On Wed, Sep 07, 2016 at 09:26:37AM -0700, Russ Allbery wrote:
> Thomas Goirand <z...@debian.org> writes:
> > While I do agree that a package *must* be able to build without Internet
> > access (for example, the test suite should never mandate access to a
> > working DNS, or a query to a google search, both of which are real world
> > cases...), I'm not sure about the severity: serious.
>
> I will go farther: I am quite certain that severity: serious is simply
> wrong for things like this.
>
> I'm sure this is not the only package that attempts to test DNS functions
> by looking up some well-known name. The information leak of looking up a
> well-known DNS name is minimal to nonexistent. (What conclusions is
> someone really going to draw from a query for www.google.com or some
> similar host?) Those test suites should ideally be made robust against
> that DNS query not working, but I don't even see a point in patching out
> attempting to run the test provided that the test tolerates the lack of
> network access to a DNS server. In other words, as long as the test is
> okay with DNS not being available or not having access to public DNS, I
> don't think just attempting the query is a bug of any kind. If the
> current Policy wording says that it is, well, that's a bug in Policy, IMO.

Right. There's a difference between "must not require a network connection in order to build", and "must not access the network during build".

The former should be a serious bug, because if your package requires the network to build, we have a hard time auditing to make sure that the package actually contains the source for what's built. While some failures may "just" be test cases, it's better to enforce a blanket policy that packages should build without a connection to the public Internet rather than waste time figuring out which failures "really" impact the package contents.

The latter is not a serious bug. A build attempting to send packets to the network may be considered a bug, but certainly not a serious one.

If you don't want packages in your build environment talking to the Internet, you take away their network connection, you don't try to use policy to enforce it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
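As an added example that is not part of this thread or of any Debian package: one way to write a DNS-dependent test that behaves the way the quoted text asks for, tolerating a build environment with no network or no reachable DNS server by skipping rather than failing. The well-known name www.google.com is the one mentioned in the quoted text; the helper names `resolve` and `classify` are assumptions made for this example.

```python
"""Added example (not from the mailing-list thread): a DNS-dependent test
that tolerates a build environment without network access, so a missing
resolver produces a skipped test rather than a failed package build."""
import socket
import unittest


def resolve(name: str, port: int = 80):
    """Return the sorted list of addresses for `name`, or None when the
    resolver cannot answer (no network, no reachable DNS server, NXDOMAIN).

    Numeric addresses are handled by getaddrinfo without any DNS traffic,
    which is what makes the offline assertions below deterministic."""
    try:
        infos = socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify(name: str) -> str:
    """'resolved' when addresses came back, 'unavailable' otherwise.
    Test code maps 'unavailable' to a skip, never to a failure."""
    return "resolved" if resolve(name) else "unavailable"


class DnsTests(unittest.TestCase):
    def test_numeric_address_needs_no_dns(self):
        # A literal address is answered locally, so this passes offline.
        self.assertEqual(resolve("127.0.0.1"), ["127.0.0.1"])

    def test_public_name_tolerates_missing_dns(self):
        # The lookup is attempted (no need to patch it out), but a build
        # environment without DNS only skips the test.
        addrs = resolve("www.google.com")
        if addrs is None:
            self.skipTest("public DNS not reachable from build environment")
        self.assertTrue(all("." in a or ":" in a for a in addrs))

    def test_reserved_invalid_tld_never_resolves(self):
        # RFC 2606 reserves .invalid, so this is 'unavailable' with or
        # without network access.
        self.assertEqual(classify("name.invalid"), "unavailable")


if __name__ == "__main__":
    unittest.main()
```

Running this under `python -m unittest` in a network-less build chroot reports the public-name test as skipped; the same file passes unchanged on a developer machine with working DNS, which is the property the thread argues a test suite should have.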