Thomas Goirand <z...@debian.org> writes: > While I do agree that a package *must* be able to build without Internet > access (for example, the test suite should never mandate access to a > working DNS, or a query to a google search, both of which are real world > cases...), I'm not sure about the severity: serious.
I will go farther: I am quite certain that severity: serious is simply wrong for things like this. I'm sure this is not the only package that attempts to test DNS functions by looking up some well-known name. The information leak of looking up a well-known DNS name is minimal to nonexistent. (What conclusions is someone really going to draw from a query for www.google.com or some similar host?) Those test suites should ideally be made robust against that DNS query not working, but I don't even see a point in patching out attempting to run the test provided that the test tolerates the lack of network access to a DNS server. In other words, as long as the test is okay with DNS not being available or not having access to public DNS, I don't think just attempting the query is a bug of any kind. If the current Policy wording says that it is, well, that's a bug in Policy, IMO. Now, that said, assuming that "fail" is not a valid host in the local domain isn't a good assumption and makes the build fragile. My packages that perform a similar test use the DNS name addrinfo-test.invalid to force a failure, which is guaranteed by IANA reservations to not exist. So I think there's legitimately a bug here, but I think it's a bug of normal severity, not some sort of emergency that would otherwise require removing the package from Debian. Full disclosure: several of my packages in the archive have similar tests. Those tests are part of the upstream test suite for the getaddrinfo and getnameinfo replacement functions for OSes that are too old to have them. They check the results of the replacement getaddrinfo function against the results of gethostbyname, and similarly with getnameinfo and gethostbyaddr, and tolerate environments with no DNS by skipping the tests. I intentionally run those tests on all builds, even ones that have getaddrinfo and getnameinfo, because otherwise they would never run for me (I have no ancient hosts around) and I wouldn't know if the portability code bit rotted for some reason. While I could put in some sort of elaborate workaround to avoid running those tests in a Debian package build environment, I see no point in doing so, don't really like the additional complexity, see no particular reason why Debian should require this, and would probably just close any bugs asking for that. (That said, I'm open to being convinced by good arguments.) > I don't think it is a so big issue if a package is doing some network > operation, but doesn't fail building if there's no Internet > connectivity. Exactly. > The only problem (as Christian mentioned) would be a privacy concern in > some cases. In such a case, the severity would be "important", but not > "serious" (ie: probably not serious enough to be an RC bug), and it'd be > nice if the subject of the bug was reflecting the privacy concern rather > than the "no network during build" policy thing (though I can imagine > it'd be harder to file the bug). "normal" is the correct severity, IMO. Even "important" strikes me as significant severity inflation. And it would need a real justification as to why this is a privacy concern, since typically a DNS request that's part of a standard test suite of a free software package would not be one. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>