Hello,

On Fri 31 Jan 2025 at 08:11pm GMT, Simon McVittie wrote:

> On Fri, 31 Jan 2025 at 19:23:07 +0000, Sean Whitton wrote:
>> On Sun 30 Jun 2024 at 11:03pm +02, Paride Legovini wrote:
>> > * I am not aware of Debian (or Ubuntu) developers actively using it.
>> > This includes autopkgtest developers, and makes the virt server not
>> > well tested.
>>
>> This statement is very surprising to me:
>> I have used it for almost every upload I have made to the archive, ever.
>
> What is your expansion of "it" here? schroot, or autopkgtest-virt-schroot?
> I think Paride was referring to a-v-schroot.

autopkgtest-virt-schroot. I have run autopkgtests locally before almost
every upload I've ever made, using autopkgtest-virt-schroot, as I
thought was standard.

>> I was under the impression that it was such a core piece of Debian's
>> toolchain that there was no way there could be plans to remove it that I
>> wasn't even aware of.
>
> Again, what is "it" here? schroot, or autopkgtest-virt-schroot?

autopkgtest-virt-schroot again.

> schroot is no longer a core part of Debian's toolchain in the way that
> it was at the time of the bookworm release, because part of the response
> to the xz-utils back door (CVE-2024-3094) was a realization that schroot
> is not designed to protect the host system from malicious code running
> as root inside the chroot ("if you are root in the chroot then you are
> root in real life"). Unfortunately, running sbuild with its schroot backend
> involves running apt, dpkg and maintainer scripts from the target suite as
> root, which means that in principle, getting malicious code into unstable
> or even experimental could have been enough to achieve a root compromise on
> the buildd (and dpkg involves xz).

I hadn't made all of these connections, so thanks.

> I am sorry that I do not have the spoons to support every container
> technology, past and present, at an equivalent level, and I am sorry that
> my attempts to re-scope my maintainer responsibilities by supporting fewer
> container managers fail to meet your expectations.

You didn't fail to meet any of my expectations. I was bothered by being
caught by surprise by something which I didn't think should have come as
a surprise, but this was caused by a disconnect between our beliefs
about what is standard, and that's just a mistake, not a failure to meet
expectations.

ISTM that sbuild&schroot and autopkgtest-virt-schroot are still
perfectly appropriate for local builds, and unshare is indeed a better
choice for the buildds. autopkgtest-virt-schroot for autopkgtests seems
fine because that's significantly less security-sensitive.

I respect your judgement, though, that autopkgtest-virt-schroot has too
high a maintenance cost given all the other context.

-- 
Sean Whitton