Bug#969084: buildd.d.o: please don't use a tainted buildenv

Aurelien Jarno aurelien at aurel32.net
Wed Sep 9 10:01:01 BST 2020


Hi,

On 2020-09-09 08:33, Holger Levsen wrote:
> control: tags -1 patch
> 
> On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> >     https://tracker.debian.org/pkg/policy-rcd-declarative
> > is a good solution to this: install that package, then instead of
> > dropping that file into /usr/local/sbin/policy-rc.d, do
> >     echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all

Thanks a lot Mattia for the solution. It's just a pity that this
package is not in (old)stable, so that we need to special case the way
we create the chroots.

> > That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> > which I suppose it's a good compromise. 
> 
> awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.

Well I would say that we have a solution but not yet the patch, but
anyway I'll plan to work on writing a patch in the next days.

> > Improvement would be to ship
> > that single conffile in a separate package (which, IMHO,
> > src:policy-rcd-declarative could do, i.e. provide a
> > "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> > debconf option sbuild-createchroot could inject but that would be too
> > dirty for me).
> 
> I'm tempted to clone this bug and make the clone a wishlist bug for such
> a "policy-rcd-declarative-deny-all" binary. What do you think?

Indeed, that would be awesome.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien at aurel32.net                 http://www.aurel32.net
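
Added example, not part of the original message and not buildd or sbuild code: one way to special-case chroot setup as discussed above, using the declarative rule where policy-rcd-declarative is available and the /usr/local/sbin/policy-rc.d script otherwise. The function name, the directory-presence check and the fallback script body (exit status 101, which invoke-rc.d treats as "action forbidden by policy") are assumptions for illustration.

```shell
# Added example: make a build chroot refuse all service starts.
# deny_services_in_chroot is a hypothetical helper, not an sbuild function.
deny_services_in_chroot() {
    root=$1
    [ -d "$root" ] || { echo "no such chroot: $root" >&2; return 2; }

    # Assumption: an existing /etc/service-policy.d inside the chroot means
    # policy-rcd-declarative is installed there.
    if [ -d "$root/etc/service-policy.d" ]; then
        # Rule from the thread: every service, every action, deny.
        printf '%s\n' '.* .* deny' \
            > "$root/etc/service-policy.d/00-buildd-deny-all"
        echo declarative
    else
        # Suites without the package: fall back to the script path named in
        # the thread. The script body is assumed, not taken from the page.
        mkdir -p "$root/usr/local/sbin"
        printf '%s\n' '#!/bin/sh' 'exit 101' \
            > "$root/usr/local/sbin/policy-rc.d"
        chmod 0755 "$root/usr/local/sbin/policy-rc.d"
        echo legacy
    fi
}
```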