Bug#905401: permit access to apt repositories during builds



On Sat, 4 Aug 2018 06:06:22 +0100 Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:
> Package: debian-policy
> Version: 4.2.0.1
> Tags: patch
> 
> Apropos of discussion in #813471:
> 
> Paul writes:
> > In addition, d-i relies on access to the apt repo for the system.
> > I can imagine other uses of that, so I added a carve-out for that.
> 
> In general I think this should be done by saying that packages may
> access the apt repository.  Binaries, and sources, because packages
> cannot depend on each others' sources and implementing that is a lot
> of work.
> 
> See
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813471#126
> for a more extended rationale for permitting access to sources
> as well as binaries.
> 
> 
> diff --git a/policy/ch-source.rst b/policy/ch-source.rst
> index d6a21b8..2d6f9ea 100644
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -288,6 +288,13 @@ For packages in the main archive, no required targets may attempt
>  network access, except, via the loopback interface, to services on the
>  build host that have been started by the build.
>  
> +Nevertheless, required targets may use ``apt`` to access the apt
> +repositories provided by the build environment (which are those which
> +were used to resolve the package's build-dependencies).  If
> +appropriate, :ref:`Built-Using <s-built-using>`` must then be
> +declared.  It is permitted to download both binaries and/or sources.
> +However, this facility should not normally be used.
> +
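
Review bot: The cross-reference in the added paragraph, ":ref:`Built-Using <s-built-using>``", opens with one backtick and closes with two, so the role will not render as a link; drop the extra closing backtick. In the same paragraph, "If appropriate" does not say when a Built-Using declaration is required, and "both binaries and/or sources" would read better as "binaries, sources, or both". The closing sentence "this facility should not normally be used" gives no criterion for the exceptional case, so it would help to state who decides or which conditions justify it.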

This seems potentially quite problematic.

First of all, this isn't something we should allow arbitrary packages to
use. If we have to do this at all, I'd suggest that we explicitly say
that packages should *not* do this in general, and that if they must do
so, any such usage should be explicitly discussed and approved on
debian-devel first, and only after determining that no other mechanism
will work.

Second, I don't think it's appropriate to guarantee that any package
*other* than those with declared Build-Depends will exist. It's
completely reasonable to build a package with a repository containing
nothing other than its build-dependencies.

Third, under normal circumstances you are *not* required to have deb-src
lines in sources.list. This would be the first instance I'm aware of
that would require that.

In the absence of some specific dependency mechanism, this seems like a
fast way to end up with packages that will only build in particular
environments that aren't fully described by their declared requirements
in debian/control.

Why don't we make a specific exception for d-i in the short term, in the
hopes that in the long term we'll have a way to handle dependencies on
sources (and, for that matter, ways to incorporate the Build-Depends of
another package into your own Build-Depends, though sometimes you'll
just need a subset).

