On Sun, Jul 12, 2015 at 05:56:08PM +0200, Luca Bruno wrote:
> However, as this seems to be part of repro-build (which I do care about), you
> can find a patch here that should fix it. Let me know if it works.

Woo, thanks!

> > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
>
> Isn't this an incredibly bad practice?

That builder (one I'm in the middle of writing!) runs stuff as "uid 0" inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace), which is (I believe) supported for security, i.e. it should be safe.

It's easy enough to flip the builder over to using a normal user inside the container, in the future.

I was under the impression that there was a policy entry requiring stuff to be buildable as root, so I thought I'd let it run as root for now. Otoh, I can't actually find said policy entry, nor one for requiring packages to build without networking; perhaps the latter covered simply by the requirement that there's no dependency on anything outside of main.
