Bug#969084: buildd.d.o: please don't use a tainted buildenv

Holger Levsen holger at layer-acht.org
Wed Sep 9 09:33:36 BST 2020

control: tags -1 patch

On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
>     https://tracker.debian.org/pkg/policy-rcd-declarative
> is a good solution to this: install that package, then instead of
> dropping that file into /usr/local/sbin/policy-rc.d, do
>     echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
> That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> which I suppose it's a good compromise. 

awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.

> Improvement would be to ship
> that single conffile in a separate package (which, IMHO,
> src:policy-rcd-declarative could do, i.e. provide a
> "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> debconf option sbuild-createchroot could inject but that would be too
> dirty for me).

I'm tempted to clone this bug and make the clone a wishlist bug for such
a "policy-rcd-declarative-deny-all" binary. What do you think?


       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

There are only two kinds of nazis: stupid ones and those without an excuse.
(Volker StrĂ¼bing)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20200909/621564cb/attachment.sig>

More information about the Reproducible-builds mailing list