On 2024-04-01 18:18, Bill Allombert wrote:
> On Mon, Apr 01, 2024 at 06:08:10PM +0200, Aurelien Jarno wrote:
> > On 2024-04-01 17:52, Bill Allombert wrote:
> > > On Mon, Apr 01, 2024 at 05:29:54PM +0200, Aurelien Jarno wrote:
> > > > Package: debian-policy
> > > > Version: 4.6.2.1
> > > > Severity: normal
> > > > X-Debbugs-Cc: d...@debian.org, wb-t...@buildd.debian.org
> > > > Control: affects -1 buildd.debian.org
> > > >
> > > > Hi,
> > > >
> > > > The Debian Policy, section 4.9, forbids network access for packages in
> > > > the main archive, which implicitly means it is authorized for
> > > > packages in contrib and non-free (and non-free-firmware once #1029211 is
> > > > fixed).
> > > >
> > > > This puts constraints on the build daemon infrastructure and also
> > > > brings some security concerns. Would it be possible to extend this
> > > > restriction to all archives?
> > >
> > > Do the build daemons actually build non-free?
> >
> > Yes, they do, though only part of non-free: only the packages that have
> > Autobuild: yes and that have been put on an allow list after review.
>
> Is your concern that the package starts to do network access during build
> after it has been added to the allow list?
Yes, this is the security concern.

> Do you need "Autobuild: yes" to preclude network access?

Not right now, but the goal is to fully disable network access, and we
do not want to have to special-case contrib or non-free, as it just
makes things complicated.

Regards
Aurelien

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://aurel32.net
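An added example, not part of this bug thread and not the configuration Debian's build daemons actually use: a POSIX shell wrapper that runs a build step inside a detached network namespace with unshare(1) from util-linux, so that any network access attempted during the build fails instead of silently succeeding, together with a check that can be run inside the build environment to confirm that nothing but lo and no route is visible. It assumes a Linux host on which unprivileged user namespaces are permitted; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the debian-policy bug thread and not the buildd
# setup Debian uses. Runs a build step in a fresh network namespace and
# provides a check that can run inside the build to verify the isolation.
# Assumes Linux with util-linux unshare(1) and unprivileged user namespaces.
set -u

# network_is_isolated: return 0 when the calling process' network namespace
# has no interface other than lo and no IPv4 route at all (not even a
# default route); return 1 otherwise. /proc/net/dev and /proc/net/route are
# per-namespace (they resolve via /proc/self/net), unlike /sys/class/net,
# which shows the namespace that mounted sysfs.
network_is_isolated() {
    # /proc/net/dev: two header lines, then one "iface: counters" line each.
    if awk 'NR > 2 { sub(":", "", $1); if ($1 != "lo") found = 1 }
            END { exit !found }' /proc/net/dev; then
        return 1
    fi
    # /proc/net/route: one header line, then one line per route in the
    # main table (loopback routes live in the local table and are not listed).
    if awk 'NR > 1 { found = 1 } END { exit !found }' /proc/net/route; then
        return 1
    fi
    return 0
}

# run_without_network CMD...: execute CMD in a new user+network namespace.
# -n detaches the network namespace; -r maps the caller to root inside a
# new user namespace so no privileges are needed. Returns 2 if namespaces
# cannot be created on this host, otherwise CMD's exit status.
run_without_network() {
    if ! unshare -rn true 2>/dev/null; then
        echo "run_without_network: user/network namespaces unavailable" >&2
        return 2
    fi
    unshare -rn "$@"
}

# example_build_step: stand-in for "debian/rules build" run under the
# wrapper. Inside the namespace only the header line of /proc/net/route
# remains, so a fetch during the build gets "Network is unreachable".
example_build_step() {
    run_without_network sh -c '
        awk "END { exit NR > 1 }" /proc/net/route || exit 1
        # A real build step would run here; it cannot reach the network.
        exit 0
    '
}

if [ "${1:-}" = "--demo" ]; then
    example_build_step && echo "build step ran with no routes visible"
fi
```

Run it as `sh isolate-build.sh --demo`; a return code of 2 means the host forbids unprivileged namespaces, in which case the wrapper refuses to run the step with the network still attached rather than degrading silently. Placing `network_is_isolated` at the start of a build hook turns the policy in the thread into something the build itself can verify.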