
Re: "Arch: all" package FTBFS due to test needing network access - RC?

Lucas Nussbaum wrote:

> Some packages (e.g. choose-mirror) fetch a newer version of a file during
> build if it's possible to fetch that file. I don't think this is RC,
> since the file is not missing from the package if the network is not
> available.

In general, I strongly suspect that fetching updated source during build
is RC due to a violation of the Social Contract: the source we are
shipping intentionally does not correspond to the binary package.

I'm not sure if the above applies to choose-mirror. In particular, if
the file shipped in the binary is its own source, then it doesn't.
However, I'd still say it's a bad idea, and a bug (maybe even RC). Some
more general reasons (not all necessarily apply to choose-mirror):

    * changes to the package are not reflected in the changelog
    * random network or remote server issues can cause a broken (or
      worse) build. What happens if the file on the server is corrupted?
    * builds are no longer repeatable. Different source may even wind up
      built on different architectures.
    * the package is much harder to NMU. What should be a spelling fix
      suddenly becomes a large change (due to the automated source
      pull), unbeknown to the NMU-er. Same problem for the security team.
    * the supposedly-signed source package isn't really; it's pulling
      unsigned source for the build

Also, depending on what is being downloaded from the network, there
could be security issues. What happens if the server is compromised?
