Bug#905401: permit access to apt repositories during builds

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: 905401@bugs.debian.org
Subject: Bug#905401: permit access to apt repositories during builds
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Fri, 3 Aug 2018 23:25:16 -0700
Message-id: <[🔎] 20180804062516.GC55869@aiede.svl.corp.google.com>
Reply-to: Jonathan Nieder <jrnieder@gmail.com>, 905401@bugs.debian.org
In-reply-to: <[🔎] 23397.17306.279334.874003@chiark.greenend.org.uk>
References: <[🔎] 23397.13390.61757.896086@chiark.greenend.org.uk> <[🔎] 20180804055857.GA55869@aiede.svl.corp.google.com> <[🔎] 23397.17306.279334.874003@chiark.greenend.org.uk> <[🔎] 23397.13390.61757.896086@chiark.greenend.org.uk>

Ian Jackson wrote:
> Jonathan Nieder writes ("Re: permit access to apt repositories during builds"):

>> My feeling is that this should be an outside-policy carveout, since it
>> makes many applications (e.g., analyzing the build graph, especially
>> when needed for bootstrapping) no longer possible.
>
> I don't really agree with the basic concept of an "outside-policy
> carveout".

That's reasonable.  Tool authors may want to know what they can count
on, and using policy to document what we need to support, even when it is
for a small number of special-case packages, can be useful for that
purpose.

One way to limit the harm is to be more explicit about this being a
discouraged practice, for example by naming the limited set of use
cases where we permit it.

>             Also, this is the only way to implement many important and
> useful things.

Can you list some of them?

You mentioned the Xen package not wanting to bother package
maintainers to introduce -source packages to build-depend on, and I
don't find this particularly compelling --- most package maintainers
don't feel bothered when a feature request comes with a patch. ;-)  On
the other hand, I do agree with a related reason: a -source package
that is only useful for satisfying build-depends clutters up the
package list and makes it harder for a system administrator to find
the packages they need.

So I'd be very happy to see a way to declare a Build-Depends on a
source package.

The udeb case seems similar --- it's working around a lack of support
for declaring a Build-Depends on a udeb.

Am I understanding correctly?  Can we handle the full set of use cases
with some improvements in what Build-Depends supports?

> But I think you do have a legitimate concern.  I think we probably
> want to add a mechanism for a package to declare (eg in its buildinfo
> or changes maybe?) what it got from apt.  What do you think ?

If we're going that far, I think we might as well do a before-the-fact
declaration in Build-Depends.

>> Seconded.
>
> Thanks.

Thank you for writing the patch.  Even despite what I've written
above, having the existing practice documented seems preferable over
leaving it undocumented.

Sincerely,
Jonathan

Reply to:

References:
- Bug#905401: permit access to apt repositories during builds
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#905401: permit access to apt repositories during builds
  - From: Jonathan Nieder <jrnieder@gmail.com>
- Bug#905401: permit access to apt repositories during builds
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Repo to accept translations
Next by Date: Debian Policy Manual now accepting translations
Previous by thread: Bug#905401: permit access to apt repositories during builds
Next by thread: How to ensure the consultation of stakeholders (was: Bug#905401: permit access to apt repositories during builds)
Index(es):
- Date
- Thread