On Wed, Oct 23, 2013 at 09:53:07AM +0200, Martin Pitt wrote:
> Stéphane Graber [2013-10-21 18:45 -0400]:
> > That's pretty much my plan, find a way to get schroot to interface with
> > LXC (or just unshare the netns directly). Need something a bit more
> > clever than just blocking access completely though since you still want
> > to grab the build-depends, but passing a socket to a small proxy would
> > be a way, creating a veth pair would be another (and using iptables to
> > block non-archive traffic).
>
> Or just calling dpkg-buildpackage within sbuild through unshare -n?

There exist packages that take advantage of the fact that they can talk
to the archive even during the build; e.g. grub2-signed. So I think we'd
want something that's a more accurate match to the real-world
firewalling behaviour.

-- 
Colin Watson [[email protected]]
