Am Mittwoch, 7. März 2012, 07:52:01 schrieb Helio Chissini de Castro:
Hello
On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
Am Dienstag, 6. März 2012, 08:17:27 schrieb Helio Chissini de Castro:
...
I'm open to opinions, ideas of how far we can go, improve the script and if maybe we can adapt this to upstream in future.
Having a first look, it seems you do not install VMINSTALL packages, but do install all packages in preinstall phase.
Fr the first test, i ignored VMINSTALL, since we're using only chroot based installs, but as soon this progress, of course VMINSTALL will be put in the lop. Is just i just not handled that yet
Also, are you sure that debootstrap is really never executing scripts during this phase ? I doubt that. But when it is executing scripts this approach is actually a security problem, because you can take over the worker. debootstrap is an old reliable tool in debian, andd is a single shell script that can easily been read. I understand your security concerns, but debootstrap puts everything inside chroot from doenloaded packages and then i return the control for init_buildsystem.
chroot is not enough to be secure.
The proper way would be debootstrap download packages itself, making the my life easier, but this would ignore completly the cache system of obs, which is not desired.
But does it call dpkg to install the packages and that calls the scripts from the package ? There is no way how you can make that secure. It always means as consequence that any user from any project as full control over your worker easily. That means also as consequence that he can deliver build results for any project/repo and you can't even trace it from where it comes.
Also, I think you can not enforce anymore to ignore dependencies or to downgrade versions which is required in some situations.
The packages to install is passed by init_buildsystem list, so debootstrap knows how to handle this. If not works, the error is in the packaging, not the tool. If in the package list provided by init_buildsystem we have dowgraded packages, it supposes to work.
It does no dependency resolution on its own ?
[]'s -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
-- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org