Web lists-archives.com

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

Gunnar Wolf writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"):
> Pirate Praveen dijo [Wed, Oct 04, 2017 at 04:52:37PM +0530]:
> > But debian buildds already prohibit network access during build and
> > these packages has to be binary included always. So the theoretical
> > security issue never manifests in practice.
> So, what happens currently? Do the affected packages FTBFS? (that,
> IMHO, would be a *good* thing, as we would only need to patch Policy
> to reflect reality)

AIUI right now the packages are not being built on the buildds,
because they've been uploaded with the binaries (which are arch:all).
Anyway, Pirate says he's going to get rid of the downloading at build
so this is a non-issue for these packages.

I'm not sure what you think is wrong with policy.  Sean quoted the
statement forbidding network access during build.

> No. It does not only change the perception. You ship a pre-built
> binary as part of your sources, then the build process (with, yes, a
> piece of untrusted blob... But still, that's as far as we can get)
> will happen across our buildds, or by whoever wants to NMU, or even by
> yourself days or weeks later, with a piece of software known to yield
> the package as it got built. We will not be bitten by a random site
> being unexpectedly offline, or by a transpiler changing some
> command-line options without notifying us (to mention only two
> possible issues)

These are all very good reasons, and including a prebuilt blob in the
source package(s) is clearly much better.  But I still think this is
not what contrib/sid is for.