
Access to online resources in maintainer scripts

There are several packages which download files from the Internet at configuration time. Most of them are non-free packages which can't include these files for legal reasons. In general, such behavior is very inconvenient, because it prevents such packages from being installed on offline systems where package files are transferred using some other mechanism (e.g. an offline mirror). Also, some of these packages may not verify the integrity of these files, which may result in these packages being insecure.

Currently, I haven't found such behavior regulated or even mentioned in the Debian Policy Manual or any other regulatory documents. I think that the following rules should be added:

* Access to the network from maintainer scripts should only be allowed for non-free packages, and only to download data that can't be included in the package for legal reasons. Such downloads should take place at configure time.
* The integrity of all downloaded data should be checked, probably by using cryptographic hashes stored in the package itself.
* Packages should behave in a certain consistent manner in the case the network is not available.
* There should be a switch that would disable network access for maintainer scripts, in case it is not desirable. There should probably also be a way to transfer these files manually or to provide an alternative location for them.

There should probably also be some helper script which maintainer scripts could use to easily do all of the above.
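As an added illustration (not part of the original message, and not an existing Debian tool), here is a minimal POSIX sh helper of the kind proposed above: it prefers a manually transferred copy, honours a switch that disables network access, verifies the downloaded file against a SHA-256 hash shipped in the package, and fails with a fixed set of exit codes so that every maintainer script behaves the same way when the network is unavailable. The function name `fetch_verified`, the environment variables `PKG_NETWORK` and `PKG_FILES_DIR`, and the use of `curl` and `sha256sum` are assumptions for this example.

```shell
#!/bin/sh
# fetch_verified: obtain a file for a maintainer script and verify it.
# Hypothetical helper written for this example; names are not Debian conventions.
#
# Usage: fetch_verified URL EXPECTED_SHA256 DEST
#
# Environment (assumed names):
#   PKG_FILES_DIR=/path  directory where an administrator has placed the file
#                        by hand (checked first, so the network is never needed)
#   PKG_NETWORK=off      never touch the network, even if no local copy exists
#
# Exit codes (so callers can react consistently):
#   0 file placed at DEST and checksum matched
#   1 checksum mismatch (the file is discarded)
#   2 file unavailable: network disabled or download failed
#   3 local copy could not be read

fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    name=${url##*/}          # basename of the URL, used as the local file name
    tmp="$dest.tmp"          # write to a temp file, move into place only if valid

    if [ -n "$PKG_FILES_DIR" ] && [ -f "$PKG_FILES_DIR/$name" ]; then
        # Manually transferred copy takes precedence over any download.
        cp "$PKG_FILES_DIR/$name" "$tmp" || return 3
    elif [ "${PKG_NETWORK:-on}" = "off" ]; then
        echo "network access disabled; place $name in \$PKG_FILES_DIR" >&2
        return 2
    else
        # curl: fail on HTTP errors, be quiet, follow redirects (assumes curl is installed)
        curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    fi

    # The expected hash is shipped inside the package; never trust the remote side for it.
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "checksum mismatch for $name (expected $expected, got $actual)" >&2
        return 1
    fi

    mv "$tmp" "$dest"
}

# Allow direct invocation: fetch_verified.sh URL SHA256 DEST
if [ $# -ge 3 ]; then
    fetch_verified "$@"
fi
```

A maintainer script would call this from `postinst configure` with the hash taken from a file installed by the package, and could map exit code 2 to either a clear failure or a deferred "run `dpkg-reconfigure` once the file is available" message, which is the consistent offline behaviour the proposal asks for.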

Alternatively, it may be better to modify the package manager to handle the task of downloading these files. Perhaps a special header in package metadata would include URLs of the necessary files and their checksums.

Any suggestions?

