On Tue, Sep 02, 2014 at 01:28:13PM +0200, Thorsten Glaser wrote:
> On Mon, 1 Sep 2014, Adam Borowski wrote:
>
> > Also, should we detect all other attempts to contact the outside network,
> > and swat such builds with extreme prejudice?
>
> Yes. These can be privacy breaches, licence violations (download
> things that change what gets embedded into the packages), and
> all other sorts of nasties. There may be no network access during
> a Debian package build; the switchover is usually between installing
> the B-D and extracting the source package, at most directly after
> the latter.
>
> (I’m aware that there is still *too* much “disable the network” in
> pbuilder. Sorry for not having had the time to work on that. I’ll
> try to do so shortly.)
Could you tell us what's this "too much"?

Here's how I would do it:
unshare --net
iptables rule on !127.0.0.0/8 and !::1 -j REJECT,
if after the build the rule's counter is non-zero we fail the build

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.

Archive: https://lists.debian.org/20140902121305.ga14...@angband.pl
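The three steps Adam sketches (own network namespace, REJECT everything that is not loopback, fail the build if the REJECT counter moved) as a worked script. This is an added example, not code from the thread or from pbuilder; it assumes Linux with util-linux `unshare`, `iptables`/`ip6tables` and root, and takes the build command as its arguments. One detail beyond the mail is the default route via `lo` inside the namespace: without any route, a fresh namespace makes outbound connects fail at route lookup before they ever reach the OUTPUT chain, so the counter would stay at zero; routing everything to `lo` makes every attempt hit the REJECT rule and get counted (this is the example's own choice, not something the thread states). The counter dumps at the bottom are constructed in the `iptables -L OUTPUT -v -n -x` layout so the verdict logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): build inside `unshare --net`, REJECT all
# non-loopback destinations, fail the build if the REJECT counters are non-zero.
# Assumes: Linux, root, util-linux unshare, iptables/ip6tables, iproute2.

# Sum the packet counters of every REJECT rule in an
# `iptables -L <chain> -v -n -x` dump passed as $1.
# -x prints exact counts; columns are: pkts bytes target prot opt in out src dst.
reject_hits() {
    printf '%s\n' "$1" | awk '$3 == "REJECT" { hits += $1 } END { print hits + 0 }'
}

# Verdict from the IPv4 ($1) and IPv6 ($2) OUTPUT dumps: returns 0 when no
# packet was rejected, 1 when the build tried to leave the host.
build_is_clean() {
    total=$(( $(reject_hits "$1") + $(reject_hits "$2") ))
    [ "$total" -eq 0 ]
}

# Script run by `sh -c` inside the new namespace; $@ there is the build command.
# Only lo exists in a fresh namespace. A default route via lo (assumption of this
# example) makes outbound packets traverse OUTPUT instead of failing at routing.
sandbox_script='
set -e
ip link set lo up
ip route add default dev lo
ip -6 route add default dev lo
iptables  -A OUTPUT ! -d 127.0.0.0/8 -j REJECT
ip6tables -A OUTPUT ! -d ::1        -j REJECT
set +e
"$@"; build_status=$?
iptables  -L OUTPUT -v -n -x > "$SANDBOX_V4"
ip6tables -L OUTPUT -v -n -x > "$SANDBOX_V6"
exit $build_status
'

# Usage: run_sandboxed_build dpkg-buildpackage -us -uc
run_sandboxed_build() {
    SANDBOX_V4=$(mktemp); SANDBOX_V6=$(mktemp)
    export SANDBOX_V4 SANDBOX_V6
    unshare --net sh -c "$sandbox_script" sh "$@"
    build_status=$?
    if ! build_is_clean "$(cat "$SANDBOX_V4")" "$(cat "$SANDBOX_V6")"; then
        echo "build attempted to reach the network; failing it" >&2
        build_status=1
    fi
    rm -f "$SANDBOX_V4" "$SANDBOX_V6"
    return $build_status
}

# Constructed sample dumps (not captured from a real system) in the layout of
# `iptables -L OUTPUT -v -n -x`, for exercising the verdict offline.
SAMPLE_CLEAN='Chain OUTPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable'
SAMPLE_LEAKY='Chain OUTPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 REJECT     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          reject-with icmp-port-unreachable'
```

The packet counter is the only signal here, so it is deliberately summed over every REJECT rule in the chain rather than matched on the `!127.0.0.0/8` text, which keeps the check independent of how a given iptables version prints negated addresses. Run the real thing as `run_sandboxed_build <build command>`; the build's own exit status is returned unless the counters show a network attempt, in which case the build fails regardless.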