Mailinglist Archive: opensuse-buildservice (276 mails)

Re: [opensuse-buildservice] Debootstrap as a replacement of debian chroot creation in obs
On Wed, Mar 07, 2012 at 12:07:21PM +0100, Adrian Schröter wrote:
On Wednesday, 7 March 2012, 07:52:01, Helio Chissini de Castro wrote:
Hello

On Wednesday 07 March 2012 09:43:08 Adrian Schröter wrote:
On Tuesday, 6 March 2012, 08:17:27, Helio Chissini de Castro wrote:

...

I'm open to opinions, ideas of how far we can go, improve the script and
if maybe we can adapt this to upstream in future.

Having a first look, it seems you do not install VMINSTALL packages, but
do install all packages in preinstall phase.

For the first test, I ignored VMINSTALL, since we're using only chroot based
installs, but as soon as this progresses, of course VMINSTALL will be put in the
loop. It's just that I have not handled that yet.

Also, are you sure that debootstrap is really never executing scripts
during this phase? I doubt that. But when it is executing scripts, this
approach is actually a security problem, because you can take over the
worker.

debootstrap is an old reliable tool in Debian, and is a single shell script
that can easily be read. I understand your security concerns, but
debootstrap puts everything inside chroot from downloaded packages and then
I return the control for init_buildsystem.

chroot is not enough to be secure.

What Adrian means is that it's ok to use debootstrap *after* the
preinstall phase, thus in the virtual machine. It mustn't be
done outside the virtual machine for security reasons.

Cheers,
Michael.

--
Michael Schroeder mls@xxxxxxx
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}