Date: Wed, 23 May 2012 16:06:11 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Pav Lucistnik <pav@FreeBSD.org>
Message-ID: <20120523140611.GA64580@ithaqua.etoilebsd.net>
References: <201205231334.q4NDYCMQ078804@repoman.freebsd.org>
	<1337780396.2024.2.camel@pav.hide.vol.cz>
	<9b15e44319f017bff90bc3caa1de79d9@bluelife.at>
	<1337781238.2024.7.camel@pav.hide.vol.cz>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="nFreZHaLTZJo0R7j"
Content-Disposition: inline
In-Reply-To: <1337781238.2024.7.camel@pav.hide.vol.cz>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: cvs-ports@FreeBSD.org, ports-committers@FreeBSD.org,
	Bernhard Froehlich <decke@FreeBSD.org>, cvs-all@FreeBSD.org,
	Martin Wilke <miwi@FreeBSD.org>
Subject: Re: cvs commit: ports/databases/pg_filedump Makefile
List-Id: **OBSOLETE** CVS commit messages for the entire tree
	<cvs-all.freebsd.org>


--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 23, 2012 at 03:53:58PM +0200, Pav Lucistnik wrote:
> Bernhard Froehlich wrote on Wed 23. 05. 2012 at 15:47 +0200:
> > On 23.05.2012 15:39, Pav Lucistnik wrote:
> > > Martin Wilke wrote on Wed 23. 05. 2012 at 13:34 +0000:
> > >> miwi        2012-05-23 13:34:12 UTC
> > >>
> > >>   FreeBSD ports repository
> > >>
> > >>   Modified files:
> > >>     databases/pg_filedump Makefile
> > >>   Log:
> > >>   - Switch to FETCH_DEPENDS to fix fetch during build
> > >
> > > How is this supposed to work? The log message makes no sense.
> >
> > The problem that this fixes is when you are building in jails
> > and restrict internet access to the "fetch" target like
> > pointyhat-west, redports.org and poudriere already do.
>
> Well, the restriction was put in place for a reason 1*), and now you're
> working around that very reason. So just remove the restriction from
> pointyhat and problem solved.
>
> What you are doing now is a nonsensical hack and I have to ask you to
> back it out.
>
>
> 1*) To have full control over what is being fetched from Internets, with
> help of checksums and distinfo lists.
>

Maybe, in that case it will be good to define what we really want/need and what
clusteradm and security people will accept.

Should network access be restricted at any moment during package building
in an automated build environment? If yes, which phases are expected to be
restricted?

Possibilities are:
- plain access until build target and no access from build target to the end?
  (what about tests that need network access, should we allow them?)
- plain access during all the phases but build?
- plain access all the time?
- [insert your proposition here :)]

The restriction in the case of redports was a requirement (Bernhard has more
information about this than I do).

Once it is decided, changing pointyhat, redports, poudriere and the upcoming
jailed tinderbox is easy.

In my mind I see the fetch target as: all I need to build that package should
be done by it, and that is why it has been implemented that way.

Now if there is something more clever to do, please share and we will do that
(and update the Porter's Handbook accordingly).

Keep in mind the security requirements.

regards,
Bapt

--nFreZHaLTZJo0R7j
Content-Type: application/pgp-signature


--nFreZHaLTZJo0R7j--