Bug#969084: buildd.d.o: please don't use a tainted buildenv

Holger Levsen holger at layer-acht.org
Thu Aug 27 14:06:56 BST 2020


hi,

adding Guillem to the loop (and preserving a full quote for him).

On Thu, Aug 27, 2020 at 03:00:43PM +0200, Aurelien Jarno wrote:
> Hi,
> 
> On 2020-08-27 13:25, Holger Levsen wrote:
> > Package: buildd.debian.org
> > Severity: wishlist
> > User: reproducible-builds at lists.alioth.debian.org
> > Usertags: environment
> > 
> > Dear buildd maintainers,
> > 
> > for a while now dpkg has added a small note to a .buildinfo if /usr/local/sbin
> > is populated (which I'm not sure I agree is sensible, but it's what dpkg
> > currently does), eg
> > 
> > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> > 35473
> > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> > 37182
> > 
> > so almost all .buildinfo files from August 2020 are tainted.
> > 
> > (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> > for yourself easily.)
> > 
> > So how are they tainted:
> > 
> > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> > Build-Tainted-By:
> >  usr-local-has-programs
> > Installed-Build-Depends:
> > 
> > 
> > And then, also, not all .buildinfo files are tainted by "usr-local-has-programs" because
> > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> > 35017
> > 
> > (But I guess that's probably material for another bug report.)
> > 
> > Any chance the Debian buildds could not have a tainted /usr/local?
> 
> The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
> needed to prevent daemons from starting in the chroot. Not sure how we can do
> things differently.

thanks for that info! maybe dpkg could treat /usr/local not as tainted if the
only file in /usr/local is /usr/local/sbin/policy-rc.d?


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Dance like no one's watching. Encrypt like everyone is.
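An added example, not code from this thread or from dpkg itself: a small Python script that parses the multi-line Build-Tainted-By field out of constructed .buildinfo fragments, reproduces the tainted/total counts that the rgrep/wc pipeline above computes, and models the /usr/local program check with and without the policy-rc.d exemption suggested above (the exact rule dpkg applies is an assumption here, not taken from its source).

```python
from collections import Counter

# Constructed sample .buildinfo fragments (deb822 format, tag names as in the thread).
SAMPLE_BUILDINFOS = {
    "firejail_0.9.62-4_ppc64el-buildd.buildinfo":
        "Format: 1.0\nSource: firejail\nBuild-Tainted-By:\n usr-local-has-programs\n"
        "Installed-Build-Depends:\n autoconf (= 2.69-11.1),\n",
    "clean_1.0-1_amd64-buildd.buildinfo":
        "Format: 1.0\nSource: clean\nInstalled-Build-Depends:\n debhelper (= 13.2),\n",
    "other_2.0-1_amd64-buildd.buildinfo":
        "Format: 1.0\nSource: other\nBuild-Tainted-By:\n merged-usr-via-aliased-dirs\n",
}

def tainted_by(text):
    """Return the Build-Tainted-By tags of one .buildinfo (a multi-line deb822
    field: the tags are the indented continuation lines after the field name)."""
    tags, in_field = [], False
    for line in text.splitlines():
        if in_field:
            if line.startswith((" ", "\t")):
                tags.append(line.strip())
                continue
            break  # first non-continuation line ends the field
        if line.startswith("Build-Tainted-By:"):
            in_field = True
            tags.extend(line[len("Build-Tainted-By:"):].split())
    return tags

def taint_summary(buildinfos):
    """Count tainted files and files per tag, like the rgrep/wc pipeline."""
    counts, tainted = Counter(), 0
    for text in buildinfos.values():
        tags = tainted_by(text)
        tainted += bool(tags)
        counts.update(tags)
    return tainted, len(buildinfos), counts

POLICY_RC_D = "/usr/local/sbin/policy-rc.d"

def usr_local_has_programs(files, exempt_policy_rc_d=False):
    """Model of the usr-local-has-programs check. Assumption: any file under
    /usr/local/bin or /usr/local/sbin triggers it. With exempt_policy_rc_d=True
    the exemption proposed in the thread is applied before deciding."""
    programs = [f for f in files if f.startswith(("/usr/local/bin/", "/usr/local/sbin/"))]
    if exempt_policy_rc_d:
        programs = [f for f in programs if f != POLICY_RC_D]
    return bool(programs)
```

Point `taint_summary` at the parsed contents of a directory of real .buildinfo files to get the same 35473-of-37182 style figures as the grep commands above.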