On Sun, Jul 12, 2015 at 05:56:08PM +0200, Luca Bruno wrote:
> However, as this seems to be part of repro-build (which I do care about), you
> can find a patch here that should fix it. Let me know if it works.
>
> > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
> Isn't this an incredibly bad practice?

That builder (one I'm in the middle of writing!) runs stuff as "uid 0"
inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace),
which is (I believe) supported for security, i.e. it should be safe.
It's easy enough to flip the builder over to using a normal user
inside the container, in the future.

I was under the impression that there was a policy entry requiring stuff
to be buildable as root, so I thought I'd let it run as root for now.
Otoh, I can't actually find said policy entry, nor one for requiring
packages to build without networking; perhaps the latter covered simply
by the requirement that there's no dependency on anything outside of