On Sat, May 03, 2025 at 09:11:21PM +0530, Pirate Praveen wrote:
> Package: debian-policy
> Version: 4.7.2.0

Dear Pirate,

> Control: block 1104509 by -1

As a general policy, such a block is inappropriate. Packages are supposed to
comply with policy at the time they are uploaded. They cannot depend on a
future potential policy update.

> Current policy text says:
> 
> > Except for packages in the non-free archive with the Autobuild control
> > field unset or set to no, required targets must not attempt network
> > access, except, via the loopback interface, to services on the build
> > host that have been started by the build.
> 
> I think it should be changed to,
> 
> > Except for packages in the non-free archive with the Autobuild control
> > field unset or set to no, required targets must not require network
> > access, except, via the loopback interface, to services on the build
> > host that have been started by the build.
> 
> I think enforcing there is no internet access is a better way to achieve the
> goal of actually ensuring there is no internet during build rather than
> considering packages that can use internet when available for tests as rc
> buggy.

I disagree. This was not the consensus at the time I made this change to
policy, and I do not think it is the consensus now. We want more
reproducible builds, not depending on external resources that are bound to
change, and not being tracked via server logs. In your case building the
package with internet access
- fails if timestamp.digicert.com is down
- leaks the system IP to DIGICERT

Completely disabling access to internet during a build is harder than it sounds.
 
Cheers,
-- 
Bill. <ballo...@debian.org>

Imagine a large red swirl here. 
