Le jeudi, 5 octobre 2017, 13.29:16 h CEST Ian Jackson a écrit : > I have also heard of packages which do "apt-get source" in their rules > files.
debian-installer-netboot-images does a similar thing, but it's more of a shell re-implementation of a trust chain check: http://sources.debian.net/src/debian-installer-netboot-images/ 20170615%2Bdeb9u1/get-images.sh/ (Patches welcome, of course) The reason for that (and #807168 documents this) is that: * d-i-n-i binary packages are arch:all packages with arch-specific content; because we want to ship any arch's netboot images on all architectures; and forcing the use of multiarch for that is overkill. * building these arch:all packages in an arch:any build (such as d-i's) is not supported and would be a heavy arm-twisting of our buildd infrastructure. tl;dr; It's certainly no good, but it's the best we have. > I think that both of these activities are reasonable things to do. > They don't violate the self-containedness of Debian. If they are > technically forbidden by policy then policy should be changed. Well. #807312 tracks a way to eventually do the above in a policy-compliant way: build arch:any packages containing netboot images and build d-i-n-i using multiarch Build-Depends. As for changing Policy; what matters is that we ultimately build things from known and DFSG-free _sources_, in a reproducible way. dpkg, apt and sbuilds are just (_FANTASTIC_) means to that end. So we either need better tooling than the above hideous shell, or massage everything into existing tooling. I prefer the "there's a RC bug to fix" situation over a "weaker policy", for now. Cheers, OdyX
