-
-
Notifications
You must be signed in to change notification settings - Fork 194
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow build-time tests to be run in environments where bwrap can't work #1498
Allow build-time tests to be run in environments where bwrap can't work #1498
Conversation
We have We can just check for |
They do, indirectly, control whether the sandbox is used (the logic might not be 100% ideal, but it's good enough, and improving it is out-of-scope for #1497 or for this PR). But, that doesn't solve my problem. If I was willing to ship a version of x-d-p in Debian that had insecure, non-sandboxed validation, that would be fine, and I could already do that. (But that would be doing a disservice to our users, so I don't want to.) The problem I have is that I want a version of x-d-p that by default enforces sandboxing for its validators, so that they will be secure-by-default on end-user systems; but during build-time testing I need an escape hatch that lets me turn that off, because in the distro's automated build environment it's impossible, and I'd prefer to run build-time tests with imperfect coverage rather than no build-time tests at all. |
I agree with the rationale. Would be nice if we could auto-detect this in the tests. The python tests will have the same problem but are currently not installed. |
I also agree that an escape hatch for build time testing is a good idea. @smcv should the environment variables also be documented somewhere, for other downstream packagers running in the same issue? |
FWIW, we already have This is something the test setup sets itself though so we should figure out if we want the test setup to detect the bwrap situation and set the env accordingly and leave it an implementation detail. |
For "as-installed" tests like Debian's autopkgtest and GNOME's installed-tests concept, this is not actually such a concern: in autopkgtest we can flag certain test suites as It's specifically build-time tests via
Yeah, probably. Any suggestions for where?
That would be nice, but making the escape hatch exist seems like a prerequisite for making use of it automatically, and is considerably simpler. Auto-detection would look a lot like |
Do we want to have a man page for the validation tools? I assume Debian will ask for one. In the meantime, we can have a |
They aren't in the
Sure, that would make sense. |
We already have a bunch of undocumented environment variables and the changes in this PR LGTM so I'm in favor of merging this as is. |
Signed-off-by: Simon McVittie <[email protected]>
OS distributions often compile packages and run their build-time tests in a chroot environment or an unprivileged container, and bubblewrap cannot usually work in either of those environments. Signed-off-by: Simon McVittie <[email protected]>
Signed-off-by: Simon McVittie <[email protected]>
Same reasoning as for the icon validator. Signed-off-by: Simon McVittie <[email protected]>
Signed-off-by: Simon McVittie <[email protected]>
6ee7053
to
73a13aa
Compare
Added, no further changes (except for rebasing). |
Resolves #1497.
In limited build environments, the tests can be run as:
(variable names chosen to discourage users from making use of this in production to validate genuinely untrusted icons/sounds).
xdp_validate_icon: Assign argument indices automatically
xdp_validate_icon: Allow sandboxing of the validator to be disabled
OS distributions often compile packages and run their build-time tests
in a chroot environment or an unprivileged container, and bubblewrap
cannot usually work in either of those environments.
xdp_validate_sound: Assign argument indices automatically
xdp_validate_sound: Allow sandboxing of the validator to be disabled
Same reasoning as for the icon validator.