Web lists-archives.com

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

Sean Whitton <spwhitton@xxxxxxxxxxxxxx> writes:

> Hello Jérémy,
> On Tue, Oct 03 2017, Jérémy Lal wrote:
>> It might be a good idea to make policy more explicit about downloads
>> during build.
> I'm not sure how it could be more explicit:
>     For packages in the main archive, no required targets may attempt
>     network access.

The problem seems to be that Praveen reads that prohibition as implying
that it is totally OK to do this when not in main.

This strikes me as equivalent to reading:

  All men are mortal, 
  Socrates is a man,

and concluding that women are immortal.

The correct way to read this bit of policy is that network access during
build is considered such a bad idea that it is not allowed under any
circumstances in Debian proper (main).

That being the case, it is a safe bet to assume that it's a bad idea in
packages in contrib and non-free too.

If one wants to vary from that, the reason should be made very clear

I don't believe that Praveen has provided any real justification for
needing network access, beyond his opinion that policy allows it.

I suspect that in the particular case of using rollup, it is even worse
than Simon McVittie eloquently describes in his mail to this thread.

A quick read of rollup's changelog shows that they have had about 30
releases since July, that they've recently had a major refactoring, and
that every release since that refactoring has involved fixing that

They had a release within a day of Praveen's changelog entry for the
package, so it's not completely obvious which version of rollup would
have been used for the package build, but chances are that he used one
version, and that within 24 hours nobody, not even Praveen, would be
certain of being able to reproduce that package because it would then be
using a new version of rollup to do all the work.

They've had another release since -- more fixups for the refactoring.

I'm astonished that Praveen thinks it is sensible to build on these
shifting sands.  My astonishment is then only magnified at every step:

  o  When it is pointed out, still not realising the folly of this.
  o  Running to policy, looking for excuses.
  o  Blaming ftp masters for not noticing these flaws.
  o  Insisting that the TC needs to be involved to fix the mess

Should we really try to make policy forbid all the foolish ways in which
one might try to assemble a package, in order to ensure that there is
nowhere for people to hide in policy?  I think not.

It would seem much more straightforward to remove the upload rights from
people who insist on repeating this sort of behaviour incessantly.

Praveen, please don't do it again.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Attachment: signature.asc
Description: PGP signature