Web lists-archives.com

Re: What can Debian do to provide complex applications to its users?

On 19/02/2018 14:28, Samuel Thibault wrote:
> Raphael Hertzog, on lun. 19 févr. 2018 15:19:59 +0100, wrote:
>> On Fri, 16 Feb 2018, Jonathan Carter (highvoltage) wrote:
>>>> - we could relax our requirements and have a way to document the
>>>>   limitations of those packages (wrt our usual policies)
>>> Which requirements are you referring to? If it's relaxing the need for
>>> source for minified javascript, then no thanks.
>> Instead of requiring the source to be provided in the source package as a
>> non-minified file, we could require the packager to document in
>> debian/README.source where the upstream sources actually are.
> But what if that upstream website goes down? We don't have the source
> any more. Better at least keep a copy of the tarball.

I second this, for multiple reasons. If we go to a 'container capturing
a non-Debian build' approach we should always capture the sources
involved - for security tracking at least. e.g. Maven for Java seems to
be particularly bad at pulling JARs and other components randomly, often
over HTTP not HTTPS and without signatures, etc.  Gradle even does <pull
fragment of code from http:x and insert here> which is scary.

One step towards a fully proper Debian build and packaging is an 
infrastructure to at least capture all the sources involved in
containers and track them.

> Samuel


Alastair McKinstry, <alastair@xxxxxxxx>, <mckinstry@xxxxxxxxxx>, https://diaspora.sceal.ie/u/amckinstry
Commander Vimes didn’t like the phrase “The innocent have nothing to fear,”
 believing the innocent had everything to fear, mostly from the guilty but in the longer term
 even more from those who say things like “The innocent have nothing to fear.”
 - T. Pratchett, Snuff