FS#49965 - [makepkg] Build packages in isolation

Attached to Project: Pacman
Opened by TesX (tesfabpel) - Wednesday, 06 July 2016, 06:30 GMT
Last edited by Allan McRae (Allan) - Friday, 30 December 2016, 02:41 GMT
Task Type: Feature Request
Category: makepkg
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: 5.0.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Summary and Info:
When trying to install the AUR package `itch` (https://aur.archlinux.org/packages/itch/), the PKGBUILD executes some actions that will affect the system and escape the package manager's control, as reported in comments by some users...

Could this be fixed by limiting write access only to the build directory of makepkg?
Is there any reason not to?

Steps to Reproduce:
Try to install some misbehaving package (for example, itch)

Closed by Allan McRae (Allan)
Friday, 30 December 2016, 02:41 GMT
Reason for closing: Deferred
Additional comments about closing: devtools is the current solution.

Comment by Dave Reisner (falconindy) - Wednesday, 06 July 2016, 10:50 GMT
devtools already provides this by maintaining and building in a separate chroot.
Comment by Frederik “Freso” S. Olesen (Freso) - Tuesday, 23 August 2016, 13:50 GMT
Building some packages will write to e.g., $HOME. It would be really nice if makepkg would completely sandbox its filesystem.
Comment by Doug Newgard (Scimmia) - Tuesday, 23 August 2016, 13:56 GMT
Which is what devtools does.

PKGBUILDs are Bash; they can do stupid things. The one in question does stupid things (npm install).
