enforce sudo= as the only place to call sudo
I just thought of a simple way to enforce that sudo is only ever called in the sudo=
build field: after fdroid build --on-server
finishes executing the sudo=
, it should just rm -f /usr/bin/sudo
. This will prevent anything after that point from executing sudo, and since the buildserver VM is reset for each build, every new build will have sudo again.
Edited by Hans-Christoph Steiner