Date:      Wed, 23 May 2012 16:11:20 +0200
From:      Pav Lucistnik <pav@FreeBSD.org>
To:        Baptiste Daroussin <bapt@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, ports-committers@FreeBSD.org, Bernhard Froehlich <decke@FreeBSD.org>, cvs-all@FreeBSD.org, Martin Wilke <miwi@FreeBSD.org>
Subject:   Re: cvs commit: ports/databases/pg_filedump Makefile
Message-ID:  <1337782280.2024.10.camel@pav.hide.vol.cz>
In-Reply-To: <20120523140611.GA64580@ithaqua.etoilebsd.net>
References:  <201205231334.q4NDYCMQ078804@repoman.freebsd.org> <1337780396.2024.2.camel@pav.hide.vol.cz> <9b15e44319f017bff90bc3caa1de79d9@bluelife.at> <1337781238.2024.7.camel@pav.hide.vol.cz> <20120523140611.GA64580@ithaqua.etoilebsd.net>

Baptiste Daroussin wrote on Wed, 23 May 2012 at 16:06 +0200:
> On Wed, May 23, 2012 at 03:53:58PM +0200, Pav Lucistnik wrote:
> > Bernhard Froehlich wrote on Wed, 23 May 2012 at 15:47 +0200:
> > > On 23.05.2012 15:39, Pav Lucistnik wrote:
> > > > Martin Wilke wrote on Wed, 23 May 2012 at 13:34 +0000:
> > > >> miwi        2012-05-23 13:34:12 UTC
> > > >>
> > > >>   FreeBSD ports repository
> > > >>
> > > >>   Modified files:
> > > >>     databases/pg_filedump Makefile
> > > >>   Log:
> > > >>   - Switch to FETCH_DEPENDS to fix fetch during build
> > > >
> > > > How is this supposed to work? The log message makes no sense.
> > > 
> > > The problem that this fixes is when you are building in jails
> > > and restrict internet access to the "fetch" target like
> > > pointyhat-west, redports.org and poudriere already do.
> > 
> > Well, the restriction was put in place for a reason 1*), and now you're
> > working around that very reason. So just remove the restriction from
> > pointyhat and problem solved.
> > 
> > What you are doing now is a nonsensical hack and I have to ask you to
> > back it out.
> > 
> > 
> > 1*) To have full control over what is being fetched from Internets, with
> > help of checksums and distinfo lists.
> > 
> 
> Maybe, in that case it will be good to define what we really want/need and what
> clusteradm and security people will accept.
> 
> Should network access be restricted at any moment during the package building,
> on automated build environment, if yes what phases are to be expected to be
> restricted?
> 
> Possibilities are:
> - plain access until build target and no access from build target to the end?
>   (what about tests that need network access should we allow them?)
> - plain access during the whole phases but build?
> - plain access all the time?
> - [insert your proposition here :)]
> 
> The restriction in case of redports was a requirement (Bernhard has more
> information about this than I do)
> 
> Once it is decided changing pointyhat, redports, poudriere and upcoming jailed
> tinderbox is easy.
> 
> In my mind I see the fetch target as all I need to build that package should be
> done by it and that is why it has been implemented that way.

I think the current level of restrictions is OK. The systematic problem
is that triple-tuple dependency targets (i.e. foo:port:build) invoke a
build inside a build and thus do not respect the separation to
fetch/build/... stages.

This should be fixed, somehow. Not sure how.

The whole triple-tuple feature is a pain, really.
