- Date: Thu, 05 Oct 2017 21:03:54 +0200
- From: Didier 'OdyX' Raboud <odyx@xxxxxxxxxx>
On Thursday, 5 October 2017, 13:29:16 CEST, Ian Jackson wrote:
> I have also heard of packages which do "apt-get source" in their rules

debian-installer-netboot-images does a similar thing, but it's more of a shell
re-implementation of a trust chain check:

(Patches welcome, of course)

The reason for that (and #807168 documents this) is that:

* d-i-n-i binary packages are arch:all packages with arch-specific content;
  because we want to ship any arch's netboot images on all architectures; and
  forcing the use of multiarch for that is overkill.
* building these arch:all packages in an arch:any build (such as d-i's) is not
  supported and would be a heavy arm-twisting of our buildd infrastructure.

tl;dr; It's certainly no good, but it's the best we have.

> I think that both of these activities are reasonable things to do.
> They don't violate the self-containedness of Debian. If they are
> technically forbidden by policy then policy should be changed.

Well. #807312 tracks a way to eventually do the above in a policy-compliant
way: build arch:any packages containing netboot images and build d-i-n-i using

As for changing Policy; what matters is that we ultimately build things from
known and DFSG-free _sources_, in a reproducible way. dpkg, apt and sbuilds
are just (_FANTASTIC_) means to that end. So we either need better tooling
than the above hideous shell, or massage everything into existing tooling. I
prefer the "there's a RC bug to fix" situation over a "weaker policy", for now.