as it just
    makes things complicated.

    Regards
    Aurelien

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)