
Bug#905401: permit access to apt repositories during builds



Hi,

Ian Jackson wrote:

> Apropos of discussion in #813471:
>
> Paul writes:
>> In addition, d-i relies on access to the apt repo for the system.
>> I can imagine other uses of that, so I added a carve-out for that.
>
> In general I think this should be done by saying that packages may
> access the apt repository.  Binaries, and sources, because packages
> cannot depend on each others' sources and implementing that is a lot
> of work.
>
> See
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813471#126
> for a more extended rationale for permitting access to sources
> as well as binaries.

My feeling is that this should be an outside-policy carveout, since it
makes many applications (e.g., analyzing the build graph, especially
when needed for bootstrapping) no longer possible.

That said,

[...]
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -288,6 +288,13 @@ For packages in the main archive, no required targets may attempt
>  network access, except, via the loopback interface, to services on the
>  build host that have been started by the build.
>  
> +Nevertheless, required targets may use ``apt`` to access the apt
> +repositories provided by the build environment (which are those which
> +were used to resolve the package's build-dependencies).  If
> +appropriate, :ref:`Built-Using <s-built-using>`` must then be
> +declared.  It is permitted to download both binaries and/or sources.
> +However, this facility should not normally be used.
> +
>  The targets are as follows:
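
Review bot: The Built-Using cross-reference in the added paragraph is closed with two backticks (:ref:`Built-Using <s-built-using>``), while a reST role ends with a single backtick, so the reference will not render as a link; drop the extra backtick. In the following sentence, "both binaries and/or sources" mixes two constructions, and "binaries, sources, or both" would read more clearly. The paragraph also leaves "If appropriate" undefined, so it would help to say when a download from the repository makes a Built-Using declaration necessary.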

Seconded.

This doesn't mean I like the change.  It just means that I think this
reflects the outcome of the discussion you cited.  My understanding is
that the current policy process doesn't require me to check that the
main relevant stakeholders among those who haven't spoken up have
weighed in, since they can propose additional changes to address any
harms.

Thanks and hope that helps,
Jonathan

