[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages removed from frozen

On Wed, Feb 09, 2000 at 05:45:12AM -0600, Manoj Srivastava wrote:
> >>"Marcus" == Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:
>  Marcus> On Mon, Feb 07, 2000 at 10:20:20PM -0600, Manoj Srivastava wrote:
>  >> 
>  >> gcc would be something that I would be willing to give special
>  >> dispensation for - espescially since I know it tests itself on
>  >> passes 2 and 3. Gcc is, therefore, part of the set of packages we
>  >> call build essentials.
>  >> 
>  >> However, this is not a dispensation that should be lightly
>  >> given. Bootstrapping from scratch should be kept to a bare minimum of
>  >> preinstalled packages -- the build essentials.
>  Marcus> Sounds easy, but it isn't, unfortunately.  There are not only
>  Marcus> packages that build-depend on themselves (as compilers),
>  Marcus> there are lots of other packages which can't be bootstrapped
>  Marcus> within Debian because of longer cycles.
>         Fairwnough. But you realize that these packages can't be
>  audited by just looking at teh source code -- trojans may be
>  propogated unbeknownst to the developers.

Well, for the compilers this is true (and thanks for pointing out).
For many of the longer cycles, it is only a technical difficulty related
to the simple static packaging rules (you can bootstrap by manually building
packages without all doc formats first, and later recompile to get the full

>         I would suggest we document these packages (hence the
>  requirement for dispensation -- that way we can be sure all these
>  packages are indeed recoreded).

Agreed, for the cases where this is relevant (compilers etc, as opposed to
doc formats see above).

>  Marcus> I am all for working out loops and trying to find ways out of them, but
>  Marcus> getting anal over this is not going to work for the next time.
>         Depends on what you mean by going anal. I think we should be
>  very anal about recording every one of these security risks. Any less
>  would be a disservice to our users.

Yes. Sometimes there is a bootstrap compileri/interpreter available 
or similar. In this case this should be documented as well,
and it should be used to bootstrap the compiler on a new port.


Reply to: