On Sun, Jul 12, 2015 at 05:56:08PM +0200, Luca Bruno wrote:
> However, as this seems to be part of repro-build (which I do care about), you
> can find a patch here that should fix it. Let me know if it works.

Woo, thanks!

> > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
>
> Isn't this an incredibly bad practice?

That builder (one I'm in the middle of writing!) runs stuff as "uid 0" inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace), which is (I believe) supported for security, i.e. it should be safe.

It's easy enough to flip the builder over to using a normal user inside the container, in the future. I was under the impression that there was a policy entry requiring stuff to be buildable as root, so I thought I'd let it run as root for now.

Otoh, I can't actually find said policy entry, nor one for requiring packages to build without networking; perhaps the latter is covered simply by the requirement that there's no dependency on anything outside of main.