
Re: Debian package security policies



On Sun, Apr 5, 2015 at 6:20 PM, Esokrates wrote:

> * Are source packages of free software packages required to only contain
> source code without binaries (maybe with the exception of the linux kernel and
> its firmware blobs)?

Yes. The Debian version of the Linux kernel is also required to only
contain source code without binaries.

https://www.debian.org/social_contract#guidelines
https://www.debian.org/News/2010/20101215

> * Inspired by the following:
> https://code.google.com/p/chromium/issues/detail?id=350913 I am asking myself
> if Debian source packages are (required to be able to) build offline? Or could
> it be that a package pulls in binaries/(source code) as part of the build
> process?
> Is Debian one of the "distributions having a strict "build from source"
> requirement. Packages are built in a restricted environment and are required
> to declare in some way what binaries they need to build. The network is not
> available"

Yes, Debian source packages are required to be able to build offline.
Not being able to do so would be an RC bug. I'm not sure if the
buildds enforce that yet though. Of course developer-built packages
might be built with online machines. pbuilder blocks network by
default, not sure about sbuild or qemubuilder though.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
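
An added example, not part of the original message and not a Debian tool: a heuristic scan of an unpacked source tree for prebuilt binaries, the condition the first answer above rules out. The magic-number table, the function names and the sample tree are constructed for illustration; a match is a prompt for review, not proof of a policy violation.

```python
import tempfile
from pathlib import Path

# Leading magic bytes of common compiled or packed formats (well-known values).
MAGIC = {
    b"\x7fELF": "ELF object",
    b"MZ": "PE/DOS executable",
    b"\xca\xfe\xba\xbe": "Java class or Mach-O fat binary",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"!<arch>\n": "ar archive (static library or .deb)",
}

def classify(path):
    """Return a label if the file starts with a known binary magic, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)  # longest magic above is 8 bytes
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None

def scan_tree(root):
    """Walk an unpacked source tree; return sorted (relative path, label) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories, symlinks and special files
        label = classify(path)
        if label:
            findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: two source files and two embedded binaries."""
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "debian/rules": b"#!/usr/bin/make -f\n%:\n\tdh $@\n",
        "third_party/libfoo.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "tools/helper.exe": b"MZ\x90\x00" + b"\x00" * 12,
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, label in scan_tree(tmp):
            print(f"{rel}: {label}")
```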

