rpm-software-management / mock

Mock is a tool for a reproducible build of RPM packages.
GNU General Public License v2.0
376 stars 219 forks

RFE: download build artifacts after %install and before %check phase #1352

Open xsuchy opened 3 months ago

xsuchy commented 3 months ago

The apocalypXZe has just started, but we can learn a thing from it: trust in the whole upstream tarball is not a given. We can minimize such attacks in the future if we run tests in isolation, without the ability to affect the final artifacts.

Now we run all phases of rpmbuild, including %check, and then offer the artifacts for further use. And I am looking at Koji, Copr and other build systems, not just the CLI user.

What we can change is that we run %build and %install, pause so the build system can fetch the artifacts, then run %check and report its status.

xsuchy commented 3 months ago

Comment by Zbigniew from devel ML: If we wanted to pursue that, I'd suggest the following: remount $RPM_BUILD_ROOT read-only for the %check phase (or maybe overmount it with a writable overlayfs that is thrown away after %check finishes, and warn if any modifications were made.) %check is executed after %install, so everything should be in place before %check, and %check may be skipped, so no modifications to installed files should be done in %check.

Considering possible implementation details, machinectl has 'bind' and 'bind --read-only' that might be useful here. But mock uses systemd-nspawn in a way that does register the container with machined. So maybe it'd be more reasonable to just execute a mount command directly from mock.
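The "warn if any modifications were made" half of the proposal above, as an added example that is not mock's own code: snapshot $RPM_BUILD_ROOT before %check, run the %check command, snapshot again and report anything added, deleted or modified. Unlike the read-only remount or throwaway overlayfs discussed above it needs no root privileges, but it only detects writes after the fact rather than preventing them. The function names (`snapshot`, `run_check`, `demo`) and the tiny build-root tree built by `demo()` are constructed for this illustration.

```python
"""Detect writes to an RPM build root made by a %check-style command.

Added example, not code from mock.  Stands in for the 'warn if any
modifications were made' part of the overlayfs proposal: a before/after
manifest diff that works unprivileged, but does not block the writes.
"""
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every path under root (relative) to a tuple describing it.

    Files: (type, mode, size, sha256); dirs: (type, mode);
    symlinks: (type, target).  Timestamps are deliberately ignored.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():                      # before is_dir(): is_dir() follows links
                manifest[rel] = ("symlink", os.readlink(p))
            elif p.is_dir():
                manifest[rel] = ("dir", p.lstat().st_mode)
            else:
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                manifest[rel] = ("file", p.lstat().st_mode, p.stat().st_size, digest)
    return manifest


def diff(before: dict, after: dict) -> dict:
    """Compare two manifests and classify each differing path."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def run_check(buildroot: Path, check_cmd: list) -> dict:
    """Run check_cmd with RPM_BUILD_ROOT set and report what it changed.

    Returns the diff plus the command's exit status and a 'tampered' flag,
    which a build system would turn into a warning or a failed build.
    """
    before = snapshot(buildroot)
    env = dict(os.environ, RPM_BUILD_ROOT=str(buildroot))
    result = subprocess.run(check_cmd, env=env, cwd=buildroot)
    changes = diff(before, snapshot(buildroot))
    changes["returncode"] = result.returncode
    changes["tampered"] = any(changes[k] for k in ("added", "deleted", "modified"))
    return changes


def demo() -> dict:
    """Build a throwaway build root (constructed data) and run two checks:
    one that only reads, and one that behaves like a malicious %check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "BUILDROOT"
        (root / "usr/bin").mkdir(parents=True)
        (root / "usr/lib").mkdir(parents=True)
        (root / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "usr/lib/libhello.so").write_bytes(b"\x7fELF" + b"\0" * 12)

        clean = run_check(root, ["sh", "-c", "test -f usr/bin/hello"])
        tampered = run_check(root, ["sh", "-c",
            "printf backdoor >> usr/lib/libhello.so"   # patch an installed library
            " && touch usr/lib/extra.so"               # drop a new file
            " && rm usr/bin/hello"])                   # delete an installed file
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, changes in demo().items():
        print(label, changes)
```

`diff()` compares content hashes and modes, not mtimes, so a test suite that merely reads or stats the installed files is reported clean; only the paths that actually changed appear in `added`, `deleted` and `modified`. In a real build system the overlayfs variant would give the same list for free from the upper directory, with whiteouts standing in for deletions.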

xsuchy commented 3 months ago

Crosslink https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-8980454