Date: Wed, 20 Jan 2016 18:18:41 +0000
From: Luís Fernando Schultz Xavier da Silveira <schultz@ime.usp.br>
To: Jim Ohlstein <jim@ohlste.in>
Cc: "Michael B. Eichorn" <ike@michaeleichorn.com>, Polytropon <freebsd@edvax.de>, freebsd-questions@freebsd.org, kpneal@pobox.com
Subject: Re: Unexpected dependencies of graphics/libGL
Message-ID: <20160120181841.579877fd60b4e225e5753f58@ime.usp.br>
In-Reply-To: <569F7EF5.7020707@ohlste.in>
References: <20160117031923.ce1f36547351bf07b6fff9a0@ime.usp.br> <20160117070715.1c33732b.freebsd@edvax.de> <20160117162018.964db3b1f2f2133242773e78@ime.usp.br> <20160117220247.69e6774f.freebsd@edvax.de> <20160118161235.GA92637@neutralgood.org> <20160119050806.cd08ca0687e76a4b09a701e3@ime.usp.br> <20160119062345.5402e98b.freebsd@edvax.de> <20160119063438.ca57c8a3bd8ba6781a58b040@ime.usp.br> <20160119141257.GA64358@neutralgood.org> <20160120031432.cd8793f3626c07fc803ee308@ime.usp.br> <1453263751.6711.61.camel@michaeleichorn.com> <20160120055108.b9516e8b6ddf576a5239370c@ime.usp.br> <569F7EF5.7020707@ohlste.in>
I agree that this thread should stop. It was not meant to discuss Poudriere in the first place.

Why would I be trolling using my real name? No, I am no troll, but the thought of using partial solutions instead of solving problems properly bothers me significantly. What bothers me even more is that people feel good about these solutions, feel smart about themselves and quickly forget they are only partial.

On Wed, 20 Jan 2016 07:35:01 -0500
Jim Ohlstein <jim@ohlste.in> wrote:

> On 1/20/16 12:51 AM, Luís Fernando Schultz Xavier da Silveira wrote:
> > Hello,
> >
> > You are correct. As you described and as I pointed out before, Poudriere
> > is the right tool for creating package repositories. It prevents badly
> > written ports from interfering with the host system.
> >
> > However, in a system where the packages built this way are then
> > installed into it, this tidiness/security benefit vanishes. This is
> > my use case and, thus, for my personal use, Poudriere does not make
> > sense.
>
> I've read through this entire thread. At first I was torn between
> whether you're plain dumb or just playin' dumb.
>
> Your answers boil down to "I don't like it because I don't like it."
> You've come up with *nothing* concrete in terms of real world evidence
> to support your suppositions. Rather you keep repeating the same rant,
> perhaps thinking if you say it enough times people will actually buy it.
>
> Clearly you're playin' dumb and you're a troll.
>
> Folks, please stop feeding the troll. Eventually it'll go troll elsewhere.
>
> >
> > On Tue, 19 Jan 2016 23:22:31 -0500
> > "Michael B. Eichorn" <ike@michaeleichorn.com> wrote:
> >
> >> On Wed, 2016-01-20 at 03:14 +0000, Luís Fernando Schultz Xavier da
> >> Silveira wrote:
> >>> Hi,
> >>>
> >>> In a nutshell, the point is that the build dependencies should not be
> >>> there at all. Keeping them in a jail is not a proper solution because
> >>> they can still influence the host system (since the packages resulting
> >>> from computations done in the jail will be installed in the host).
> >>
> >> There is nothing inherently wrong about this. The jail is not insecure,
> >> it runs no external services. In the case of poudriere we trust the
> >> build jails in the exact same way we trust software built on the
> >> host from ports.
> >>
> >> The jails are used not so much for security as for isolating the build
> >> from the host environment. Do recall that jails are in a way secure
> >> extensions of the chroot concept; and that chroot was developed not for
> >> security, but for compiling software in a controlled environment. This
> >> is what poudriere does, compile software in a controlled environment.
> >>
> >> Further, the compiled packages are not 'kept' in a jail; after running
> >> poudriere all jails are stopped and compilation jails are destroyed.
> >> Poudriere creates a package repository on the host system where built
> >> packages are kept.
> >>
> >> One big advantage to poudriere is that since you are building this repo
> >> you can confirm the whole build went well before installing any new
> >> package on a production system. For a complex build like x11/gnome3
> >> this can be a major advantage.
> >>
> >> TLDR: Poudriere is at least as secure as building from ports. (Exactly
> >> as kpneal and Polytropon said.)
> >>
> >>>
> >>> On Tue, 19 Jan 2016 09:12:57 -0500
> >>> kpneal@pobox.com wrote:
> >>>
> >>>> On Tue, Jan 19, 2016 at 06:34:38AM +0000, Luís Fernando Schultz
> >>>> Xavier da Silveira wrote:
> >>>>> Hello,
> >>>>>
> >>>>>> But this is not different from how ports are being built in
> >>>>>> the regular ports tree: Compilation tools could be compromised
> >>>>>> or package content could be affected. The typical "make install"
> >>>>>> will generate a package which is then installed via pkg.
> >>>>>
> >>>>> Indeed, it is not different, and that is my point.
> >>>>
> >>>> Huh? When did this turn into a discussion about security?
> >>>>
> >>>> You can do a small amount of work and have security concerns or you can
> >>>> do much more work and have the exact same security concerns. I really don't
> >>>> see how this reflects badly on Poudriere.
> >>>>
> >>>> I thought this was a discussion about how to avoid having build dependencies
> >>>> installed when all you wanted was the run-time dependencies. Poudriere
> >>>> handles this nicely without all that mucking about with locking packages,
> >>>> keeping your ports tree in sync with the one checked out at freebsd.org,
> >>>> etc.
> >>>>
>
> --
> Jim Ohlstein
>
>
> "Never argue with a fool, onlookers may not be able to tell the
> difference." - Mark Twain
>