Date: Wed, 23 May 2012 16:06:11 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Pav Lucistnik <pav@FreeBSD.org>
Cc: cvs-ports@FreeBSD.org, ports-committers@FreeBSD.org, Bernhard Froehlich <decke@FreeBSD.org>, cvs-all@FreeBSD.org, Martin Wilke <miwi@FreeBSD.org>
Subject: Re: cvs commit: ports/databases/pg_filedump Makefile
Message-ID: <20120523140611.GA64580@ithaqua.etoilebsd.net>
In-Reply-To: <1337781238.2024.7.camel@pav.hide.vol.cz>
References: <201205231334.q4NDYCMQ078804@repoman.freebsd.org> <1337780396.2024.2.camel@pav.hide.vol.cz> <9b15e44319f017bff90bc3caa1de79d9@bluelife.at> <1337781238.2024.7.camel@pav.hide.vol.cz>

On Wed, May 23, 2012 at 03:53:58PM +0200, Pav Lucistnik wrote:
> Bernhard Froehlich wrote on Wed 23. 05. 2012 at 15:47 +0200:
> > On 23.05.2012 15:39, Pav Lucistnik wrote:
> > > Martin Wilke wrote on Wed 23. 05. 2012 at 13:34 +0000:
> > >> miwi 2012-05-23 13:34:12 UTC
> > >>
> > >> FreeBSD ports repository
> > >>
> > >> Modified files:
> > >> databases/pg_filedump Makefile
> > >> Log:
> > >> - Switch to FETCH_DEPENDS to fix fetch during build
> > >
> > > How is this supposed to work? The log message makes no sense.
> >
> > The problem that this fixes is when you are building in jails
> > and restrict internet access to the "fetch" target like
> > pointyhat-west, redports.org and poudriere already do.
>
> Well, the restriction was put in place for a reason 1*), and now you're
> working around that very reason. So just remove the restriction from
> pointyhat and problem solved.
>
> What you are doing now is a nonsensical hack and I have to ask you to
> back it out.
>
>
> 1*) To have full control over what is being fetched from Internets, with
> help of checksums and distinfo lists.
>

Maybe, in that case it will be good to define what we really want/need and
what clusteradm and security people will accept.

Should network access be restricted at any moment during the package building,
on automated build environment, if yes what phases are to be expected to be
restricted?

Possibilities are:
- plain access until build target and no access from build target to the end?
  (what about tests that need network access should we allow them?)
- plain access during the whole phases but build?
- plain access all the time?
- [insert your proposition here :)]

The restriction in case of redports was a requirement (Bernhard has more
information about this than I do)

Once it is decided changing pointyhat, redports, poudriere and upcoming jailed
tinderbox is easy.

In my mind I see the fetch target as all I need to build that package should
be done by it and that is why it has been implemented that way.

Now if there is something more clever to do please share and we will do that,
(and update the porters handbook accordingly) keep in mind the security
requirements.

regards,
Bapt