Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
> I'm not sure what I think about that.  We have a general escape hatch
> already for non-free packages in Policy 2.2.3 that says they may not fully
> comply with Policy, which may be sufficient. 

But precisely, we _do_ want non-free packages that are built on the autobuilders
to comply with this requirement. So we do not want 2.2.3 to apply in that
specific case. It seems cleaner to say that the requirement only applies if
Autobuild: yes is declared.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Russ Allbery
Philipp Kern  writes:
> On 04.04.24 20:51, Bill Allombert wrote:

>> I still think we should allow Autobuild: no as an escape hatch.  If we
>> want to require non-free packages to be autobuildable, we should be more
>> explicit about it (and probably require more feedback from
>> debian-devel).

> There is no requirement for non-free to be autobuildable today. This
> change also does not introduce this, except for everything that is to be
> built on official builders to not require network access.

I think Bill's point is that the section of Policy being changed here
isn't only for autobuilt packages.  It sets general requirements for all
Debian packages, including non-free packages that are never autobuilt, and
therefore arguably prohibits network use during the build of a non-free
package that was never intended to build on the autobuilders, which is a
bit outside the scope of the original motivation for this change.

(I didn't understand that point at first.)

I'm not sure what I think about that.  We have a general escape hatch
already for non-free packages in Policy 2.2.3 that says they may not fully
comply with Policy, which may be sufficient.  Builds that use the network
seem like a bad idea even in non-free packages because it means we may not
be able to rebuild them since all of the relevant data is not in the
Debian source package.

-- 
Russ Allbery (r...@debian.org)  



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Philipp Kern

Hi,

On 04.04.24 20:51, Bill Allombert wrote:
> I still think we should allow Autobuild: no as an escape hatch.
> If we want to require non-free packages to be autobuildable, we should
> be more explicit about it (and probably require more feedback from
> debian-devel).


There is no requirement for non-free to be autobuildable today. This
change also does not introduce this, except for everything that is to be
built on official builders to not require network access.


There are even two stages of allowlisting today (file-based and the dsc
field).


Kind regards
Philipp Kern



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 09:25:36PM +0200, Philipp Kern wrote:
> Hi,
> 
> On 04.04.24 20:51, Bill Allombert wrote:
> > I still think we should allow Autobuild: no as an escape hatch.
> > If we want to require non-free packages to be autobuildable, we should
> > be more explicit about it (and probably require more feedback from
> > debian-devel).
> 
> There is no requirement for non-free to be autobuildable today. This change
> also does not introduce this, except for everything that is to be built on
> official builders to not require network access.

Sorry, could you point me to where the diff limits its scope to "everything
that is to be built on official builders"?

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 11:42:34AM -0700, Russ Allbery wrote:
> Tobias Frost  writes:
> > On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> 
> >> Thanks Philipp. Following that result, please find a patch proposal: 
> >> 
> >> --- a/policy/ch-source.rst
> >> +++ b/policy/ch-source.rst
> >> @@ -338,9 +338,9 @@
> >>  For example, the build target should pass ``--disable-silent-rules``
> >>  to any configure scripts.  See also :ref:`s-binaries`.
> >>  
> >> -For packages in the main archive, required targets must not attempt
> >> -network access, except, via the loopback interface, to services on the
> >> -build host that have been started by the build.
> >> +Required targets must not attempt network access, except, via the
> >> +loopback interface, to services on the build host that have been started
> >> +by the build.
> >>  
> >>  Required targets must not attempt to write outside of the unpacked
> >>  source package tree.  There are two exceptions.  Firstly, the binary
> 
> > LGTM, Seconded.
> 
> Also looks good to me.  Seconded.

I still think we should allow Autobuild: no as an escape hatch.
If we want to require non-free packages to be autobuildable, we should
be more explicit about it (and probably require more feedback from
debian-devel).

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Russ Allbery
Tobias Frost  writes:
> On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:

>> Thanks Philipp. Following that result, please find a patch proposal: 
>> 
>> --- a/policy/ch-source.rst
>> +++ b/policy/ch-source.rst
>> @@ -338,9 +338,9 @@
>>  For example, the build target should pass ``--disable-silent-rules``
>>  to any configure scripts.  See also :ref:`s-binaries`.
>>  
>> -For packages in the main archive, required targets must not attempt
>> -network access, except, via the loopback interface, to services on the
>> -build host that have been started by the build.
>> +Required targets must not attempt network access, except, via the
>> +loopback interface, to services on the build host that have been started
>> +by the build.
>>  
>>  Required targets must not attempt to write outside of the unpacked
>>  source package tree.  There are two exceptions.  Firstly, the binary

> LGTM, Seconded.

Also looks good to me.  Seconded.

-- 
Russ Allbery (r...@debian.org)  



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Tobias Frost
On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> Hi,
> 
> On 2024-04-03 12:37, Philipp Kern wrote:
> > Hi,
> > 
> > On Tue, Apr 02, 2024 at 06:58:35AM +0200, Aurelien Jarno wrote:
> > > On 2024-04-02 09:21, Sean Whitton wrote:
> > > > Hello,
> > > > 
> > > > On Mon 01 Apr 2024 at 05:29pm +02, Aurelien Jarno wrote:
> > > > 
> > > > > The debian policy, section 4.9, forbids network access for packages in
> > > > > the main archive, which implicitly means they are authorized for
> > > > > packages in contrib and non-free (and non-free-firmware once #1029211
> > > > > is fixed).
> > > > >
> > > > > This gives constraints on the build daemons infrastructure and also
> > > > > brings some security concerns. Would it be possible to extend this
> > > > > restriction to all archives?
> > > > 
> > > > We need to know if this is going to break existing packages and allow
> > > > some input from their maintainers.  Are you able to prepare a list of
> > > > the affected packages?
> > > 
> > > Fair enough. I can work on that, but help would be welcome as my
> > > resources are limited.
> > 
> > I did a test rebuild of contrib, non-free and non-free-firmware packages
> > in sid with both stable sbuild schroot and unshare backends and could
> > not find a difference in build success (i.e. what failed failed in both,
> > what succeeded succeeded in both).
> 
> Thanks Philipp. Following that result, please find a patch proposal: 
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,9 +338,9 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> -network access, except, via the loopback interface, to services on the
> -build host that have been started by the build.
> +Required targets must not attempt network access, except, via the
> +loopback interface, to services on the build host that have been started
> +by the build.
>  
>  Required targets must not attempt to write outside of the unpacked
>  source package tree.  There are two exceptions.  Firstly, the binary
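Review bot: the replacement paragraph drops the "For packages in the main archive" qualifier without putting any other scope in its place, so as written the no-network rule now binds every required target in every component, including non-free packages that are never built on the official builders, which goes beyond the stated motivation of constraining what runs on the build daemons. If the intent is only to cover builds on the official builders, say so in the sentence itself (for example by limiting it to packages that declare Autobuild: yes); otherwise the only relief for non-free is the general exemption in Policy 2.2.3, and it is worth noting that a build which fetches from the network cannot be reproduced from the Debian source package alone, which is the security and rebuildability argument for keeping the rule broad.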
> 
> Regards
> Aurelien

LGTM, Seconded.

> -- 
> Aurelien Jarno  GPG: 4096R/1DDD8C9B
> aurel...@aurel32.net http://aurel32.net



