(Cced the relevant bug report)

On 31/10/06 at 23:50 -0500, Anthony DeRobertis wrote:
> Lucas Nussbaum wrote:
>
> > Some packages (e.g. choose-mirror) fetch a newer version of a file during
> > build if it's possible to fetch that file. I don't think this is RC,
> > since the file is not missing from the package if the network is not
> > available.
>
> In general, I strongly suspect that fetching updated source during build
> is RC due to a violation of the Social Contract: the source we are
> shipping intentionally does not correspond to the binary package.
>
> I'm not sure if the above applies to choose-mirror. In particular, if
> the file shipped in the binary is its own source, then it doesn't.
> However, I'd still say it's a bad idea, and a bug (maybe even RC). Some
> more general reasons (not all necessarily apply to choose-mirror)
>
> * changes to the package are not reflected in the changelog
> * random network or remote server issues can cause a broken (or
>   worse) build. What happens if the file on the server is corrupted?
> * builds are no longer repeatable. Different source may even wind up
>   built on different architectures.
> * the package is much harder to NMU. What should be a spelling fix
>   suddenly becomes a large change (due to the automated source
>   pull), unbeknown to the NMU-er. Same problem for the security team.
> * the supposedly-signed source package isn't really; it's pulling
>   unsigned source for the build
>
> Also, depending on what is being downloaded from the network, there
> could be security issues. What happens if the server is compromised?

While I fully agree with you on all points, I think that this should be
discussed post-etch with the general question of "in which environment
are packages supposed to build ?".

There are other similar issues, like:
- should packages allow to build as root ? (aegis, bazaar, subversion
  don't)
- should packages build the same if they are built in a minimal Debian
  environment only satisfying their b-dep, and in a system with lots of
  useless packages installed ?

There are RC bugs to fix now ;)
-- 
| Lucas Nussbaum
| [EMAIL PROTECTED]   http://www.lucas-nussbaum.net/ |
| jabber: [EMAIL PROTECTED]             GPG: 1024D/023B3F4F |
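
An added example, not part of the thread or of any Debian tool: one way to detect the situation discussed above is to hash the unpacked source tree before the build and report every shipped file whose content differs afterwards. The tree, the file name `mirrors.list` and the simulated build step are constructed for the illustration.

```python
import hashlib
import os
import tempfile

def snapshot(tree):
    """Map each regular file under tree (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(tree):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue  # only the contents of shipped regular files are compared
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, tree)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def changed_sources(before, after):
    """Shipped files whose content differs, or which are gone, after the build.

    Files that exist only in `after` are ordinary build output and are ignored.
    """
    return sorted(p for p, digest in before.items() if after.get(p) != digest)

def simulated_build(tree):
    """Constructed stand-in for a build that refreshes a data file when a
    download succeeds; no network is used here."""
    with open(os.path.join(tree, "mirrors.list"), "w") as fh:
        fh.write("mirror-a.example\nmirror-c.example\n")  # the "newer" copy
    with open(os.path.join(tree, "output.bin"), "w") as fh:
        fh.write("built\n")  # legitimate build product

def demo():
    with tempfile.TemporaryDirectory() as tree:
        # Constructed source tree: one data file and one file the build leaves alone.
        with open(os.path.join(tree, "mirrors.list"), "w") as fh:
            fh.write("mirror-a.example\nmirror-b.example\n")
        with open(os.path.join(tree, "main.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        before = snapshot(tree)
        simulated_build(tree)
        return changed_sources(before, snapshot(tree))

if __name__ == "__main__":
    print(demo())
```

On a real package the first snapshot would be taken right after unpacking the source and the second after the build; files flagged this way still need review, since some builds regenerate shipped files without any download.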