Details in https://github.com/gentoo/devmanual.gentoo.org/pull/21 Reproducible: Always
This definitely cannot be enforced for pkg_fetch or src_fetch, or whatever people finally standardize on. It also cannot be enforced for src_unpack since some of the eclasses use this for downloading at the present. Also it may not be wise to enforce for src_test, as some tests may need to access local resources (like a postgres database or something), although maybe we don't want that?
also disallowing network access like with FEATURES=network_sandbox will prevent distcc from being useful as it won't be able to connect to other hosts.
(In reply to Rick Farina (Zero_Chaos) from comment #1) > This definitely cannot be enforced for pkg_fetch or src_fetch, or whatever > people finally standardize on. Which is why my commit message mentions those functions, points out that they haven't landed, and suggests we relax the restriction when they do [1]. > It also cannot be enforced for src_unpack since some of the eclasses use this for downloading at the present. Which is why I have a live-ebuild caveat in my restriction [1]. > Also it may not be wise to enforce for src_test, as some tests may need to > access local resources (like a postgres database or something), although > maybe we don't want that? That was one of the problems mgorny pointed out when motivating the network-sandbox feature [2]: > Secondly, this will prevent any kind of communication between host > network and ebuild, including services running on 127.0.0.1. That is, > ebuild will no longer be able to access production services running > on the host. This affects e.g. old mongodb frontend ebuilds which used > to run tests on the live database server (yep, create and delete > databases there). but I think *enforcing* the policy is less important than *adopting* a policy. If we can agree on how we want ebuild-initiated network-access to work (in this issue), we can open follow-up issues figuring out if/how we want to automate enforcement. [1]: https://github.com/wking/devmanual.gentoo.org/commit/2a7d19973f0713e66b38b7af04a263ae248fe7ca [2]: http://article.gmane.org/gmane.linux.gentoo.devel/87641
(In reply to Rick Farina (Zero_Chaos) from comment #2) > also disallowing network access like with FEATURES=network_sandbox will > prevent distcc from being useful as it won't be able to connect to other > hosts. I've added a comment about distcc to the commit message and PR. I don't think it's a deal-breaker though, since the change I'm suggesting is that ebuild authors avoid initiating network access (or allowing the package's build system to initiate it). It's ok for the package manager to enable network access for things like distcc.
(In reply to W. Trevor King from comment #0) > Details in https://github.com/gentoo/devmanual.gentoo.org/pull/21 This pull request was just merged.
