Sean Whitton <spwhitton@spwhitton.name> writes: > Hello Jérémy, > > On Tue, Oct 03 2017, Jérémy Lal wrote: > >> It might be a good idea to make policy more explicit about downloads >> during build. > > I'm not sure how it could be more explicit: > > For packages in the main archive, no required targets may attempt > network access. The problem seems to be that Praveen reads that prohibition as implying that it is totally OK to do this when not in main. This strikes me as equivalent to reading: All men are mortal, Socrates is a man, and concluding that women are immortal. The correct way to read this bit of policy is that network access during build is considered such a bad idea that it is not allowed under any circumstances in Debian proper (main). That being the case, it is a safe bet to assume that it's a bad idea in packages in contrib and non-free too. If one wants to vary from that, the reason should be made very clear indeed. I don't believe that Praveen has provided any real justification for needing network access, beyond his opinion that policy allows it. I suspect that in the particular case of using rollup, it is even worse than Simon McVittie eloquently describes in his mail to this thread. A quick read of rollup's changelog shows that they have had about 30 releases since July, that they've recently had a major refactoring, and that every release since that refactoring has involved fixing that refactoring. They had a release within a day of Praveen's changelog entry for the package, so it's not completely obvious which version of rollup would have been used for the package build, but chances are that he used one version, and that within 24 hours nobody, not even Praveen, would be certain of being able to reproduce that package because it would then be using a new version of rollup to do all the work. They've had another release since -- more fixups for the refactoring. I'm astonished that Praveen thinks it is sensible to build on these shifting sands. My astonishment is then only magnified at every step: o When it is pointed out, still not realising the folly of this. o Running to policy, looking for excuses. o Blaming ftp masters for not noticing these flaws. o Insisting that the TC needs to be involved to fix the mess Should we really try to make policy forbid all the foolish ways in which one might try to assemble a package, in order to ensure that there is nowhere for people to hide in policy? I think not. It would seem much more straightforward to remove the upload rights from people who insist on repeating this sort of behaviour incessantly. Praveen, please don't do it again. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Attachment:
signature.asc
Description: PGP signature