On 09/07/2016 07:17 AM, Vincent Bernat wrote:
> One of the packages that I maintain (python-asyncssh) makes a DNS request
> during build and expects it to fail. Since Policy 4.9 forbids network
> access (in a rather confusing wording "may not"), I got this serious
> bug:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
>
> The fix is easy: just disable the test.
>
> However, I have a hard time finding this useful for anyone. To sum up:
>
> - patching the test suite requires maintaining the patch forever
> - both pbuilder and sbuild are using an isolated network namespace
> - package builds reproducibly with or without network access
>
> I have the impression that enforcing every word of the policy in the
> hard sense can bring endless serious bugs. This particular occurrence
> affected about 70 packages. I appear as a bad maintainer because I don't
> feel this is an important bug.
>
> Any thoughts?
Well, the problem mentioned in the bug report is not only the package itself, but the information leak created by the DNS request. And I think that really is something you should fix, because package builds should really not cause _any_ network traffic, even if said traffic doesn't actually affect the result of the build. I don't think this is an overly strict interpretation of the policy, but rather its intention.

However, instead of disabling the test via a patch, there is a solution where you can have your cake and eat it too. And it's even in Debian. :-)

There's a piece of software called nss_wrapper, written by the Samba people, that allows you to modify glibc's DNS functions' (getaddrinfo, gethostbyname, ...) behavior via an LD_PRELOAD library. It's called nss_wrapper:

Upstream website: https://cwrap.org/nss_wrapper.html
Debian package: https://packages.debian.org/unstable/libnss-wrapper

That way, you can force host name resolution to not use DNS for your test suite (via just using a hosts file), then there will be no network access during package build, and you don't have to keep rebasing a patch. And, even better, IF there is a host name called 'fail' on the local network, using nss_wrapper the package build will still succeed.

Hope that helps.

Regards,
Christian
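To make the mechanism above concrete, here is an added example (mine, not Christian's and not code from the nss_wrapper project): a minimal LD_PRELOAD shim that interposes glibc's getaddrinfo() so that names are answered only from a hosts-style file (path taken from an assumed variable FAKE_HOSTS) or, when that is unset, from a constructed table embedded in the file. A name that is not listed fails with EAI_NONAME immediately, which is the property that keeps a test such as "resolving 'fail' must fail" from ever sending a DNS query. Numeric literals are passed through as a real resolver would. The sample hosts entries (192.0.2.10, testhost) are made up for the example.

```c
/* fakehosts.c: toy LD_PRELOAD shim in the spirit of nss_wrapper (example code).
 * Build: gcc -shared -fPIC -o libfakehosts.so fakehosts.c
 * Use:   LD_PRELOAD=./libfakehosts.so FAKE_HOSTS=./hosts.txt \
 *          python3 -c 'import socket; socket.getaddrinfo("fail", 22)'
 * FAKE_HOSTS is an assumed variable name, not an nss_wrapper option. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Constructed hosts table used when FAKE_HOSTS is unset (sample data only). */
static const char builtin_hosts[] =
    "127.0.0.1 localhost\n"
    "# comments and blank lines are ignored\n"
    "\n"
    "192.0.2.10 testhost.example testhost\n";

/* Find NAME in hosts-file TEXT ("ip name [alias...]" per line); copy the
 * address into OUT. Returns 1 on hit, 0 on miss. Case-insensitive on names. */
int hosts_lookup_text(const char *text, const char *name, char *out, size_t outlen)
{
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *save = NULL;
            char *ip = strtok_r(buf, " \t", &save);
            if (ip && ip[0] != '#') {
                for (char *a = strtok_r(NULL, " \t", &save); a && a[0] != '#';
                     a = strtok_r(NULL, " \t", &save)) {
                    if (strcasecmp(a, name) == 0) {
                        snprintf(out, outlen, "%s", ip);
                        return 1;
                    }
                }
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Slurp the FAKE_HOSTS file into a malloc'd string; NULL if unset/unreadable. */
static char *read_hosts_file(void)
{
    const char *path = getenv("FAKE_HOSTS");
    FILE *f = path ? fopen(path, "r") : NULL;
    if (!f) return NULL;
    size_t cap = 4096, n = 0, r;
    char *buf = malloc(cap);
    while (buf && (r = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += r;
        if (n + 1 >= cap) { cap *= 2; char *nb = realloc(buf, cap); if (!nb) free(buf); buf = nb; }
    }
    if (buf) buf[n] = '\0';
    fclose(f);
    return buf;
}

/* Interposed getaddrinfo(): IPv4 only, table or numeric literal, never DNS. */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res)
{
    char ip[INET_ADDRSTRLEN];
    struct in_addr tmp;
    if (!node) return EAI_NONAME;                       /* AI_PASSIVE not handled */
    int hit = inet_pton(AF_INET, node, &tmp) == 1;      /* numeric literal passes */
    if (hit) snprintf(ip, sizeof ip, "%s", node);
    else {
        char *file = read_hosts_file();
        hit = hosts_lookup_text(file ? file : builtin_hosts, node, ip, sizeof ip);
        free(file);
    }
    if (!hit) return EAI_NONAME;                        /* unknown: fail, no DNS */
    /* addrinfo and sockaddr_in in one block; ai_canonname stays NULL. */
    struct addrinfo *ai = calloc(1, sizeof *ai + sizeof(struct sockaddr_in));
    if (!ai) return EAI_MEMORY;
    struct sockaddr_in *sin = (struct sockaddr_in *)(ai + 1);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(service ? (unsigned short)atoi(service) : 0);
    inet_pton(AF_INET, ip, &sin->sin_addr);
    ai->ai_family = AF_INET;
    ai->ai_socktype = hints ? hints->ai_socktype : SOCK_STREAM;
    ai->ai_protocol = hints ? hints->ai_protocol : 0;
    ai->ai_addrlen = sizeof *sin;
    ai->ai_addr = (struct sockaddr *)sin;
    *res = ai;
    return 0;
}

/* Interposed freeaddrinfo(), matching the single-block allocation above. */
void freeaddrinfo(struct addrinfo *ai)
{
    while (ai) { struct addrinfo *next = ai->ai_next; free(ai); ai = next; }
}

/* Resolve NAME to dotted-quad OUT; returns 0 or the EAI_* code. */
int resolve_ipv4(const char *name, char *out, size_t outlen)
{
    struct addrinfo *r = NULL;
    int rc = getaddrinfo(name, "22", NULL, &r);
    if (rc != 0) return rc;
    inet_ntop(AF_INET, &((struct sockaddr_in *)r->ai_addr)->sin_addr, out, (socklen_t)outlen);
    freeaddrinfo(r);
    return 0;
}

int main(void)
{
    const char *names[] = { "fail", "testhost", "localhost" };
    for (size_t i = 0; i < 3; i++) {
        char ip[INET_ADDRSTRLEN];
        int rc = resolve_ipv4(names[i], ip, sizeof ip);
        printf("%-9s -> %s\n", names[i], rc == 0 ? ip : gai_strerror(rc));
    }
    return 0;
}
```

Two caveats apply equally to this shim and to nss_wrapper: LD_PRELOAD only affects dynamically linked programs that resolve through the C library (statically linked binaries, setuid binaries and programs with their own DNS client are not covered), and the shim must refuse unknown names rather than fall through to the real resolver, or the DNS packet still leaves the build host. The check a maintainer should run is the build itself under an empty network namespace, for example `unshare -n dpkg-buildpackage ...`, and confirm the test suite still passes.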