cvs commit: ports/databases/pg_filedump Makefile

Baptiste Daroussin bapt at FreeBSD.org
Wed May 23 14:06:15 UTC 2012


On Wed, May 23, 2012 at 03:53:58PM +0200, Pav Lucistnik wrote:
> Bernhard Froehlich wrote on Wed, 23. 05. 2012 at 15:47 +0200:
> > On 23.05.2012 15:39, Pav Lucistnik wrote:
> > > Martin Wilke wrote on Wed, 23. 05. 2012 at 13:34 +0000:
> > >> miwi        2012-05-23 13:34:12 UTC
> > >>
> > >>   FreeBSD ports repository
> > >>
> > >>   Modified files:
> > >>     databases/pg_filedump Makefile
> > >>   Log:
> > >>   - Switch to FETCH_DEPENDS to fix fetch during build
> > >
> > > How is this supposed to work? The log message makes no sense.
> > 
> > The problem that this fixes is when you are building in jails
> > and restrict internet access to the "fetch" target like
> > pointyhat-west, redports.org and poudriere already do.
> 
> Well, the restriction was put in place for a reason 1*), and now you're
> working around that very reason. So just remove the restriction from
> pointyhat and problem solved.
> 
> What you are doing now is a nonsensical hack and I have to ask you to
> back it out.
> 
> 
> 1*) To have full control over what is being fetched from Internets, with
> help of checksums and distinfo lists.
> 

Maybe, in that case it will be good to define what we really want/need and what
clusteradm and security people will accept.

Should network access be restricted at any moment during the package building,
on an automated build environment? If yes, what phases are to be expected to be
restricted?

Possibilities are:
- plain access until build target and no access from build target to the end?
  (what about tests that need network access, should we allow them?)
- plain access during the whole phases but build?
- plain access all the time?
- [insert your proposition here :)]

The restriction in the case of redports was a requirement (Bernhard has more
information about this than I do).

Once it is decided changing pointyhat, redports, poudriere and upcoming jailed
tinderbox is easy.

In my mind I see the fetch target as all I need to build that package should be
done by it and that is why it has been implemented that way.

Now if there is something more clever to do please share and we will do that,
(and update the porters handbook accordingly)

Keep in mind the security requirements.

regards,
Bapt