On Sun, Jul 12, 2015 at 05:56:08PM +0200, Luca Bruno wrote:
> However, as this seems to be part of repro-build (which I do care about), you 
> can find a patch here that should fix it. Let me know if it works.

Woo, thanks!


> > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
> 
> Isn't this an incredibly bad practice?

That builder (one I'm in the middle of writing!) runs stuff as "uid 0"
inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace),
which is (I believe) supported for security, i.e. it should be safe.
It's easy enough to flip the builder over to using a normal user
inside the container, in the future.

I was under the impression that there was a policy entry requiring stuff
to be buildable as root, so I thought I'd let it run as root for now.
OTOH, I can't actually find said policy entry, nor one requiring
packages to build without networking; perhaps the latter is covered
simply by the requirement that there's no dependency on anything
outside of main.


_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
