Mailinglist Archive: opensuse-buildservice (170 mails)

Re: [opensuse-buildservice] Debootstrap as a replacement of debian chroot creation in obs
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Wed, 07 Mar 2012 12:07:21 +0100
  • Message-id: <1727529.ZBmApLsKN2@scherben>
On Wednesday, 7 March 2012, 07:52:01, Helio Chissini de Castro wrote:
Hello

On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote:

...

I'm open to opinions, ideas of how far we can go, improve the script and if
maybe we can adapt this to upstream in future.

Having a first look, it seems you do not install VMINSTALL packages, but do
install all packages in preinstall phase.

For the first test, I ignored VMINSTALL, since we're using only chroot based
installs, but as soon as this progresses, of course VMINSTALL will be put in
the loop. It's just that I have not handled that yet.

Also, are you sure that debootstrap is really never executing scripts
during this phase? I doubt that. But when it is executing scripts this
approach is actually a security problem, because you can take over the
worker.
debootstrap is an old reliable tool in Debian, and is a single shell script
that can easily be read. I understand your security concerns, but
debootstrap puts everything inside the chroot from downloaded packages and
then I return the control to init_buildsystem.

chroot is not enough to be secure.

The proper way would be for debootstrap to download packages itself, making
my life easier, but this would completely ignore the cache system of obs,
which is not desired.

But does it call dpkg to install the packages, and does that call the scripts
from the package?

There is no way you can make that secure. As a consequence, it always means
that any user from any project easily has full control over your worker. That
also means, as a consequence, that he can deliver build results for any
project/repo and you can't even trace where they come from.

Also, I think you can no longer enforce ignoring dependencies or downgrading
versions, which is required in some situations.

The packages to install are passed by the init_buildsystem list, so
debootstrap knows how to handle this. If it does not work, the error is in
the packaging, not the tool. If the package list provided by
init_buildsystem contains downgraded packages, it is supposed to work.

It does no dependency resolution on its own?

[]'s
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
