[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPL-licensed software linked against libssl on buildds!

On Wed, Jan 20, 2010 at 10:37:48PM +1300, Lucas Nussbaum wrote:
> On 20/01/10 at 00:48 -0800, Steve Langasek wrote:
> > On Wed, Jan 20, 2010 at 02:22:33PM +1300, Lucas Nussbaum wrote:
> > 
> > > Why spend a lot of time on tasks that provide little benefit, and also
> > > some disadvantages (in some cases, the fixes might be non-obvious, and
> > > requires changes to the packaging that tend to obscure it, for example
> > > by using --disable-foo for each and every option we don't want)?
> > 
> > I'm not asking anyone to spend time on this task, but I still consider
> > missing build-conflicts a bug.  Ignoring these bugs by insisting on clean
> > chroot environments for all official package builds is no solution - what if
> > one of your build-dependencies pulls in one of these other packages,
> > resulting in an undistributable (license-incompatible) misbuild?  If the
> > build-conflicts had been declared, or if the --without-foo option had been
> > passed, we would not have to worry about such a misbuild.
> If the chroot env is clean,

I hate to break the news, but no build environment (look, full word) is
ever clean. There are environment variables, other processes running on
the same system, and various other things that can influence it.
Granted, rogue environment variables are rarely going to be a problem on
a buildd host, but clock skew or rogue processes from previous builds
might not be. Okay, that's a stretch. Still.

At any rate, here are some facts:
- A package that builds differently because something is (or is not)
  installed on the build system is buggy. Period. It has nothing to do
  with the build system, it's the package.
- When a package has a buggy debian/rules and/or debian/control file,
  and it gets built on 11 architectures, surely one of those
  architectures is going to hit that bug.
- A clean chroot takes time and processing power. You need to drop and
  recreate the chroot between builds, upgrade the same Build-Essential
  packages every time you do an upgrade, copy the apt cache in and out
  of the chroot (or keep downloading the same packages over and over),
  and various other things. LVM snapshots fix some, though not all, of
  those problems, and introduce a few of their own.
  I don't know about you, but I'd rather have the buildd spend
  processing power on building packages. Having it fail at producing a
  good package because the maintainer didn't do a good enough job is
  nothing new -- they do that all the time.

As such, I'm rather unconvinced of the merits of this LVM snapshot

The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.

Reply to: