Guus Sliepen writes ("Re: Network access during build"):
> But should this perhaps also be enforced in our build tools? I.e., have
> dpkg-buildpackage set up an empty namespace before executing
> debian/rules? AFAIK, at the moment it's only the buildds that block
> network access. A malicious upstream could have a build process that
> only does network access when it detects that it is not running on a
> buildd or that network access is not somehow blocked.
If we do something in our build tools, the default should be to detect
attempted network accesses and fail the build if they occur, not to
silently suppress them.

This is because if we care about eliminating network accesses for the
reasons Adam explains (which I agree with), or indeed for reasons of
reliability, we want those network accesses eliminated even if the user
runs `make check' (or whatever) rather than dpkg-buildpackage, or if
they are running in an environment where the feature used for blocking
is not available, or whatever.

IOW, I think the actual tests (or whatever) that try to do network
access should be fixed in the actual source code.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.