Re: Access to online resources in maintainer scripts

To: debian-policy@lists.debian.org
Subject: Re: Access to online resources in maintainer scripts
From: Stuart Prescott <stuart@debian.org>
Date: Mon, 28 Jul 2014 10:20:08 +1000
Message-id: <[🔎] lr450e$pb1$1@ger.gmane.org>
References: <[🔎] 53D57814.2080901@gmail.com>

Hi!

I do like the idea of policy giving a very strong steer to maintainers that 
there are some minimum things that must be done correctly in downloader 
packages like these.

> * Access to network from maintainer scripts should be only allowed for
> non-free packages, only to download data that can't be included into the
> package for legal reasons. Such download should take place at configure
> time. 

To be strictly correct, most of these packages are in contrib not non-free. 
What is in the package is the downloader which is free software (it's a 
script written by the maintainer) while it relies on things outside the 
archive so cannot be in main. (just s/non-free/contrib or non-free/ over 
your text and it's all fine)


> * Integrity of all downloaded data should be checked, probably by
> using cryptographic hashes stored in the package itself. 

Can we split that in two? 

  * Integrity of data must be checked.

  * It (may|should) be checked against cryptographic hashes stored in the 
package itself. 

Note that packages like flashplugin-nonfree keep the hashes on 
people.debian.org which allows the package to keep pace with upstream 
changes without needing to update the package in stable all the time. (this 
is both good and bad, of course, as recently discussed on d-devel)

> There should probably also be some helper script which maintainer scripts
> could use to easily do all of the above.

So here we're going to hit up against disagreements about what policy is 
supposed to do. On one hand, it is supposed to document current standard 
practice while on the other hand it is able to provide leadership. Whether 
things are current and standard or a matter of leadership is often a matter 
of opinion but policy clearly can't mandate or even recommend the use of 
non-existent code. 

Working with the maintainers of a couple of these downloader packages to 
develop a suitable amount of shareable code to then be able to do this 
properly across all packages would be the first step; there was an offer 
from the maintainer of a game data downloader on d-devel to work towards 
this goal.

    https://lists.debian.org/debian-devel/2014/06/msg00261.html

cheers
Stuart


-- 
Stuart Prescott    http://www.nanonanonano.net/   stuart@nanonanonano.net
Debian Developer   http://www.debian.org/         stuart@debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7

Reply to:

References:
- Access to online resources in maintainer scripts
  - From: Evgeny Kapun <abacabadabacaba@gmail.com>

Prev by Date: Access to online resources in maintainer scripts
Next by Date: Re: where to maintain DEP8^W autopkgtest spec now
Previous by thread: Access to online resources in maintainer scripts
Next by thread: Re: Access to online resources in maintainer scripts
Index(es):
- Date
- Thread