
Bug#395262: "Arch: all" package FTBFS due to test needing network access - RC?



(Cced the relevant bug report)

On 31/10/06 at 23:50 -0500, Anthony DeRobertis wrote:
> Lucas Nussbaum wrote:
> 
> > Some packages (e.g choose-mirror) fetch a newer version of a file during
> > build if it's possible to fetch that file. I don't think this is RC,
> > since the file is not missing from the package if the network is not
> > available.
> >   
> 
> In general, I strongly suspect that fetching updated source during build
> is RC due to a violation of the Social Contract: the source we are
> shipping intentionally does not correspond to the binary package.
> 
> I'm not sure if the above applies to choose-mirror. In particular, if
> the file shipped in the binary is its own source, then it doesn't.
> However, I'd still say it's a bad idea, and a bug (maybe even RC). Some
> more general reasons (not all necessarily apply to choose-mirror):
> 
>     * changes to the package are not reflected in the changelog
>     * random network or remote server issues can cause a broken (or
>       worse) build. What happens if the file on the server is corrupted?
>     * builds are no longer repeatable. Different source may even wind up
>       built on different architectures.
>     * the package is much harder to NMU. What should be a spelling fix
>       suddenly becomes a large change (due to the automated source
>       pull), unbeknown to the NMU-er. Same problem for the security team.
>     * the supposedly-signed source package isn't really; it's pulling
>       unsigned source for the build
> 
> Also, depending on what is being downloaded from the network, there
> could be security issues. What happens if the server is compromised?

While I fully agree with you on all points, I think that this should be
discussed post-etch with the general question of "in which environment
are packages supposed to build?". There are other similar issues, like:
- should packages allow building as root? (aegis, bazaar, subversion
  don't)
- should packages build the same if they are built in a minimal Debian
  environment only satisfying their b-deps, and in a system with lots of
  useless packages installed?

There are RC bugs to fix now ;)
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |