Solved: Poudriere as a security risk? (maybe not, based on the replies)

Somewhat duplicating portions of what I posted on a different thread, to provide context:

I tried installation from the Ports tree; I was doing that to understand the process of installing software from source using the Ports collection. There were error messages while running /usr/ports/sysutils/lsof # make, so I tried to fix it by following instructions from the page https://docs.freebsd.org/en/books/handbook/ports/#ports-using-portsnap-method, then watched the terminal flash what was happening after portmaster -a: compile, run, build software I haven't even heard of, rustc, CARGO ... I was puzzled at what was happening for the next 5 hours. In thread

In response to the thread grahamperrin helpfully suggested

Aim for (or create) a topic with poudriere in the title. Meantime, in as few words as possible: ports-mgmt/poudriere-devel is our friend.

Port installed Poudriere with the command cd /usr/ports/ports-mgmt/poudriere-devel/ && make install clean. The warnings are: Files in usr/local/libexec/poudriere/jexecd may act as network servers and may pose a remote security risk, and scripts in /usr/local/etc/rc.d/poudriered would start network servers at boot time.
What happens when I stop netif? Does netif stop jexecd and poudriered too?
And, what do I do with Poudriere if I want to use it to understand Port Management?

Thank you
 
Every network service is a potential security risk, therefore you'll always get this same warning whenever you install something that calls APIs to listen on a socket. I'm not sure what jexecd is doing, but the name suggests it's just used to execute something in a jail, so most likely it works locally only. poudriered, OTOH, isn't even needed to run poudriere (and won't run if you don't enable it manually). Whether you want to trust poudriere in general is up to you, I don't see any reason not to.

What happens when I stop netif? Does netif stop jexecd and poudriered too?
It stops any networking, so ports won't be able to fetch distfiles → not advisable for running poudriere.
 
Thank you Zirias. More comfortable with Poudriere after your reply. You mentioned netif is not advisable for running poudriere. I don't understand what you meant. I use the netif command before moving away from my computer (it is not a 'network', no other user); my question was to ask if doas service netif stop stops the network completely, or if it still keeps poudriere-related sockets open, requiring a separate command in addition to netif.

Thank you.
 
my question was to ask if doas service netif stop stops the network completely, or if it still keeps poudriere-related sockets open, requiring a separate command in addition to netif.
It stops the entire network interface, which would result in poudriere failing because it will be unable to fetch distfiles. You could fetch all those distfiles in advance, which would let poudriere build everything without having the need to fetch anything.

On a 'normal' poudriere run a build jail only momentarily gets network access during the fetch phase. Once the actual build in that jail is started the network is closed off. This is to prevent a port from fetching remote files during the build phase, which is not allowed to happen.
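The question in this thread is really "which daemons hold listening sockets, and are they reachable from outside?". Stopping netif brings the interfaces down but does not terminate any process, so a daemon that is bound to a wildcard address keeps its socket and simply becomes reachable again when the interface comes back up; a daemon bound only to loopback was never reachable from another host. The script below, written for this thread rather than taken from poudriere or the FreeBSD handbook, shows the two checks an administrator would make: parse sockstat(1)-style listing output to report services bound to non-loopback addresses, and read rc.conf-style text to see whether a service such as poudriered is enabled at boot. The sockstat and rc.conf samples are constructed for the example and say nothing about what the real poudriered binds to; run the real commands (sockstat -46l, sysrc -n poudriered_enable) to see your own host.

```shell
#!/bin/sh
# Added example for this thread; not code from poudriere or FreeBSD.
# Both samples below are CONSTRUCTED for illustration.

# Constructed output in the layout of `sockstat -46l` (listening sockets).
# Column 6 is LOCAL ADDRESS: "*:port" means bound to all interfaces.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     exampled   1201  3  tcp4   127.0.0.1:4000        *:*
root     exampled   1201  4  tcp6   ::1:4000              *:*
bind     named      640   20 udp4   *:53                  *:*'

# Constructed rc.conf fragment: sshd enabled at boot, poudriered not.
SAMPLE_RCCONF='hostname="buildbox"
sshd_enable="YES"
poudriered_enable="NO"'

# remote_listeners: read sockstat listing on stdin, print the command names
# (one per line, sorted, unique) whose tcp/udp socket is bound to something
# other than a loopback address. These are the sockets a host on the network
# could actually reach; loopback-only binds are skipped.
remote_listeners() {
    awk 'NR > 1 && $5 ~ /^(tcp|udp)/ && $6 !~ /^(127\.|::1:)/ { print $2 }' | sort -u
}

# rc_enabled NAME: read rc.conf text on stdin; exit 0 if NAME_enable is set
# to YES (case-insensitive, quoted or not), exit 1 otherwise.
rc_enabled() {
    grep -Eiq "^$1_enable=\"?yes\"?[[:space:]]*$"
}

# audit: human-readable summary combining both checks; takes the sockstat
# text and rc.conf text as arguments so it can be run on captured files.
audit() {
    echo "Services listening on non-loopback addresses:"
    printf '%s\n' "$1" | remote_listeners | sed 's/^/  /'
    for svc in sshd poudriered; do
        if printf '%s\n' "$2" | rc_enabled "$svc"; then
            echo "$svc: enabled at boot"
        else
            echo "$svc: not enabled at boot"
        fi
    done
}

# On a real host: audit "$(sockstat -46l)" "$(cat /etc/rc.conf)"
audit "$SAMPLE_SOCKSTAT" "$SAMPLE_RCCONF"
```

With the constructed sample the report lists sshd and named as reachable listeners, skips exampled because both of its sockets are loopback-only, and shows poudriered as not enabled; that last line matches what was said above, since poudriered only runs if you enable it yourself.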
 