Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-06 Thread Russ Allbery
Sean Whitton  writes:

> We have two seconded solutions, so you and I should perhaps break the
> tie.  I prefer the Bill's 'Autobuild: no' solution as the more
> conservative change: we only have data about packages that are currently
> autobuilt, not those that aren't, so we might be making those buggy if
> we just ban network access for all non-free packages.  How about you?

Yup, let's go with Bill's change since it's a bit more conservative.  I
think it accomplishes the same goal.

-- 
Russ Allbery (r...@debian.org)  



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-06 Thread Holger Levsen
On Fri, Apr 05, 2024 at 09:49:58PM +0200, Aurelien Jarno wrote:
> If we go that route, here is a proposed alternative patch:
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,7 +338,8 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> +Except for packages in the non-free archive with the ``Autobuild``
> +control field unset or set to ``no``, required targets must not attempt
>  network access, except, via the loopback interface, to services on the
>  build host that have been started by the build.

seconded as well.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

There never has been more knowledge in the world with less conclusions.
(Die Goldenen Zitronen, 1996 or so)




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-06 Thread Tobias Frost
On Fri, Apr 05, 2024 at 09:49:58PM +0200, Aurelien Jarno wrote:
> On 2024-04-04 22:38, Bill Allombert wrote:
> > On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
> > > I'm not sure what I think about that.  We have a general escape hatch
> > > already for non-free packages in Policy 2.2.3 that says they may not fully
> > > comply with Policy, which may be sufficient. 
> > 
> > But precisely, we _do_ want non-free packages that are built on the autobuilders
> > to comply with this requirement. So we do not want 2.2.3 to apply in that
> > specific case. It seems cleaner to say that the requirement only applies if
> > Autobuild: yes is declared.
> 
> If we go that route, here is a proposed alternative patch:
> 
> --- a/policy/ch-source.rst
> +++ b/policy/ch-source.rst
> @@ -338,7 +338,8 @@
>  For example, the build target should pass ``--disable-silent-rules``
>  to any configure scripts.  See also :ref:`s-binaries`.
>  
> -For packages in the main archive, required targets must not attempt
> +Except for packages in the non-free archive with the ``Autobuild``
> +control field unset or set to ``no``, required targets must not attempt
>  network access, except, via the loopback interface, to services on the
>  build host that have been started by the build.

Seconded as well. 

(I think the other version is fine too. Another thought: can't (some) non-free
non-autobuildable packages be taught not to download at build time? I think it should
be encouraged to download only if there is no other way…)

-- 
tobi

> -- 
> Aurelien Jarno  GPG: 4096R/1DDD8C9B
> aurel...@aurel32.net http://aurel32.net




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Sean Whitton
Hello,

On Sat 06 Apr 2024 at 12:15pm +08, Sean Whitton wrote:

> Hi Russ,
>
> We have two seconded solutions, so you and I should perhaps break the
> tie.  I prefer the Bill's 'Autobuild: no' solution as the more
> conservative change: we only have data about packages that are currently
> autobuilt, not those that aren't, so we might be making those buggy if
> we just ban network access for all non-free packages.  How about you?

(It's not actually a tie in terms of number of seconds, but we don't do
this quantitatively.)

-- 
Sean Whitton




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Sean Whitton
Hi Russ,

We have two seconded solutions, so you and I should perhaps break the
tie.  I prefer the Bill's 'Autobuild: no' solution as the more
conservative change: we only have data about packages that are currently
autobuilt, not those that aren't, so we might be making those buggy if
we just ban network access for all non-free packages.  How about you?

-- 
Sean Whitton




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Sam Hartman
> "Aurelien" == Aurelien Jarno  writes:

Aurelien> If we go that route, here is a proposed alternative patch:

Aurelien> --- a/policy/ch-source.rst
Aurelien> +++ b/policy/ch-source.rst
Aurelien> @@ -338,7 +338,8 @@
Aurelien>  For example, the build target should pass 
``--disable-silent-rules``
Aurelien>  to any configure scripts.  See also :ref:`s-binaries`.
 
Aurelien> -For packages in the main archive, required targets must not 
attempt
Aurelien> +Except for packages in the non-free archive with the 
``Autobuild``
Aurelien> +control field unset or set to ``no``, required targets must not 
attempt
Aurelien>  network access, except, via the loopback interface, to services 
on the
Aurelien>  build host that have been started by the build.

Seconded.




Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-05 Thread Aurelien Jarno
On 2024-04-04 22:38, Bill Allombert wrote:
> On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
> > I'm not sure what I think about that.  We have a general escape hatch
> > already for non-free packages in Policy 2.2.3 that says they may not fully
> > comply with Policy, which may be sufficient. 
> 
> But precisely, we _do_ want non-free packages that are built on the autobuilders
> to comply with this requirement. So we do not want 2.2.3 to apply in that
> specific case. It seems cleaner to say that the requirement only applies if
> Autobuild: yes is declared.

If we go that route, here is a proposed alternative patch:

--- a/policy/ch-source.rst
+++ b/policy/ch-source.rst
@@ -338,7 +338,8 @@
 For example, the build target should pass ``--disable-silent-rules``
 to any configure scripts.  See also :ref:`s-binaries`.
 
-For packages in the main archive, required targets must not attempt
+Except for packages in the non-free archive with the ``Autobuild``
+control field unset or set to ``no``, required targets must not attempt
 network access, except, via the loopback interface, to services on the
 build host that have been started by the build.
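Review bot: the added opening clause leaves the sentence with two "except"s ("Except for packages in the non-free archive ... must not attempt network access, except, via the loopback interface ..."), so it is not obvious on first reading which exception qualifies which rule; consider keeping the original sentence intact and adding the carve-out as a separate sentence, e.g. "This requirement does not apply to packages in the non-free archive whose ``Autobuild`` control field is unset or set to ``no``." It would also help to say explicitly that contrib packages are now covered regardless of the field, since that follows only implicitly from dropping the "main archive" qualifier.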

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 01:22:19PM -0700, Russ Allbery wrote:
> I'm not sure what I think about that.  We have a general escape hatch
> already for non-free packages in Policy 2.2.3 that says they may not fully
> comply with Policy, which may be sufficient. 

But precisely, we _do_ want non-free packages that are built on the autobuilders
to comply with this requirement. So we do not want 2.2.3 to apply in that
specific case. It seems cleaner to say that the requirement only applies if
Autobuild: yes is declared.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Russ Allbery
Philipp Kern  writes:
> On 04.04.24 20:51, Bill Allombert wrote:

>> I still think we should allow Autobuild: no as an escape hatch.  If we
>> want to require non-free packages to be autobuildable, we should be more
>> explicit about it (and probably require more feedback from
>> debian-devel).

> There is no requirement for non-free to be autobuildable today. This
> change also does not introduce this, except for everything that is to be
> built on official builders to not require network access.

I think Bill's point is that the section of Policy being changed here
isn't only for autobuilt packages.  It sets general requirements for all
Debian packages, including non-free packages that are never autobuilt, and
therefore arguably prohibits network use during the build of a non-free
package that was never intended to build on the autobuilders, which is a
bit outside the scope of the original motivation for this change.

(I didn't understand that point at first.)

I'm not sure what I think about that.  We have a general escape hatch
already for non-free packages in Policy 2.2.3 that says they may not fully
comply with Policy, which may be sufficient.  Builds that use the network
seem like a bad idea even in non-free packages because it means we may not
be able to rebuild them since all of the relevant data is not in the
Debian source package.

-- 
Russ Allbery (r...@debian.org)  



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Philipp Kern
Hi,

On 04.04.24 20:51, Bill Allombert wrote:
> I still think we should allow Autobuild: no as an escape hatch.
> If we want to require non-free packages to be autobuildable, we should
> be more explicit about it (and probably require more feedback from
> debian-devel).

There is no requirement for non-free to be autobuildable today. This
change also does not introduce this, except for everything that is to be
built on official builders to not require network access.

There are even two stages of allowlisting today (file-based and the dsc
field).

Kind regards
Philipp Kern



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 09:25:36PM +0200, Philipp Kern wrote:
> Hi,
> 
> On 04.04.24 20:51, Bill Allombert wrote:
> > I still think we should allow Autobuild: no as an escape hatch.
> > If we want to require non-free packages to be autobuildable, we should
> > be more explicit about it (and probably require more feedback from
> > debian-devel).
> 
> There is no requirement for non-free to be autobuildable today. This change
> also does not introduce this, except for everything that is to be built on
> official builders to not require network access.

Sorry, could you point me to where the diff limits its scope to "everything
that is to be built on official builders"?

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#1068192: debian-policy: extended forbidden network access to contrib and non-free

2024-04-04 Thread Bill Allombert
On Thu, Apr 04, 2024 at 11:42:34AM -0700, Russ Allbery wrote:
> Tobias Frost  writes:
> > On Wed, Apr 03, 2024 at 10:58:37PM +0200, Aurelien Jarno wrote:
> 
> >> Thanks Philipp. Following that result, please find a patch proposal: 
> >> 
> >> --- a/policy/ch-source.rst
> >> +++ b/policy/ch-source.rst
> >> @@ -338,9 +338,9 @@
> >>  For example, the build target should pass ``--disable-silent-rules``
> >>  to any configure scripts.  See also :ref:`s-binaries`.
> >>  
> >> -For packages in the main archive, required targets must not attempt
> >> -network access, except, via the loopback interface, to services on the
> >> -build host that have been started by the build.
> >> +Required targets must not attempt network access, except, via the
> >> +loopback interface, to services on the build host that have been started
> >> +by the build.
> >>  
> >>  Required targets must not attempt to write outside of the unpacked
> >>  source package tree.  There are two exceptions.  Firstly, the binary
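Review bot: removing the "For packages in the main archive" qualifier widens the rule to every archive area with no carve-out, so non-free packages that are never built on the autobuilders (``Autobuild`` unset) become subject to it as well; if the motivation is builds on the official builders, the text should either say so or keep an escape hatch keyed on the ``Autobuild`` field, and the accompanying changelog entry should record that the scope now includes contrib and non-free.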
> 
> > LGTM, Seconded.
> 
> Also looks good to me.  Seconded.

I still think we should allow Autobuild: no as an escape hatch.
If we want to require non-free packages to be autobuildable, we should
be more explicit about it (and probably require more feedback from
debian-devel).

Cheers,
-- 
Bill. 

Imagine a large red swirl here.