
Running webservices during build



On Thu, Apr 16, 2015, at 02:38, Marc Haber wrote:
> On Thu, 16 Apr 2015 00:08:32 +0200, Mattia Rizzolo
> >https://www.debian.org/doc/debian-policy/ch-archive.html#s-main
> >policy section 2.2.1
> >"packages in main must not require or recommend a package outside of
> >main for compilation or execution (thus, the package must not declare
> >a "Pre-Depends", "Depends", "Recommends", "Build-Depends", or
> >"Build-Depends-Indep" relationship on a non-main package),"
> >
> >this also includes resources over the internet.
> 
> It is mildly weird to define arbitrary Internet resources as
> "package". This is in dire need of clarification.

That clarification is already being worked on debian-policy.

The fact is that you cannot use webservices during build, even if they're non-interactive. The very specific case of starting one on localhost for the build would be fine as far as policy goes, I think (I didn't check), but it could easily cause operational problems in the autobuilders, so it is likely to be a very bad idea anyway.

We had issues in large numbers of packages in the past due to that. I recall validating XML parsers that would attempt to download schemas or DTDs even when they were already in the local catalog, for example.  And that was not even something that could change the build result, as at most it could cause the build to stop.  The one where the XML parsers were downloading external entities during build, well, THAT one was much worse as it could cause the build results to change.

It is fine to have a source package that has a *properly documented in debian/README.source* preparation phase that must be done by the maintainer when downloading a new upstream version, though.  It is not a problem if the maintainer has to run a manual debian/rules target that will hit the net, use webservices, whatever (even if he has to do it interactively, although that's obviously sub-optimal).  As long as the maintainer can check the results for any trojans that might have crept in (i.e. there is no difference from what one is already supposed to do with any new source release from upstream), there is no problem.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh <hmh@debian.org>
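
A source-tree audit for the two XML failure modes described in the message above, as an added example that is not part of the original post or of any Debian tooling: it flags DOCTYPE and external-entity system identifiers that point at the network. The catalog contents, URLs and function names are constructed for illustration, and the regex scan is a heuristic, not a full XML parser.

```python
import re

# Constructed catalog: system identifiers the build can resolve offline.
LOCAL_CATALOG = {"http://dtd.example.org/book.dtd"}

# External identifier: PUBLIC "pubid" "sysid"  or  SYSTEM "sysid"
_ID = r"""(?:PUBLIC\s+(?:"[^"]*"|'[^']*')|SYSTEM)\s+["']([^"']+)["']"""
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+" + _ID)
ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+" + _ID)
NETWORK_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def classify(kind, system_id):
    """Rate one external reference by what a network fetch would do."""
    if not NETWORK_RE.match(system_id):
        return "local"
    if system_id in LOCAL_CATALOG:
        # Still confirm the parser really honours the catalog.
        return "in-catalog"
    # A missing DTD can stop the build; a fetched entity becomes content.
    return "may-stop-build" if kind == "dtd" else "may-change-output"


def audit(xml_text):
    """Return (kind, system_id, verdict) for each external reference."""
    findings = []
    for kind, pattern in (("dtd", DOCTYPE_RE), ("entity", ENTITY_RE)):
        for m in pattern.finditer(xml_text):
            findings.append((kind, m.group(1), classify(kind, m.group(1))))
    return findings


# Constructed sample documents.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE book PUBLIC "-//EXAMPLE//DTD Book//EN" "http://dtd.example.org/book.dtd" [
  <!ENTITY legal SYSTEM "legal.xml">
  <!ENTITY news SYSTEM "https://feeds.example.org/latest.xml">
]>
<book>&legal;&news;</book>
"""
OTHER = '<!DOCTYPE page SYSTEM "http://dtd.example.net/page.dtd"><page/>'

if __name__ == "__main__":
    for doc in (SAMPLE, OTHER):
        for finding in audit(doc):
            print(finding)
```
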

