[pacman-dev] [suggestion] Sandboxed package building
It is well known that Gentoo builds packages in a sandbox environment. It protects from badly written build scripts [1] as well as some other threats.

I suggest that ArchLinux can build packages in such a sandbox, and this behavior can be easily configured via makepkg.conf.

It seems that sandbox and lib32-sandbox ported from Gentoo in AUR work fine on Arch.[2] So why doesn't Arch build packages in a sandbox? I admit that sandbox is not always safe, but it does protect.

Notes:
[1]: scripts like this: rm -Rf ${pkgdirr}/home
since ${pkgdirr} is mistyped, it will be `rm -Rf /home`
[2]: https://aur.archlinux.org/packages/sandbox/ ... and https://aur.archlinux.org/packages/lib32-sandbox/
BlissSam <m13253@hotmail.com> wrote:
It is well known that Gentoo builds packages in a sandbox environment. It protects from badly written build scripts [1] as well as some other threats.
I suggest that ArchLinux can build packages in such a sandbox, and this behavior can be easily configured via makepkg.conf.
It seems that sandbox and lib32-sandbox ported from Gentoo in AUR work fine on Arch.[2] So why doesn't Arch build packages in a sandbox? I admit that sandbox is not always safe, but it does protect.
Notes: [1]: scripts like this: rm -Rf ${pkgdirr}/home since ${pkgdirr} is mistyped, it will be `rm -Rf /home`
[2]: https://aur.archlinux.org/packages/sandbox/ ... and https://aur.archlinux.org/packages/lib32-sandbox/
Have you looked at devtools? Extra-*-build builds in a clean chroot. Besides, users should be reading PKGBUILDs before running makepkg.

--
Sent from my Android Phone.
Daniel Wallace
Arch Linux Trusted User
GTManfred
On Wed, 15 May 2013 12:14:46 -0500, <danielwallace@gtmanfred.com> wrote:
Have you looked at devtools? Extra-*-build builds in a clean chroot. Besides, users should be reading pkgbuilds before running makepkg.
It is true as you have said, however:

1. Does providing this feature cost a lot of time developing? If so, it is really better to give up implementing such a tiny function. IMHO, it is similar to implementing fakeroot during package().

2. Not all PKGBUILDs with something badly written can be recognized by the user at first glance. I have once met a poor Makefile which even wrote temporary files in my home dir. (Though this kind of Makefile is hard to meet, it does cause trouble.) It is really hard to figure out only by reading the PKGBUILD.

3. Chrooted building is necessary for maintainers; however, sandbox is useful for normal users (non-maintainers) as they do not have time to maintain a separate chroot environment.

4. 'Users should be reading PKGBUILDs.' It is true. I read every PKGBUILD when I make packages. But isn't it better if there is another protective layer such as sandbox?
On Wed, May 15, 2013 at 7:31 PM, BlissSam <m13253@hotmail.com> wrote:
On Wed, 15 May 2013 12:14:46 -0500, <danielwallace@gtmanfred.com> wrote:
Have you looked at devtools? Extra-*-build builds in a clean chroot. Besides, users should be reading pkgbuilds before running makepkg.
It is true as you have said, however:
1. Does providing this feature cost a lot of time developing? If so, it is really better to give up implementing such a tiny function. IMHO, it is similar to implementing fakeroot during package().
2. Not all PKGBUILDs with something badly written can be recognized by the user at first glance. I have once met a poor Makefile which even wrote temporary files in my home dir. (Though this kind of Makefile is hard to meet, it does cause trouble.) It is really hard to figure out only by reading the PKGBUILD.
3. Chrooted building is necessary for maintainers; however, sandbox is useful for normal users (non-maintainers) as they do not have time to maintain a separate chroot environment.
4. 'Users should be reading PKGBUILDs.' It is true. I read every PKGBUILD when I make packages. But isn't it better if there is another protective layer such as sandbox?
Just my 2 cents, but building in a chroot using devtools isn't exactly more time consuming than doing it with makepkg. It is as simple as running 'sudo repo-arch-build' followed by 'pacman -U path_to_package' instead of 'makepkg -cis'. Put this in a nice shell function and you're good to go (I use 'chbuild repo arch [-options]' from a function defined in my .zshrc).

Cheers.

--
Maxime
On 15.05.2013 19:31, BlissSam wrote:
3. Chrooted building is necessary for maintainers; however, sandbox is useful for normal users (non-maintainers) as they do not have time to maintain a separate chroot environment.
You clearly have not looked at devtools at all. Please do so before continuing.
On Wed, May 15, 2013 at 6:26 PM, BlissSam <m13253@hotmail.com> wrote:
It is well known that Gentoo builds packages in a sandbox environment. It protects from badly written build scripts [1] as well as some other threats.
I suggest that ArchLinux can build packages in such a sandbox, and this behavior can be easily configured via makepkg.conf.
It seems that sandbox and lib32-sandbox ported from Gentoo in AUR work fine on Arch.[2] So why doesn't Arch build packages in a sandbox? I admit that sandbox is not always safe, but it does protect.
Notes: [1]: scripts like this: rm -Rf ${pkgdirr}/home since ${pkgdirr} is mistyped, it will be `rm -Rf /home`
Seriously, but isn't that why makepkg shouldn't be executed as root user? Arch's build system essentially does this by implementing the temporary root dir in $pkgdir. This is a terrible example, since I'm fairly sure pkgdir is not available in *.install functions, and you're not supposed to meddle with installed files in that part. Please first read about abs and how it comes with its own safeties.

cheers!
mar77i
participants (5)
- BlissSam
- Daniel Wallace
- Martti Kühne
- Maxime GAUDUIN
- Thomas Bächler