
Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing



On Wednesday 04 October 2017 09:57 PM, Gunnar Wolf wrote:
> So, what happens currently? Do the affected packages FTBFS? (that,
> IMHO, would be a *good* thing, as we would only need to patch Policy
> to reflect reality)

It seems the FTBFS is not on the official buildds, but other archive-wide
build services have a stricter policy on network access and will
result in a serious bug.

> No. It does not only change the perception. You ship a pre-built
> binary as part of your sources, then the build process (with, yes, a
> piece of untrusted blob... But still, that's as far as we can get)
> will happen across our buildds, or by whoever wants to NMU, or even by
> yourself days or weeks later, with a piece of software known to yield
> the package as it got built. We will not be bitten by a random site
> being unexpectedly offline, or by a transpiler changing some
> command-line options without notifying us (to mention only two
> possible issues)
> 

It is always npmjs.com, which the entire nodejs community depends on.
While it is not impossible for this to go down, the chances are low.
And even if it fails at some point, a rebuild later would produce the
exact same binary.

And for getting predictable builds, we can lock down the dependencies to
exact versions with cryptographic checksums. yarn [1] and npm [2] both
support this.

Though it will require updating npm to a newer version [3] and/or
packaging yarn [4] (both are in progress).

If I were to use one of these lock files so the build process becomes
reproducible, would it be agreeable for you? (Not an immediate option,
but it may be possible in the future.)

In the short term, I will switch to including pre-built files and will
revisit this situation when/if either npm or yarn with the locking feature
is available in the archive.

[1] https://yarnpkg.com/lang/en/docs/yarn-lock/
[2] https://docs.npmjs.com/files/package-lock.json
[3] https://wiki.debian.org/Javascript/Nodejs/Tasks/npm
[4] https://wiki.debian.org/Javascript/Nodejs/Tasks/yarn

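The lock-file pinning with cryptographic checksums that the reply above refers to works by recording, for every dependency, the exact resolved tarball URL and a Subresource Integrity (SRI) digest of that tarball; a later rebuild either fetches bytes that hash to the same digest or fails. The following is an added example illustrating that check, not code from this thread, from npm or from yarn. The lockfile-v1 fragment, the package names, versions, `resolved` URLs and the tarball bytes are all constructed stand-ins.

```python
"""
Verify fetched npm tarballs against the SRI checksums recorded in a
package-lock.json (lockfile v1 layout), and flag entries that are not pinned.
Added example; the lock data and tarball bytes below are constructed.
"""
import base64
import hashlib
import json

SUPPORTED_ALGOS = {"sha256", "sha384", "sha512"}


def parse_sri(integrity):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in SUPPORTED_ALGOS or not b64:
        raise ValueError(f"unsupported or malformed integrity value: {integrity!r}")
    return algo, base64.b64decode(b64, validate=True)


def make_sri(data, algo="sha512"):
    """Produce the SRI string a lock file would record for these tarball bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_artifact(data, integrity):
    """True iff the bytes hash to the digest named in the lock entry."""
    algo, expected = parse_sri(integrity)
    return hashlib.new(algo, data).digest() == expected


def load_lock(path):
    """Read a package-lock.json from disk (not used by the demo, which is offline)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_lock(lock, fetched):
    """Return a list of problems for the lock's 'dependencies' map.

    fetched maps package name -> tarball bytes obtained from the registry.
    An entry without both 'resolved' and 'integrity' is not pinned, so a
    rebuild could silently pull different code; that is reported as well.
    """
    problems = []
    for name, entry in lock.get("dependencies", {}).items():
        integrity = entry.get("integrity")
        if not integrity or not entry.get("resolved"):
            problems.append(f"{name}: not pinned (missing resolved/integrity)")
            continue
        if name not in fetched:
            problems.append(f"{name}: tarball not fetched")
            continue
        if not verify_artifact(fetched[name], integrity):
            problems.append(f"{name}: checksum mismatch for {entry['resolved']}")
    return problems


# Constructed stand-in tarball contents (real ones are gzipped tar archives).
GOOD_TARBALL = b"constructed sample tarball bytes for d3-color"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n// constructed modification"

# Constructed lockfile-v1 fragment; version and resolved URL are placeholders.
LOCK = {
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "d3-color": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.example.invalid/d3-color/-/d3-color-placeholder.tgz",
            "integrity": make_sri(GOOD_TARBALL),
        },
        # Unpinned entry: only a version range, no resolved URL or digest.
        "unpinned-dep": {"version": "^1.0.0"},
    },
}


def demo():
    """Run the check once with genuine bytes and once with altered bytes."""
    ok = check_lock(LOCK, {"d3-color": GOOD_TARBALL})
    bad = check_lock(LOCK, {"d3-color": TAMPERED_TARBALL})
    return ok, bad


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine fetch :", genuine)
    print("tampered fetch:", tampered)
```

The point of the example is the second run: once the digest is in the lock file, a registry serving different bytes for the same URL (or a transpiler producing different output, to use the concern raised above) shows up as a checksum mismatch rather than as a silently different binary. The unpinned entry is reported on both runs, because a lock file only buys reproducibility for entries that actually carry a `resolved` URL and an `integrity` digest.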