Re: "Arch: all" package FTBFS due to test needing network access - RC?
(Cced the relevant bug report)
On 31/10/06 at 23:50 -0500, Anthony DeRobertis wrote:
> Lucas Nussbaum wrote:
>
> > Some packages (e.g. choose-mirror) fetch a newer version of a file during
> > build if it's possible to fetch that file. I don't think this is RC,
> > since the file is not missing from the package if the network is not
> > available.
> >
>
> In general, I strongly suspect that fetching updated source during build
> is RC due to a violation of the Social Contract: the source we are
> shipping intentionally does not correspond to the binary package.
>
> I'm not sure if the above applies to choose-mirror. In particular, if
> the file shipped in the binary is its own source, then it doesn't.
> However, I'd still say it's a bad idea, and a bug (maybe even RC). Some
> more general reasons (not all necessarily apply to choose-mirror)
>
>  * changes to the package are not reflected in the changelog
>  * random network or remote server issues can cause a broken (or
>    worse) build. What happens if the file on the server is corrupted?
>  * builds are no longer repeatable. Different source may even wind up
>    built on different architectures.
>  * the package is much harder to NMU. What should be a spelling fix
>    suddenly becomes a large change (due to the automated source
>    pull), unbeknown to the NMU-er. Same problem for the security team.
>  * the supposedly-signed source package isn't really; it's pulling
>    unsigned source for the build
>
> Also, depending on what is being downloaded from the network, there
> could be security issues. What happens if the server is compromised?

While I fully agree with you on all points, I think that this should be
discussed post-etch with the general question of "in which environment
are packages supposed to build?". There are other similar issues, like:
- should packages allow to build as root? (aegis, bazaar, subversion
  don't)
- should packages build the same if they are built in a minimal debian
  environment only satisfying their b-dep, and in a system with lots of
  useless packages installed?

There are RC bugs to fix now ;)
--
| Lucas Nussbaum
| lucas@lucas-nussbaum.net http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr GPG: 1024D/023B3F4F |
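
As an added illustration of the build-time fetching discussed in this thread (not code from the thread, from any package named in it, or from Debian): a small Python lint that flags network-fetching commands in the recipes of a debian/rules-style makefile, so such a fetch is found in review rather than on a build host without network. The command list, function names and the sample rules file are assumptions constructed for this example.

```python
import re

# Commands that reach the network; this list is an assumption, extend as needed.
FETCH_CMDS = ("wget", "curl", "ftp", "rsync", "scp", "git clone", "svn checkout", "svn co")
_FETCH_RE = re.compile(r"(?<![\w./-])(" + "|".join(re.escape(c) for c in FETCH_CMDS) + r")(?![\w-])")
# A target line such as "build:" or "build-arch build-indep:", but not "VAR := value".
_TARGET_RE = re.compile(r"^([A-Za-z0-9_.%/-]+(?:\s+[A-Za-z0-9_.%/-]+)*)\s*:(?!=)")

def logical_lines(text):
    """Yield (first_line_number, joined_line), merging backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended in the middle of a continuation
        yield start, buf

def find_network_fetches(rules_text):
    """Return (line_number, target, command) for each fetch found in a recipe."""
    findings, target = [], None
    for no, line in logical_lines(rules_text):
        if line.startswith("\t"):  # recipe line, belongs to the current target
            body = line.strip().lstrip("@-+")   # drop make's recipe prefixes
            if body.startswith("#"):            # shell comment, not a command
                continue
            m = _FETCH_RE.search(body)
            if m and target:
                findings.append((no, target, m.group(1)))
        else:
            m = _TARGET_RE.match(line)
            if m:
                target = m.group(1)
    return findings

# Constructed sample, not taken from any real package.
SAMPLE_RULES = (
    "#!/usr/bin/make -f\n"
    "build:\n"
    "\t# wget is only mentioned here\n"
    "\t-wget -q -O data/list.new \\\n"
    "\t    http://mirror.example.invalid/list && mv data/list.new data/list\n"
    "\t$(MAKE)\n"
    "clean:\n"
    "\trm -f data/list.new\n"
)
```

The leading "-" on the sample recipe is what lets a failed fetch pass silently, so the build output depends on whether the network was reachable; the lint reports the line either way.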