Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#35350 - Sandboxed package building
Attached to Project:
Pacman
Opened by Star Brilliant (m13253) - Saturday, 18 May 2013, 12:31 GMT
Last edited by Allan McRae (Allan) - Saturday, 18 May 2013, 12:37 GMT
Details
Summary and Info:
It is well known that Gentoo builds packages in a sandbox environment. It protects from badly written build scripts [1] as well as some other threats.

I suggest that Arch Linux can build packages in such a sandbox, and this behavior can be easily configured via makepkg.conf.

It seems that sandbox and lib32-sandbox ported from Gentoo in AUR work fine on Arch. [2] So why doesn't Arch build packages in a sandbox?

I admit that sandbox is not always safe and is easy to break out of [3], but it does protect.

Many other developers suggest using chroot to build a task. But I think it is far beyond necessity. Maintaining a chroot environment is far more complicated than executing sandbox before makepkg.

P.S.: I have posted here as well as the mailing list [4], though it may not be appropriate to post multiple times, I just want more comments on my idea.

Notes:
[1]: If you have a PKGBUILD script like this:
    rm -Rf ${pkgdirr}/home
since ${pkgdirr} is mistyped, it will be `rm -Rf /home`
[2]: https://aur.archlinux.org/packages/sandbox/ ... and https://aur.archlinux.org/packages/lib32-sandbox/
[3]: export SANDBOX_ON="0"
[4]: https://mailman.archlinux.org/pipermail/pacman-dev/2013-May/017186.html
Closed by Allan McRae (Allan)
Saturday, 18 May 2013, 12:37 GMT
Reason for closing: Won't implement
Additional comments about closing: Use devtools.
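The typo from note [1] next to two shell-level guards against it, as an added example that is not part of the original report or of pacman's code. The would_remove and report helpers and the /tmp/build/pkg path are constructed for illustration, and rm is stubbed so nothing is deleted.

```bash
# Constructed demo of the mistyped-variable hazard from note [1].
# rm is replaced by a function that only reports its arguments.

# would_remove OPTS SNIPPET
#   Runs SNIPPET in a clean child shell where pkgdir is set and the mistyped
#   pkgdirr is not. Prints the arguments rm would have received; prints
#   nothing and returns non-zero if the shell aborted before reaching rm.
would_remove() {
    # $1 is intentionally unquoted: an empty value must vanish from the command.
    env -i PATH="$PATH" pkgdir="/tmp/build/pkg" \
        sh $1 -c 'rm() { printf "%s\n" "$*"; }; '"$2" 2>/dev/null
}

typo='rm -Rf ${pkgdirr}/home'          # the line from note [1]
guarded='rm -Rf "${pkgdirr:?}/home"'   # same typo, expansion must be non-empty
correct='rm -Rf "${pkgdir:?}/home"'    # intended variable, same guard

# report LABEL OPTS SNIPPET: one summary line per case.
report() {
    if out=$(would_remove "$2" "$3"); then
        printf '%-26s rm %s\n' "$1" "$out"
    else
        printf '%-26s aborted before rm\n' "$1"
    fi
}

report 'typo, default shell:'   ''   "$typo"
report 'typo, sh -u (nounset):' '-u' "$typo"
report 'typo, ${var:?} guard:'  ''   "$guarded"
report 'correct name, guarded:' ''   "$correct"
```

Both guards stop the shell at the expansion, before rm is ever invoked, which is independent of whether the build runs inside a sandbox, fakeroot or a chroot.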
and I have also seen the contents of devtools,
however I have not figured out how to build a package in a protected environment without using chroot.
Would you please tell me how to get my point?
Okay... I do not expect to change your idea but I will myself type 'sandbox' before I execute yaourt.
Thank you a lot, anyway.
it's not meant to be a secure sandbox though
For people who are familiar with the Debian "fakeroot" project or the RPM based
"InstallWatch", sandbox is in the same vein of projects.
We use fakeroot for packaging and run as the user for building. I'm not sure what extra you want to achieve here.
> devtools uses systemd-nspawn now, so it's more than just a chroot
That's cool! Thanks! I have read the source code but thought that it was just chroot... How silly I am!
Thank you and I will stop discussing this topic.