Bug#1104643: Don't consider tests during build that can use internet if available as rc buggy
On Mon, May 05, 2025 at 11:19:09AM +0200, Bill Allombert wrote:
> On Sat, May 03, 2025 at 09:11:21PM +0530, Pirate Praveen wrote:
> > Package: debian-policy
> > Version: 4.7.2.0
>
> > Current policy text says:
> >
> > > Except for packages in the non-free archive with the Autobuild control
> > > field unset or set to no,
> > > required targets must not attempt network access, except, via the loopback
> > > interface,
> > > to services on the build host that have been started by the build.
> >
> > I think it should be changed to,
> >
> > > Except for packages in the non-free archive with the Autobuild control
> > > field unset or set to no,
> > > required targets must not require network access, except, via the loopback
> > > interface,
> > > to services on the build host that have been started by the build.
> >
> > I think enforcing there is no internet access is a better way to achieve the
> > goal of actually ensuring there is no internet during build rather than
> > considering packages that can use internet when available for tests as rc
> > buggy.
>
> I disagree. This was not the consensus at the time I made this change to policy, and
> I do not think it is the consensus now. We want more reproducible builds, not
> depending on external resources that are bound to change, and not being tracked via
> server logs. In your case building the package with internet access
> - fails if timestamp.digicert.com is down
> - leaks the system IP to DIGICERT
I agree.
> Completely disabling access to internet during a build is harder than it sounds.
I believe it is irrelevant how hard it is to disable Internet access
at build time. Even if it was easy, we did not want to require
disabling Internet access.
What we wanted, was that packages do not require, and also not
optionally talk to services on the Internet by default, at least at
build time.
IMO the policy wording is fine, and 1104509 needs to be fixed in the
package.
Best,
Chris