Bug#969084: buildd.d.o: please don't use a tainted buildenv

Mattia Rizzolo mattia at debian.org
Sat Sep 5 10:11:22 BST 2020


On Mon, Aug 31, 2020 at 02:44:12PM +0000, Holger Levsen wrote:
> On Thu, Aug 27, 2020 at 04:25:56PM +0200, Guillem Jover wrote:
> > I think ideally
> > this would be using a system pathname and be part of a package that gets
> > then listed in the .buildinfo files.
> 
> I cannot comment on this except to say that I'd wish for some more pragmatism :(

It's not something that I run myself, but I believe
    https://tracker.debian.org/pkg/policy-rcd-declarative
is a good solution to this: install that package, then instead of
dropping that file into /usr/local/sbin/policy-rc.d, do
    echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all

That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
which I suppose is a good compromise.  An improvement would be to ship
that single conffile in a separate package (which, IMHO,
src:policy-rcd-declarative could do, i.e. provide a
"policy-rcd-declarative-deny-all" binary; or do fancy things with a
debconf option sbuild-createchroot could inject but that would be too
dirty for me).

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-