• Bug#1068192: debian-policy: extended forbidden network access to contri

    From Holger Levsen@21:1/5 to Aurelien Jarno on Sat Apr 6 09:50:21 2024
    XPost: linux.debian.bugs.dist

    On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
    Thanks Philipp. Following that result, please find a patch proposal:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,9 +338,9 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    -network access, except, via the loopback interface, to services on the -build host that have been started by the build.
    +Required targets must not attempt network access, except, via the
    +loopback interface, to services on the build host that have been started
    +by the build.

    Required targets must not attempt to write outside of the unpacked
    source package tree. There are two exceptions. Firstly, the binary
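Review bot: the rewritten sentence binds non-free unconditionally, yet Policy 2.2.3 (cited later in this thread) already says non-free packages may not fully comply with Policy, so the hunk leaves it open which text prevails for a non-free package whose upstream build fetches from the network; add an explicit cross-reference or a sentence stating that this requirement applies regardless of 2.2.3. A smaller style point: the comma placement in "except, via the loopback interface, to services on the build host" is carried over unchanged and still reads awkwardly; "except to services on the build host, reached via the loopback interface, that have been started by the build" keeps the same meaning and reads more naturally.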

    thanks, this looks good to me as well. seconded.


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Bananas are berries.

  • From Philipp Kern@21:1/5 to Aurelien Jarno on Sat Apr 6 09:50:03 2024
    XPost: linux.debian.bugs.dist

    Hi,

    On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
    On 2024-04-02 09:21, Sean Whitton wrote:
    Hello,

    On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

    We need to know if this is going to break existing packages and allow
    some input from their maintainers. Are you able to prepare a list of
    the affected packages?

    Fair enough. I can work on that, but help would be welcome as my
    resources are limited.

    I did a test rebuild of contrib, non-free and non-free-firmware packages
    in sid with both stable sbuild schroot and unshare backends and could
    not find a difference in build success (i.e. what failed failed in both,
    what succeeded succeeded in both).

    Kind regards
    Philipp Kern

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ansgar =?UTF-8?Q?=F0=9F=99=80?=@21:1/5 to Bill Allombert on Sat Apr 6 09:50:06 2024
    XPost: linux.debian.bugs.dist

    Hi,

    On Mon, 2024-04-01 at 17:52 +0200, Bill Allombert wrote:
    On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

Do the build daemons actually build non-free?

    Yes: allowlisted non-free packages get built on buildds.

    Not allowing network access for contrib and non-free as well seems
    reasonable to me.

    Ansgar

  • From Bill Allombert@21:1/5 to Russ Allbery on Sat Apr 6 09:50:30 2024
    XPost: linux.debian.bugs.dist

    On Thu, Apr 04, 2024 at 11:42:34AM -0700, Russ Allbery wrote:
    Tobias Frost <tobi@debian.org> writes:
    On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:

    Thanks Philipp. Following that result, please find a patch proposal:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,9 +338,9 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    -network access, except, via the loopback interface, to services on the
    -build host that have been started by the build.
    +Required targets must not attempt network access, except, via the
    +loopback interface, to services on the build host that have been started >> +by the build.

    Required targets must not attempt to write outside of the unpacked
    source package tree. There are two exceptions. Firstly, the binary

    LGTM, Seconded.

    Also looks good to me. Seconded.

I still think we should allow Autobuild: no as an escape hatch.
If we want to require non-free packages to be autobuildable, we should
be more explicit about it (and probably require more feedback from
debian-devel).

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Tobias Frost@21:1/5 to Aurelien Jarno on Sat Apr 6 09:50:32 2024
    XPost: linux.debian.bugs.dist

    On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
    Hi,

    On 2024-04-03 12:37, Philipp Kern wrote:
    Hi,

    On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
    On 2024-04-02 09:21, Sean Whitton wrote:
    Hello,

    On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

We need to know if this is going to break existing packages and allow
some input from their maintainers. Are you able to prepare a list of
the affected packages?

Fair enough. I can work on that, but help would be welcome as my
resources are limited.

I did a test rebuild of contrib, non-free and non-free-firmware packages
in sid with both stable sbuild schroot and unshare backends and could
not find a difference in build success (i.e. what failed failed in both,
what succeeded succeeded in both).

    Thanks Philipp. Following that result, please find a patch proposal:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,9 +338,9 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    -network access, except, via the loopback interface, to services on the -build host that have been started by the build.
    +Required targets must not attempt network access, except, via the
    +loopback interface, to services on the build host that have been started
    +by the build.

    Required targets must not attempt to write outside of the unpacked
    source package tree. There are two exceptions. Firstly, the binary

    Regards
    Aurelien

    LGTM, Seconded.

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

  • From Bill Allombert@21:1/5 to Aurelien Jarno on Sat Apr 6 09:50:51 2024
    XPost: linux.debian.bugs.dist

    On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
    Package: debian-policy
    Version: 4.6.2.1
    Severity: normal
    X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    Control: affects -1 buildd.debian.org

    Hi,

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

Do the build daemons actually build non-free?

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Bill Allombert@21:1/5 to Philipp Kern on Sat Apr 6 09:51:10 2024
    XPost: linux.debian.bugs.dist

    On Thu, Apr 04, 2024 at 09:25:36PM +0200, Philipp Kern wrote:
    Hi,

    On 04.04.24 20:51, Bill Allombert wrote:
I still think we should allow Autobuild: no as an escape hatch.
If we want to require non-free packages to be autobuildable, we should
be more explicit about it (and probably require more feedback from
debian-devel).

There is no requirement for non-free to be autobuildable today. This
change also does not introduce this, except for everything that is to be
built on official builders to not require network access.

Sorry, could you point me where the diff is limiting its scope to
"everything that is to be built on official builders"?

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Bill Allombert@21:1/5 to Russ Allbery on Sat Apr 6 09:51:25 2024
    XPost: linux.debian.bugs.dist

    On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
I'm not sure what I think about that. We have a general escape hatch
already for non-free packages in Policy 2.2.3 that says they may not
fully comply with Policy, which may be sufficient.

But precisely, we _do_ want non-free packages that are built on the
autobuilders to comply with this requirement. So we do not want 2.2.3 to
apply in that specific case. It seems cleaner to say that the
requirement only applies if Autobuild: yes is declared.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Aurelien Jarno@21:1/5 to Philipp Kern on Sat Apr 6 09:51:30 2024
    XPost: linux.debian.bugs.dist

    Hi,

    On 2024-04-03 12:37, Philipp Kern wrote:
    Hi,

    On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
    On 2024-04-02 09:21, Sean Whitton wrote:
    Hello,

    On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

We need to know if this is going to break existing packages and allow
some input from their maintainers. Are you able to prepare a list of
the affected packages?

    Fair enough. I can work on that, but help would be welcome as my
    resources are limited.

    I did a test rebuild of contrib, non-free and non-free-firmware packages
    in sid with both stable sbuild schroot and unshare backends and could
    not find a difference in build success (i.e. what failed failed in both,
    what succeeded succeeded in both).

    Thanks Philipp. Following that result, please find a patch proposal:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,9 +338,9 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    -network access, except, via the loopback interface, to services on the
    -build host that have been started by the build.
    +Required targets must not attempt network access, except, via the
    +loopback interface, to services on the build host that have been started
    +by the build.

    Required targets must not attempt to write outside of the unpacked
    source package tree. There are two exceptions. Firstly, the binary

    Regards
    Aurelien

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

  • From Aurelien Jarno@21:1/5 to All on Sat Apr 6 09:51:46 2024
    XPost: linux.debian.bugs.dist

    Package: debian-policy
    Version: 4.6.2.1
    Severity: normal
    X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    Control: affects -1 buildd.debian.org

    Hi,

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

    This gives constraints on the build daemons infrastructure and also
    brings some security concerns. Would it be possible to extend this
    restriction to all archives?

    Regards,
    Aurelien

  • From Aurelien Jarno@21:1/5 to Bill Allombert on Sat Apr 6 09:51:38 2024
    XPost: linux.debian.bugs.dist

    On 2024-04-04 22:38, Bill Allombert wrote:
    On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
I'm not sure what I think about that. We have a general escape hatch
already for non-free packages in Policy 2.2.3 that says they may not
fully comply with Policy, which may be sufficient.

But precisely, we _do_ want non-free packages that are built on the
autobuilders to comply with this requirement. So we do not want 2.2.3 to
apply in that specific case. It seems cleaner to say that the
requirement only applies if Autobuild: yes is declared.

    If we go that route, here is a proposed alternative patch:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,7 +338,8 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    +Except for packages in the non-free archive with the ``Autobuild``
    +control field unset or set to ``no``, required targets must not attempt
    network access, except, via the loopback interface, to services on the
    build host that have been started by the build.
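Review bot: the exemption names only "packages in the non-free archive", so under this wording a non-free-firmware package with ``Autobuild`` unset or ``no`` stays bound, even though the bug report treats non-free-firmware as a separate archive (pending #1029211); if the intent is to exempt every non-autobuilt package outside main and contrib, write "non-free or non-free-firmware archive", and if not, say so explicitly so the asymmetry is deliberate. Style: the sentence now carries two "except" clauses ("Except for packages ... except, via the loopback interface ..."); stating the rule first and putting the Autobuild exemption in a separate following sentence would avoid the double exception.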

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

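As an added example (not part of this thread or of the debian-policy repository), the following Python reads the source paragraph of a debian/control file and evaluates it against the three wordings discussed here: the 4.6.2.1 text (main only), the first patch (every archive), and the Autobuild-based alternative. It follows the alternative's literal text, so only non-free packages with Autobuild unset or no are exempt and non-free-firmware is not; the control snippets are constructed.

```python
"""Decide whether Policy 4.9's network-access rule binds a package under
each wording proposed in #1068192.  Constructed example, not Debian tooling."""

# Archive components that appear as a "Section:" prefix in debian/control.
COMPONENTS = ("main", "contrib", "non-free-firmware", "non-free")

WORDINGS = ("current", "all-archives", "autobuild")


def parse_source_paragraph(control_text: str) -> dict:
    """Parse the first (Source) paragraph of debian/control.

    Fields are "Name: value" (names lower-cased here); a line starting with
    whitespace continues the previous field; a blank line ends the paragraph.
    """
    fields: dict = {}
    last_field = None
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break  # end of the source paragraph; binary paragraphs follow
            continue
        if line[0] in " \t" and last_field:
            fields[last_field] += "\n" + line.strip()
            continue
        name, _, value = line.partition(":")
        last_field = name.strip().lower()
        fields[last_field] = value.strip()
    return fields


def component_of(section: str) -> str:
    """'non-free/libs' -> 'non-free'; a bare 'libs' (no prefix) means main."""
    prefix = section.split("/", 1)[0] if "/" in section else "main"
    return prefix if prefix in COMPONENTS else "main"


def network_forbidden(fields: dict, wording: str) -> bool:
    """True if the given wording forbids non-loopback network access.

    current      : Policy 4.6.2.1, main only.
    all-archives : first patch, every package regardless of archive.
    autobuild    : alternative patch, non-free packages whose Autobuild
                   field is unset or not 'yes' are exempt (literally non-free
                   only, so non-free-firmware stays bound).
    """
    comp = component_of(fields.get("section", ""))
    autobuild = fields.get("autobuild", "").lower() == "yes"
    if wording == "current":
        return comp == "main"
    if wording == "all-archives":
        return True
    if wording == "autobuild":
        return not (comp == "non-free" and not autobuild)
    raise ValueError(f"unknown wording {wording!r}")


# Constructed control snippets; package names are placeholders.
SAMPLES = {
    "main-pkg": ("Source: foo\nSection: libs\nPriority: optional\n"
                 "Build-Depends: debhelper-compat (= 13),\n libbar-dev\n\n"
                 "Package: libfoo\nArchitecture: any\n"),
    "contrib-pkg": "Source: bar\nSection: contrib/misc\n",
    "nonfree-autobuild": "Source: baz\nSection: non-free/misc\nAutobuild: yes\n",
    "nonfree-manual": "Source: qux\nSection: non-free/misc\n",
    "firmware-manual": "Source: fw\nSection: non-free-firmware/kernel\nAutobuild: no\n",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample name to {wording: forbidden?} for all three wordings."""
    return {name: {w: network_forbidden(parse_source_paragraph(text), w)
                   for w in WORDINGS}
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:18s} {verdicts}")
```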
  • From Bill Allombert@21:1/5 to Sean Whitton on Sat Apr 6 09:51:50 2024
    XPost: linux.debian.bugs.dist

    On Tue, Apr 02, 2024 at 09:21:02AM +0800, Sean Whitton wrote:
    Hello,

    On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

    Package: debian-policy
    Version: 4.6.2.1
    Severity: normal
    X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    Control: affects -1 buildd.debian.org

    Hi,

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

    We need to know if this is going to break existing packages and allow
    some input from their maintainers. Are you able to prepare a list of
    the affected packages?

    What I suggested was that "Autobuild: yes" imply no network access.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Russ Allbery@21:1/5 to Tobias Frost on Sat Apr 6 09:52:01 2024
    XPost: linux.debian.bugs.dist

    Tobias Frost <tobi@debian.org> writes:
    On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:

    Thanks Philipp. Following that result, please find a patch proposal:

    --- a/policy/ch-source.rst
    +++ b/policy/ch-source.rst
    @@ -338,9 +338,9 @@
    For example, the build target should pass ``--disable-silent-rules``
    to any configure scripts. See also :ref:`s-binaries`.

    -For packages in the main archive, required targets must not attempt
    -network access, except, via the loopback interface, to services on the
    -build host that have been started by the build.
    +Required targets must not attempt network access, except, via the
    +loopback interface, to services on the build host that have been started
    +by the build.

    Required targets must not attempt to write outside of the unpacked
    source package tree. There are two exceptions. Firstly, the binary

    LGTM, Seconded.

    Also looks good to me. Seconded.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Aurelien Jarno@21:1/5 to Sean Whitton on Sat Apr 6 09:51:54 2024
    XPost: linux.debian.bugs.dist

    Hi,

    On 2024-04-02 09:21, Sean Whitton wrote:
    Hello,

    On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:

    Package: debian-policy
    Version: 4.6.2.1
    Severity: normal
    X-Debbugs-Cc: dsa@debian.org, wb-team@buildd.debian.org
    Control: affects -1 buildd.debian.org

    Hi,

The Debian policy, section 4.9, forbids network access for packages in
the main archive, which implicitly means they are authorized for
packages in contrib and non-free (and non-free-firmware once #1029211 is
fixed).

This gives constraints on the build daemons infrastructure and also
brings some security concerns. Would it be possible to extend this
restriction to all archives?

    We need to know if this is going to break existing packages and allow
    some input from their maintainers. Are you able to prepare a list of
    the affected packages?

    Fair enough. I can work on that, but help would be welcome as my
    resources are limited.

    Regards
    Aurelien

    --
    Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://aurel32.net

  • From Sam Hartman@21:1/5 to All on Sat Apr 6 09:52:13 2024
    XPost: linux.debian.bugs.dist

    "Aurelien" == Aurelien Jarno <aurel32@debian.org> writes:

    Aurelien> If we go that route, here is a proposed alternative patch:

    Aurelien> --- a/policy/ch-source.rst
    Aurelien> +++ b/policy/ch-source.rst
    Aurelien> @@ -338,7 +338,8 @@
    Aurelien> For example, the build target should pass ``--disable-silent-rules``
    Aurelien> to any configure scripts. See also :ref:`s-binaries`.

    Aurelien> -For packages in the main archive, required targets must not attempt
    Aurelien> +Except for packages in the non-free archive with the ``Autobuild``
    Aurelien> +control field unset or set to ``no``, required targets must not attempt
    Aurelien> network access, except, via the loopback interface, to services on the
    Aurelien> build host that have been started by the build.

    Seconded.
