[Distutils] Preventing downloading for package requirements

Barry Warsaw barry at python.org
Thu Feb 24 00:25:31 CET 2011

On Feb 23, 2011, at 02:25 PM, Toshio Kuratomi wrote:

>What Barry's talking about is slightly different I think.  When running
>python setup.py test, setup.py may download additional modules that should
>have been specified in the system package (thus the download should never be
>tried).  This occurs before the software is installed anywhere.

Right on, Toshio.

>For Fedora we deal with this by preventing processes related to the build
>from making any non-localhost network connnections.  That doesn't catch
>things when a packager is building on their local machine but it does catch
>things when the package is built on the builders
>There's two pieces that work on that:
>1) The build hosts themselves are configured with a firewall that prevents
>   a lot of packets from leaving the box, and prevent any packets from going
>   to a non-local network.
>2) We build in a chroot and part of chroot construction is to create an
>   empty resolv.conf.  This prevents DNS lookups from succeeding and
>   controls the automatic downloading among other things.
>Neither of these are especially well adapted to being run by a casual
>packager but the second (a chroot with empty resolv.conf) could be done
>without too much trouble (we have a tool called mock that creates chroots,
>it was based on a tool called mach which can use apt and might be better for
>a Debian usage).  Both 1 and 2 could be performed on a VM if you can get
>your packagers to go that far or are dealing with a build system rather than
>individual packagers.

I believe our builders prevent external connections too.  I'm not positive
about it but it wouldn't be too difficult to test.  Still, as you point out,
it's more difficult to enforce with local builders, and that's where packagers
are going to be more able to quickly fix any such problems.  One difficultly
for Debian/Ubuntu local build environments (aside from the fact that there are
several ways people do it ;), is that at least with some of the local
builders, they *have* to do external connections, e.g. to download build
dependencies into the chroot the build is done from.  You could of course
tightly control that, but given the geographical archive mirroring, it just
makes things more complicated.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20110223/4060ec09/attachment.pgp>

More information about the Distutils-SIG mailing list