GNU bug report logs - #46641: process-tests assume network connection
Reported by: Glenn Morris <rgm <at> gnu.org>
Date: Fri, 19 Feb 2021 18:00:02 UTC
Severity: normal
Tags: fixed
Found in version 27.1
Fixed in version 28.1
Done: Robert Pluim <rpluim <at> gmail.com>
Bug is archived. No further changes may be made.
Message #30 received at 46641 <at> debbugs.gnu.org (full text, mbox):
> On 21.02.2021 at 17:21, Robert Pluim <rpluim <at> gmail.com> wrote:
>
>>>>>> On Sun, 21 Feb 2021 15:37:27 +0100, Philipp <p.stephani2 <at> gmail.com> said:
>
> Philipp> This is pretty common for CI systems. Accessing the network is a
> Philipp> security risk, and in addition tends to make tests unreproducible.
>
> I can give you the second one, but in what way is e.g. doing a DNS lookup a
> 'security risk'? Weʼre not talking about setting up a listening server
> on a public IP here.
A CI system will typically run arbitrary code that’s not under the control of the CI system itself. Therefore, the CI system needs to prevent any malicious behavior of the system under test. Since the code being tested is opaque, the CI system can’t really decide whether it’s malicious or not, so it has to conservatively assume that any network access is malicious. While it might be possible to prevent more specific behavior (like creating a listening socket), that tends to be more complex, so the simpler and safer “no network at all” tends to be a reasonable choice.
This bug report was last modified 4 years and 173 days ago.