Unexpected dependencies of graphics/libGL

Luís Fernando Schultz Xavier da Silveira schultz at ime.usp.br
Wed Jan 20 03:15:53 UTC 2016


Hi,

In a nutshell, the point is that the build dependencies should not be
there at all. Keeping them in a jail is not a proper solution because
they can still influence the host system (since the packages resulting
from computations done in the jail will be installed in the host).

On Tue, 19 Jan 2016 09:12:57 -0500
kpneal at pobox.com wrote:

> On Tue, Jan 19, 2016 at 06:34:38AM +0000, Luís Fernando Schultz Xavier da Silveira wrote:
> > Hello,
> > 
> > > But this is not different from how ports are being built in
> > > the regular ports tree: Compilation tools could be compromised
> > > or package content could be affected. The typical "make install"
> > > will generate a package which is then installed via pkg.
> > 
> > Indeed, it is not different, and that is my point.
> 
> Huh? When did this turn into a discussion about security?
> 
> You can do a small amount of work and have security concerns or you can
> do much more work and have the exact same security concerns. I really don't
> see how this reflects badly on Poudriere.
> 
> I thought this was a discussion about how to avoid having build dependencies
> installed when all you wanted was the run-time dependencies. Poudriere
> handles this nicely without all that mucking about with locking packages,
> keeping your ports tree in sync with the one checked out at freebsd.org,
> etc.
> 
> -- 
> Kevin P. Neal                                http://www.pobox.com/~kpn/
> 
>    "I like being on The Daily Show." - Kermit the Frog, Feb 13 2001
> 

