
Re: Network access during build



On Wed, Sep 07, 2016 at 09:26:37AM -0700, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:

> > While I do agree that a package *must* be able to build without Internet
> > access (for example, the test suite should never mandate access to a
> > working DNS, or a query to a google search, both of which are real world
> > cases...), I'm not sure about the severity: serious.

> I will go farther: I am quite certain that severity: serious is simply
> wrong for things like this.

> I'm sure this is not the only package that attempts to test DNS functions
> by looking up some well-known name.  The information leak of looking up a
> well-known DNS name is minimal to nonexistent.  (What conclusions is
> someone really going to draw from a query for www.google.com or some
> similar host?)  Those test suites should ideally be made robust against
> that DNS query not working, but I don't even see a point in patching out
> attempting to run the test provided that the test tolerates the lack of
> network access to a DNS server.  In other words, as long as the test is
> okay with DNS not being available or not having access to public DNS, I
> don't think just attempting the query is a bug of any kind.  If the
> current Policy wording says that it is, well, that's a bug in Policy, IMO.

Right.  There's a difference between "must not require a network connection
in order to build", and "must not access the network during build".

The former should be a serious bug, because if your package requires the
network to build, we have a hard time auditing to make sure that the package
actually contains the source for what's built.  While some failures may
"just" be test cases, it's better to enforce a blanket policy that packages
should build without a connection to the public Internet rather than waste
time figuring out which failures "really" impact the package contents.

The latter is not a serious bug.  A build attempting to send packets to the
network may be considered a bug, but certainly not a serious one.  If you
don't want packages in your build environment talking to the Internet, you
take away their network connection, you don't try to use policy to enforce
it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
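
The point quoted above, that a test may attempt a DNS lookup as long as it tolerates the lookup failing, shown as an added example (not part of the original message and not code from any Debian package). The names `resolve_or_skip`, `offline_resolver`, `fake_online_resolver`, `run_with` and `PROBE_NAME` are hypothetical, and the resolver replies are constructed.

```python
import socket
import unittest

# Constructed sample name standing in for a "well-known" host.
PROBE_NAME = "www.example.org"


def resolve_or_skip(name, resolver=socket.getaddrinfo):
    """Try a DNS lookup; skip (not fail) when the build has no usable resolver.

    `resolver` is injectable so a build without networking can be simulated.
    """
    try:
        infos = resolver(name, 80, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        # socket.gaierror is a subclass of OSError, so this covers both
        # "name resolution failed" and "network unreachable".
        raise unittest.SkipTest(f"no network/DNS in build environment: {exc}")
    return sorted({info[4][0] for info in infos})


class DnsLookupTest(unittest.TestCase):
    resolver = staticmethod(socket.getaddrinfo)

    def test_lookup_returns_addresses(self):
        addrs = resolve_or_skip(PROBE_NAME, self.resolver)
        self.assertTrue(addrs)


def offline_resolver(*args, **kwargs):
    """Stand-in for getaddrinfo in a build chroot with networking removed."""
    raise socket.gaierror(-3, "Temporary failure in name resolution")


def fake_online_resolver(name, port, proto=0):
    """Constructed getaddrinfo-shaped reply (RFC 5737 documentation address)."""
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", ("192.0.2.10", port))]


def run_with(resolver):
    """Run the test case against `resolver`; return (failures+errors, skipped)."""
    case = type("Case", (DnsLookupTest,), {"resolver": staticmethod(resolver)})
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(case)
    result = unittest.TestResult()
    suite.run(result)
    return len(result.failures) + len(result.errors), len(result.skipped)
```

With the offline resolver the test is reported as skipped, so the build still succeeds without a network connection.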
