Date: Wed, 20 Jan 2016 05:51:08 +0000 From: =?ISO-8859-1?Q?Lu=EDs?= Fernando Schultz Xavier da Silveira <schultz@ime.usp.br> To: "Michael B. Eichorn" <ike@michaeleichorn.com> Cc: kpneal@pobox.com, Polytropon <freebsd@edvax.de>, freebsd-questions@freebsd.org Subject: Re: Unexpected dependencies of graphics/libGL Message-ID: <20160120055108.b9516e8b6ddf576a5239370c@ime.usp.br> In-Reply-To: <1453263751.6711.61.camel@michaeleichorn.com> References: <20160117031923.ce1f36547351bf07b6fff9a0@ime.usp.br> <20160117070715.1c33732b.freebsd@edvax.de> <20160117162018.964db3b1f2f2133242773e78@ime.usp.br> <20160117220247.69e6774f.freebsd@edvax.de> <20160118161235.GA92637@neutralgood.org> <20160119050806.cd08ca0687e76a4b09a701e3@ime.usp.br> <20160119062345.5402e98b.freebsd@edvax.de> <20160119063438.ca57c8a3bd8ba6781a58b040@ime.usp.br> <20160119141257.GA64358@neutralgood.org> <20160120031432.cd8793f3626c07fc803ee308@ime.usp.br> <1453263751.6711.61.camel@michaeleichorn.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, You are correct. As you described and as I pointed out before, Poudriere is the right tool for creating package repositories. It prevents badly written ports from interfering with the host system. However, in a system where the packages built this way are then installed into it, this tidyness/security benefit vanishes. This is my use case and, thus, for my personal use, Poudriere does not make sense. On Tue, 19 Jan 2016 23:22:31 -0500 "Michael B. Eichorn" <ike@michaeleichorn.com> wrote: > On Wed, 2016-01-20 at 03:14 +0000, Lu=EDs Fernando Schultz Xavier da > Silveira wrote: > > Hi, > >=20 > > In a nutshell, the point is that the build dependencies should not be > > there at all. Keeping them in a jail is not a proper solution because > > they can still influence the host system (since the packages > > resulting > > from computations done in the jail will be installed in the host). >=20 > There is nothing inherently wrong about this. The jail is not insecure, > it runs no external services. In the case of poudriere we trust the > build jails in the exact same way we trust software built on the the > host from ports. >=20 > The jails are used not so much for security as for isolating the build > from the host environment. Do recall that jails are in a way secure > extensions of the chroot concept; and that chroot was developed not for > security, but for compling software in a controlled environment. This > is what poudriere does, complie software in a controlled environment. >=20 > Further the complied packages are not 'kept' in a jail, after running > poudriere all jails are stopped and compliation jails are destroyed. > Poudriere creates a package repository on the host system where built > packages are kept. >=20 > One big advantage to poudriere is that since you are building this repo > you can confirm the whole build went well before installing any new > package on a production system. For a complex build like x11/gnome3 > this can be a major advantage. >=20 > TLDR: Poudriere is at least as secure as building from ports. (Exactly > as kpneal and Polytropon said.) >=20 > >=20 > > On Tue, 19 Jan 2016 09:12:57 -0500 > > kpneal@pobox.com wrote: > >=20 > > > On Tue, Jan 19, 2016 at 06:34:38AM +0000, Lu=EDs Fernando Schultz > > > Xavier da Silveira wrote: > > > > Hello, > > > >=20 > > > > > But this is not different from how ports are being built in > > > > > the regular ports tree: Compilation tools could be compromized > > > > > or package content could be affected. The typical "make > > > > > install" > > > > > will generate a package which is then installed via pkg. > > > >=20 > > > > Indeed, it is not different, and that is my point. > > >=20 > > > Huh? When did this turn into a discussion about security? > > >=20 > > > You can do a small amount of work and have security concerns or you > > > can > > > do much more work and have the exact same security concerns. I > > > really don't > > > see how this reflects badly on Poudriere. > > >=20 > > > I thought this was a discussion about how to avoid having build > > > dependencies > > > installed when all you wanted was the run-time dependencies. > > > Poudriere > > > handles this nicely without all that mucking about with locking > > > packages, > > > keeping your ports tree in sync with the one checked out at > > > freebsd.org, > > > etc. > > >=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160120055108.b9516e8b6ddf576a5239370c>