Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 27 Aug 2020 11:27:04 GMT)
Acknowledgement sent to Holger Levsen <holger@debian.org>: New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 27 Aug 2020 11:27:04 GMT)
Package: buildd.debian.org
Severity: wishlist
User: reproducible-builds@lists.alioth.debian.org
Usertags: environment
Dear buildd maintainers,
For a while now, dpkg has added a small note to a .buildinfo if /usr/local/sbin
is populated (which I'm not sure I agree is sensible, but it's what dpkg
currently does), e.g.
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
35473
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
37182
so almost all .buildinfo files from August 2020 are tainted.
(profitbricks7 is hosting https://buildinfos.debian.net if you want to check
for yourself easily.)
So how are they tainted:
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
Build-Tainted-By:
usr-local-has-programs
Installed-Build-Depends:
And then, also, not all .buildinfo files are tainted by "usr-local-has-programs" because
holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
35017
(But I guess that's probably material for another bug report.)
Any chance the Debian buildds could not have a tainted /usr/local?
Thanks for maintaining all these buildds!
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
"There's no glory in prevention." (Christian Drosten)
Changed Bug title to 'buildd.d.o: please don't use a tainted buildenv' from 'buildd.d.o: please don't use a tained buildenv'. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 27 Aug 2020 12:45:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 27 Aug 2020 13:03:02 GMT)
Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 27 Aug 2020 13:03:03 GMT)
Hi,
On 2020-08-27 13:25, Holger Levsen wrote:
> Package: buildd.debian.org
> Severity: wishlist
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: environment
>
> Dear buildd maintainers,
>
> since a while dpkg adds a small note to a .buildinfo if /usr/local/sbin
> is populated (which I'm not sure I agree is sensible, but it's what dpkg
> currently does), eg
>
> holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> 35473
> holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> 37182
>
> so almost all .buildinfo files from August 2020 are tainted.
>
> (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> for yourself easily.)
>
> So how are they tainted:
>
> holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> Build-Tainted-By:
> usr-local-has-programs
> Installed-Build-Depends:
>
>
> And then, also, not all .buildinfo files are taited by "usr-local-has-programs" because
> holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> 35017
>
> (But I guess that's probably material for another bug report.)
>
> Any chance the Debian buildds could not have a tained /usr/local?
The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
needed to prevent daemons from starting in the chroot. Not sure how we can do
things differently.
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 27 Aug 2020 13:09:02 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 27 Aug 2020 13:09:02 GMT)
hi,
adding Guillem to the loop (and preserving a full quote for him).
On Thu, Aug 27, 2020 at 03:00:43PM +0200, Aurelien Jarno wrote:
> Hi,
>
> On 2020-08-27 13:25, Holger Levsen wrote:
> > Package: buildd.debian.org
> > Severity: wishlist
> > User: reproducible-builds@lists.alioth.debian.org
> > Usertags: environment
> >
> > Dear buildd maintainers,
> >
> > since a while dpkg adds a small note to a .buildinfo if /usr/local/sbin
> > is populated (which I'm not sure I agree is sensible, but it's what dpkg
> > currently does), eg
> >
> > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> > 35473
> > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> > 37182
> >
> > so almost all .buildinfo files from August 2020 are tainted.
> >
> > (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> > for yourself easily.)
> >
> > So how are they tainted:
> >
> > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> > Build-Tainted-By:
> > usr-local-has-programs
> > Installed-Build-Depends:
> >
> >
> > And then, also, not all .buildinfo files are taited by "usr-local-has-programs" because
> > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> > 35017
> >
> > (But I guess that's probably material for another bug report.)
> >
> > Any chance the Debian buildds could not have a tained /usr/local?
>
> The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
> needed to prevent daemons to start in the chroot. Not sure how we can do
> things differently.
thanks for that info! maybe dpkg could treat /usr/local as not tainted if the
only file in /usr/local is /usr/local/sbin/policy-rc.d?
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Dance like no one's watching. Encrypt like everyone is.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 27 Aug 2020 14:27:02 GMT)
Acknowledgement sent to Guillem Jover <guillem@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 27 Aug 2020 14:27:02 GMT)
Cc: 969084@bugs.debian.org,
Reproducible Builds discussion list <reproducible-builds@lists.alioth.debian.org>
Subject: Re: Bug#969084: buildd.d.o: please don't use a tainted buildenv
Date: Thu, 27 Aug 2020 16:25:56 +0200
On Thu, 2020-08-27 at 13:06:56 +0000, Holger Levsen wrote:
> On Thu, Aug 27, 2020 at 03:00:43PM +0200, Aurelien Jarno wrote:
> > On 2020-08-27 13:25, Holger Levsen wrote:
> > > Package: buildd.debian.org
> > > Severity: wishlist
> > > User: reproducible-builds@lists.alioth.debian.org
> > > Usertags: environment
> > > since a while dpkg adds a small note to a .buildinfo if /usr/local/sbin
> > > is populated (which I'm not sure I agree is sensible, but it's what dpkg
> > > currently does), eg
> > >
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> > > 35473
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> > > 37182
> > >
> > > so almost all .buildinfo files from August 2020 are tainted.
> > >
> > > (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> > > for yourself easily.)
> > >
> > > So how are they tainted:
> > >
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> > > Build-Tainted-By:
> > > usr-local-has-programs
> > > Installed-Build-Depends:
> > >
> > >
> > > And then, also, not all .buildinfo files are taited by "usr-local-has-programs" because
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> > > 35017
> > >
> > > (But I guess that's probably material for another bug report.)
> > >
> > > Any chance the Debian buildds could not have a tained /usr/local?
> >
> > The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
> > needed to prevent daemons to start in the chroot. Not sure how we can do
> > things differently.
>
> thanks for that info! maybe dpkg could treat /usr/local not as tainted if the
> only file in /usr/local is /usr/local/sbin/policy-rc.d ?
While we could perhaps add an exception in the Debian vendor profile,
it does look like this is working as intended? :) This is a local file
that might affect the build, which is otherwise not trackable, say
what "version" (with which changes) was being used, etc. I think ideally
this would be using a system pathname and be part of a package that gets
then listed in the .buildinfo files.
Thanks,
Guillem
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Mon, 31 Aug 2020 14:48:02 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Mon, 31 Aug 2020 14:48:02 GMT)
On Thu, Aug 27, 2020 at 04:25:56PM +0200, Guillem Jover wrote:
> > thanks for that info! maybe dpkg could treat /usr/local not as tainted if the
> > only file in /usr/local is /usr/local/sbin/policy-rc.d ?
> While we could perhaps add an exception in the Debian vendor profile.
> It does look like this is working as intended? :)
yes, I believe the buildd admins think this works as intended.
> This is a local file
> that might affect the build, which is otherwise not trackable, say
> what "version" (with which changes) was being used, etc.
this kind of policy-rc.d file only contains one relevant line, "exit 0".
> I think ideally
> this would be using a system pathname and be part of a package that gets
> then listed in the .buildinfo files.
I cannot comment on this except to say that I'd wish for some more pragmatism :(
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect." (Bruce Schneier)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Wed, 02 Sep 2020 03:27:02 GMT)
Acknowledgement sent to "Bernhard M. Wiedemann" <bwiedemann@suse.de>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Wed, 02 Sep 2020 03:27:02 GMT)
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
To: 969084@bugs.debian.org
Subject: Re: Bug#969084: buildd.d.o: please don't use a tainted buildenv
Date: Wed, 2 Sep 2020 05:06:18 +0200
> I think ideally
> this would be using a system pathname and be part of a package that gets
> then listed in the .buildinfo files.
This is how openSUSE does it as well, e.g. with
https://github.com/openSUSE/post-build-checks/
and
https://github.com/openSUSE/brp-check-suse/
that get pulled into the build as versioned packages.
If you think that a package with 1 line is overkill, maybe you could
add it to another build-only package as /usr/sbin/policy-rc.d?
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Sat, 05 Sep 2020 09:15:05 GMT)
On Mon, Aug 31, 2020 at 02:44:12PM +0000, Holger Levsen wrote:
> On Thu, Aug 27, 2020 at 04:25:56PM +0200, Guillem Jover wrote:
> > I think ideally
> > this would be using a system pathname and be part of a package that gets
> > then listed in the .buildinfo files.
>
> I cannot comment on this except to say that I'd wish for some more pragmatism :(
It's not something that I run myself, but I believe
https://tracker.debian.org/pkg/policy-rcd-declarative
is a good solution to this: install that package, then instead of
dropping that file into /usr/local/sbin/policy-rc.d, do
echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
which I suppose is a good compromise. An improvement would be to ship
that single conffile in a separate package (which, IMHO,
src:policy-rcd-declarative could do, i.e. provide a
"policy-rcd-declarative-deny-all" binary; or do fancy things with a
debconf option sbuild-createchroot could inject, but that would be too
dirty for me).
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
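As an added example (not code from this bug thread, from dpkg or from the buildd tooling), a Python script that parses the multi-line Build-Tainted-By field shown in the original report, tallies taint reasons across constructed .buildinfo fragments the way the rgrep | wc -l pipeline does, and encodes the rule the policy-rc.d discussion turns on: a file under /usr/local/sbin trips usr-local-has-programs, while the same policy expressed under /etc/service-policy.d does not. The /usr/local/bin and /usr/local/sbin rule and the merged-usr-via-aliased-dirs reason are this example's assumptions about dpkg's behaviour, not statements from the thread.

```python
# Added example (not code from the bug report or from dpkg): parse the
# Build-Tainted-By field of .buildinfo files and summarise taint reasons,
# plus a check for the rule behind "usr-local-has-programs" as assumed here
# (assumption: dpkg flags a non-empty /usr/local/bin or /usr/local/sbin).
from collections import Counter

# Constructed sample .buildinfo fragments in deb822 layout: continuation
# lines of a multi-line field start with a single space.
SAMPLE_BUILDINFOS = [
    # tainted only by the buildd's /usr/local/sbin/policy-rc.d
    "Format: 1.0\n"
    "Source: firejail\n"
    "Architecture: ppc64el\n"
    "Build-Tainted-By:\n"
    " usr-local-has-programs\n"
    "Installed-Build-Depends:\n"
    " base-files (= 11),\n"
    " debhelper (= 13.2)\n",
    # tainted by /usr/local and (assumed reason name) by a merged-/usr layout
    "Format: 1.0\n"
    "Source: example-two\n"
    "Build-Tainted-By:\n"
    " merged-usr-via-aliased-dirs\n"
    " usr-local-has-programs\n"
    "Installed-Build-Depends:\n"
    " base-files (= 11)\n",
    # a clean build: no Build-Tainted-By field at all
    "Format: 1.0\n"
    "Source: example-three\n"
    "Installed-Build-Depends:\n"
    " base-files (= 11)\n",
]


def parse_buildinfo(text):
    """Parse deb822-style fields into {name: [value lines]}.

    A value on the field line itself becomes the first element; each
    continuation line (leading whitespace) is appended stripped.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line: nothing to record
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed field line: %r" % line)
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def taint_reasons(text):
    """Return the Build-Tainted-By reasons of one .buildinfo ([] if clean)."""
    return parse_buildinfo(text).get("Build-Tainted-By", [])


def summarize(buildinfos):
    """Count tainted files and how often each reason occurs."""
    reasons = Counter()
    tainted = 0
    for text in buildinfos:
        found = taint_reasons(text)
        if found:
            tainted += 1
        reasons.update(found)
    return {"total": len(buildinfos), "tainted": tainted,
            "reasons": dict(reasons)}


def usr_local_has_programs(paths):
    """True if any path lies under /usr/local/bin or /usr/local/sbin.

    Assumption (this example's reading of dpkg, not dpkg's code): this is
    what triggers the usr-local-has-programs taint, so a policy file moved
    to /etc/service-policy.d/ no longer matches.
    """
    return any(p.startswith(("/usr/local/bin/", "/usr/local/sbin/"))
               for p in paths)


if __name__ == "__main__":
    print(summarize(SAMPLE_BUILDINFOS))
    print(usr_local_has_programs(["/usr/local/sbin/policy-rc.d"]))  # True
    print(usr_local_has_programs(["/etc/service-policy.d/00-buildd-deny-all"]))  # False
```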
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Wed, 09 Sep 2020 08:36:04 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Wed, 09 Sep 2020 08:36:04 GMT)
control: tags -1 patch
On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> https://tracker.debian.org/pkg/policy-rcd-declarative
> is a good solution to this: install that package, then instead of
> dropping that file into /usr/local/sbin/policy-rc.d, do
> echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
>
> That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> which I suppose it's a good compromise.
awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.
> Improvement would be to ship
> that single conffile in a separate package (which, IMHO,
> src:policy-rcd-declarative could do, i.e. provide a
> "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> debconf option sbuild-createchroot could inject but that would be too
> dirty for me).
I'm tempted to clone this bug and make the clone a wishlist bug for such
a "policy-rcd-declarative-deny-all" binary. What do you think?
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
There are only two kinds of nazis: stupid ones and those without an excuse.
(Volker Strübing)
Added tag(s) patch. Request was from Holger Levsen <holger@layer-acht.org> to 969084-submit@bugs.debian.org. (Wed, 09 Sep 2020 08:36:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Wed, 09 Sep 2020 09:03:03 GMT)
Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Wed, 09 Sep 2020 09:03:03 GMT)
Hi,
On 2020-09-09 08:33, Holger Levsen wrote:
> control: tags -1 patch
>
> On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> > https://tracker.debian.org/pkg/policy-rcd-declarative
> > is a good solution to this: install that package, then instead of
> > dropping that file into /usr/local/sbin/policy-rc.d, do
> > echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
Thanks a lot Mattia for the solution. It's just a pity that this
package is not in (old)stable, so that we need to special-case the way
we create the chroots.
> > That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> > which I suppose it's a good compromise.
>
> awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.
Well I would say that we have a solution but not yet the patch, but
anyway I'll plan to work on writing a patch in the next days.
> > Improvement would be to ship
> > that single conffile in a separate package (which, IMHO,
> > src:policy-rcd-declarative could do, i.e. provide a
> > "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> > debconf option sbuild-createchroot could inject but that would be too
> > dirty for me).
>
> I'm tempted to clone this bug and make the clone a wishlist bug for such
> a "policy-rcd-declarative-deny-all" binary. What do you think?
Indeed, that would be awesome.
Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
On 2020-09-09 11:01, Aurelien Jarno wrote:
> Hi,
>
> On 2020-09-09 08:33, Holger Levsen wrote:
> > control: tags -1 patch
> >
> > On Sat, Sep 05, 2020 at 11:11:22AM +0200, Mattia Rizzolo wrote:
> > > https://tracker.debian.org/pkg/policy-rcd-declarative
> > > is a good solution to this: install that package, then instead of
> > > dropping that file into /usr/local/sbin/policy-rc.d, do
> > > echo ".* .* deny" > /etc/service-policy.d/00-buildd-deny-all
>
> Thanks a lot Mattia for the solution. It's just a pitty that this
> package is not in (old)stable, so that we need to special case the way
> we create the chroots.
>
> > > That turns a non-dpkg tracked binary into a non-dpkg tracked conffile,
> > > which I suppose it's a good compromise.
> >
> > awesome find, Mattia, thank you. I dare to tag this bug 'patch' now.
>
> Well I would say that we have a solution but not yet the patch, but
> anyway I'll plan to work on writing a patch in the next days.
>
I have just pushed:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/abacce72bdc2417961cab2704ef3881f6d15d654
That should be effective the next time the chroots are regenerated
(tonight).
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
On Wed, Sep 09, 2020 at 11:01:01AM +0200, Aurelien Jarno wrote:
> Well I would say that we have a solution but not yet the patch, but
> anyway I'll plan to work on writing a patch in the next days.
Oh, great!
thank you for being so quick!
> > > Improvement would be to ship
> > > that single conffile in a separate package (which, IMHO,
> > > src:policy-rcd-declarative could do, i.e. provide a
> > > "policy-rcd-declarative-deny-all" binary; or do fancy things with a
> > > debconf option sbuild-createchroot could inject but that would be too
> > > dirty for me).
> >
> > I'm tempted to clone this bug and make the clone a wishlist bug for such
> > a "policy-rcd-declarative-deny-all" binary. What do you think?
>
> Indeed, that would be awesome.
I opened a new bug instead, to give the policy-rcd-declarative
maintainer some context without being shoved a bugload of comments ^^
https://bugs.debian.org/970027
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 10 Sep 2020 12:03:03 GMT)
Acknowledgement sent to Holger Levsen <holger@layer-acht.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 10 Sep 2020 12:03:03 GMT)
Hi,
On Thu, Sep 10, 2020 at 01:45:31PM +0200, Mattia Rizzolo wrote:
> On Wed, Sep 09, 2020 at 11:01:01AM +0200, Aurelien Jarno wrote:
> > Well I would say that we have a solution but not yet the patch, but
> > anyway I'll plan to work on writing a patch in the next days.
> Oh, great!
> thank you for being so quick!
indeed, thank you very much Aurelien!
fwiw, I also think it's fine to only have this for new
unstable/bullseye/bookworm/... builds.
> > > I'm tempted to clone this bug and make the clone a wishlist bug for such
> > > a "policy-rcd-declarative-deny-all" binary. What do you think?
> > Indeed, that would be awesome.
> I opened a new bug instead, to give the policy-rcd-declarative
> maintainer some context without being shoved a bugload of comments ^^
> https://bugs.debian.org/970027
very nice & thank you very much too, Mattia!
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
"There's no glory in prevention." (Christian Drosten)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 10 Sep 2020 12:18:02 GMT)
Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 10 Sep 2020 12:18:02 GMT)
On 2020-09-10 11:58, Holger Levsen wrote:
> Hi,
>
> On Thu, Sep 10, 2020 at 01:45:31PM +0200, Mattia Rizzolo wrote:
> > On Wed, Sep 09, 2020 at 11:01:01AM +0200, Aurelien Jarno wrote:
> > > Well I would say that we have a solution but not yet the patch, but
> > > anyway I'll plan to work on writing a patch in the next days.
> > Oh, great!
> > thank you for being so quick!
>
> indeed, thank you very much Aurelien!
>
> fwiw, I also think it's fine to only have this for new
> unstable/bullseye/bookworm/... builds.
policy-rcd-declarative is used for bullseye and sid chroots. We do not
have bookworm chroots yet ;-)
Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
On Thu, Sep 10, 2020 at 02:14:57PM +0200, Aurelien Jarno wrote:
> On 2020-09-10 11:58, Holger Levsen wrote:
> > Hi,
> >
> > On Thu, Sep 10, 2020 at 01:45:31PM +0200, Mattia Rizzolo wrote:
> > > On Wed, Sep 09, 2020 at 11:01:01AM +0200, Aurelien Jarno wrote:
> > > > Well I would say that we have a solution but not yet the patch, but
> > > > anyway I'll plan to work on writing a patch in the next days.
> > > Oh, great!
> > > thank you for being so quick!
> >
> > indeed, thank you very much Aurelien!
> >
> > fwiw, I also think it's fine to only have this for new
> > unstable/bullseye/bookworm/... builds.
>
> policy-rcd-declarative is used for bullseye and sid chroots. We do not
> have bookworm chroots yet ;-)
do buildds use the sid chroots for experimental builds?
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 10 Sep 2020 13:27:04 GMT)
Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 10 Sep 2020 13:27:04 GMT)
On 2020-09-10 14:17, Mattia Rizzolo wrote:
> On Thu, Sep 10, 2020 at 02:14:57PM +0200, Aurelien Jarno wrote:
> > On 2020-09-10 11:58, Holger Levsen wrote:
> > > Hi,
> > >
> > > On Thu, Sep 10, 2020 at 01:45:31PM +0200, Mattia Rizzolo wrote:
> > > > On Wed, Sep 09, 2020 at 11:01:01AM +0200, Aurelien Jarno wrote:
> > > > > Well I would say that we have a solution but not yet the patch, but
> > > > > anyway I'll plan to work on writing a patch in the next days.
> > > > Oh, great!
> > > > thank you for being so quick!
> > >
> > > indeed, thank you very much Aurelien!
> > >
> > > fwiw, I also think it's fine to only have this for new
> > > unstable/bullseye/bookworm/... builds.
> >
> > policy-rcd-declarative is used for bullseye and sid chroots. We do not
> > have bookworm chroots yet ;-)
>
> do buildds use the sid chroots for experimental builds?
Yes, as the packages in experimental are not self-contained, so
experimental is basically just an overlay to sid. In other words, you
can't debootstrap experimental; you debootstrap sid and pick up
experimental packages.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Buildd Team <wb-team@buildd.debian.org>: Bug#969084; Package buildd.debian.org. (Thu, 10 Sep 2020 14:00:03 GMT)
Acknowledgement sent to Wouter Verhelst <wouter@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Buildd Team <wb-team@buildd.debian.org>. (Thu, 10 Sep 2020 14:00:03 GMT)
FYI: I added a "policy-rcd-declarative-deny-all" package that contains
an alternative default policy denying all service startup requests. As
soon as it passes my tests, I'll upload that to unstable.
You might want to update the script then to install
policy-rcd-declarative-deny-all (which depends on
policy-rcd-declarative) and drop the manual policy config file.
If wanted, I could also upload this to backports?
Regards,
--
To the thief who stole my anti-depressants: I hope you're happy
-- seen somewhere on the Internet on a photo of a billboard
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Oct 2020 07:27:26 GMT)