> I think not. IMHO dpb would be a far better place to control privs.
>
> The current scaffold calls systrace for individual build stages that
> have reduced privileges. A diff to remove it gets rid of calls to
> _SYSTRACE_CMD or to variables including _SYSTRACE_CMD in 29 places.
> Coverage is variable and it's a pain to have different policies for
> different things so we have things like "make patch" is protected
> but "make fetch" isn't.

And it gets worse when ports redefine some targets.

--
Antoine
