Bug#969084: buildd.d.o: please don't use a tainted buildenv
Aurelien Jarno
aurelien at aurel32.net
Wed Sep 9 10:01:01 BST 2020
Hi,
On 2020-09-09 08:33, Holger Levsen wrote:
> control: tags -1 patch
>
> On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> > https://tracker.debian.org/pkg/policy-rcd-declarative
> > is a good solution to this: install that package, then instead of
> > dropping that file into /usr/local/sbin/policy-rc.d, do
> > echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
Thanks a lot Mattia for the solution. It's just a pity that this
package is not in (old)stable, so that we need to special case the way
we create the chroots.
> > That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> > which I suppose it's a good compromise.
>
> awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.
Well I would say that we have a solution but not yet the patch, but
anyway I'll plan to work on writing a patch in the next days.
> > Improvement would be to ship
> > that single conffile in a separate package (which, IMHO,
> > src:policy-rcd-declarative could do, i.e. provide a
> > "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> > debconf option sbuild-createchroot could inject but that would be too
> > dirty for me).
>
> I'm tempted to clone this bug and make the clone a wishlist bug for such
> a "policy-rcd-declarative-deny-all" binary. What do you think?
Indeed, that would be awesome.
Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien at aurel32.net http://www.aurel32.net
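
Added example, not part of the original message and not the buildd or sbuild code: a shell sketch of the special-casing discussed above, writing the declarative deny-all conffile where policy-rcd-declarative is installed and falling back to a /usr/local/sbin/policy-rc.d script otherwise. The function names, the ROOT argument and the fallback script's content (exit status 101, the invoke-rc.d "action forbidden by policy" convention) are assumptions.

```shell
#!/bin/sh
# Added example; function names and arguments are hypothetical.

# has_declarative ROOT
#   Succeeds if policy-rcd-declarative is installed in the chroot at ROOT,
#   according to that chroot's own dpkg database.
has_declarative() {
    dpkg-query --admindir="$1/var/lib/dpkg" -W -f='${Status}' \
        policy-rcd-declarative 2>/dev/null | grep -q 'install ok installed'
}

# write_deny_policy ROOT HAVE_DECLARATIVE
#   ROOT              root directory of the build chroot
#   HAVE_DECLARATIVE  "yes" if policy-rcd-declarative is installed in ROOT
write_deny_policy() {
    root=$1
    have_declarative=$2
    if [ "$have_declarative" = yes ]; then
        # Declarative form from the thread: one conffile, no extra binary.
        mkdir -p "$root/etc/service-policy.d"
        printf '%s\n' '.* .* deny' \
            > "$root/etc/service-policy.d/00-buildd-deny-all"
        # Drop any leftover script so the chroot carries no untracked binary.
        rm -f "$root/usr/local/sbin/policy-rc.d"
    else
        # Fallback for suites without the package (assumed script content).
        mkdir -p "$root/usr/local/sbin"
        printf '%s\n' '#!/bin/sh' \
            '# 101: action forbidden by policy' \
            'exit 101' > "$root/usr/local/sbin/policy-rc.d"
        chmod 755 "$root/usr/local/sbin/policy-rc.d"
    fi
}

# setup_chroot_policy ROOT: pick the variant from the chroot's package state.
setup_chroot_policy() {
    if has_declarative "$1"; then
        write_deny_policy "$1" yes
    else
        write_deny_policy "$1" no
    fi
}
```
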