On 09/07/2016 07:43 AM, Christian Seiler wrote:
> On 09/07/2016 07:17 AM, Vincent Bernat wrote:
>> One of the packages that I maintain (python-asyncssh) makes a DNS request
>> during build and expects it to fail. Since Policy 4.9 forbids network
>> access (in a rather confusing wording "may not"), I got this serious
>> bug:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
>>
>> The fix is easy: just disable the test.
>>
>> However, I have a hard time finding this useful for anyone. To sum up:
>>
>> - patching the test suite requires maintaining the patch forever
>> - both pbuilder and sbuild are using an isolated network namespace
>> - the package builds reproducibly with or without network access
>>
>> I have the impression that enforcing every word of the policy in the
>> hard sense can bring endless serious bugs. This particular occurrence
>> affected about 70 packages. I appear as a bad maintainer because I don't
>> feel this is an important bug.
>>
>> Any thoughts?
>
> Well, the problem mentioned in the bug report is not only the
> package itself, but the information leak created by the DNS
> request. And I think that really is something you should fix,
> because package builds should really not cause _any_ network
> traffic, even if said traffic doesn't actually affect the
> result of the build. I don't think this is an overly strict
> interpretation of the policy, but rather its intention.
>
> However, instead of disabling the test via a patch, there is a
> solution where you can have your cake and eat it too. And it's
> even in Debian. :-)
>
> There's a piece of software called nss_wrapper, written by the
> Samba people, that allows you to modify glibc's DNS functions'
> (getaddrinfo, gethostbyname, ...) behavior via an LD_PRELOAD
> library. It's called nss_wrapper;
>
> Upstream website:
> https://cwrap.org/nss_wrapper.html
>
> Debian package:
> https://packages.debian.org/unstable/libnss-wrapper
>
> That way, you can force host name resolution to not use DNS for
> your test suite (via just using a hosts file), then there will
> be no network access during package build, and you don't have
> to keep rebasing a patch. And, even better, IF there is a host
> name called 'fail' on the local network, using nss_wrapper the
> package build will still succeed.
>
> Hope that helps.
>
> Regards,
> Christian

This seems a pretty good solution to the problem. Could you show an example
in a package that does that, or maybe a patch for this kind of bug that
Lamby opened?

Cheers,

Thomas Goirand (zigo)
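An added example (not from this thread, and not the packaging of python-asyncssh) of wiring the nss_wrapper approach Christian describes into a test run: a small hosts file is written, libnss_wrapper.so is LD_PRELOADed with NSS_WRAPPER_HOSTS pointing at that file, and a name is probed through getent, which goes through glibc's resolver functions and is therefore intercepted. The library search paths, the hosts file contents and the name fail.invalid (a reserved TLD standing in for the test suite's unresolvable host) are assumptions made here.

```shell
#!/bin/sh
# Added example; not code from the thread or from any Debian package.
# Assumes the libnss-wrapper package is installed (Build-Depends in a
# real package) and that the test suite expects "fail.invalid" not to
# resolve.

# Write a minimal hosts file for nss_wrapper. Only the names listed here
# are known to the wrapped resolver; nothing in it points at DNS.
write_nss_hosts() {
    hosts="$1"
    cat > "$hosts" <<'EOF'
127.0.0.1   localhost
::1         localhost
EOF
    echo "$hosts"
}

# Locate the preload library. The candidate paths are an assumption
# covering Debian's multiarch layout and a couple of common alternatives.
find_nss_wrapper() {
    for f in /usr/lib/*/libnss_wrapper.so \
             /usr/lib64/libnss_wrapper.so \
             /usr/lib/libnss_wrapper.so; do
        if [ -f "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Run a command with glibc's host lookups redirected to the hosts file.
# LD_PRELOAD and NSS_WRAPPER_HOSTS are the knobs nss_wrapper reads.
run_wrapped() {
    hosts="$1"
    shift
    lib=$(find_nss_wrapper) || {
        echo "libnss_wrapper.so not found; install libnss-wrapper" >&2
        return 127
    }
    LD_PRELOAD="$lib" NSS_WRAPPER_HOSTS="$hosts" "$@"
}

# Probe a name the way a test suite would: getent hosts calls into
# glibc's gethostbyname/getaddrinfo family, which nss_wrapper hooks.
# Prints "resolved" or "unresolved".
probe_name() {
    hosts="$1"
    name="$2"
    if run_wrapped "$hosts" getent hosts "$name" >/dev/null 2>&1; then
        echo resolved
    else
        echo unresolved
    fi
}
```

In a package this would sit in debian/rules (for instance an override_dh_auto_test target that exports LD_PRELOAD and NSS_WRAPPER_HOSTS around the test invocation) with libnss-wrapper in Build-Depends. The check worth doing before relying on it: run the probe for the unresolvable name inside the isolated network namespace that sbuild or pbuilder provides and confirm both that it reports unresolved and that nothing reaches the network (tcpdump on the namespace, or simply the absence of a resolver socket in strace), rather than assuming what the wrapper does for names missing from its hosts file.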