Gunnar Wolf writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"):
> Pirate Praveen said [Wed, Oct 04, 2017 at 04:52:37PM +0530]:
> > But Debian buildds already prohibit network access during build and
> > these packages have to be binary included always. So the theoretical
> > security issue never manifests in practice.
>
> So, what happens currently? Do the affected packages FTBFS? (that,
> IMHO, would be a *good* thing, as we would only need to patch Policy
> to reflect reality)

AIUI right now the packages are not being built on the buildds, because
they've been uploaded with the binaries (which are arch:all). Anyway,
Pirate says he's going to get rid of the downloading at build, so this is
a non-issue for these packages.

I'm not sure what you think is wrong with policy. Sean quoted the
statement forbidding network access during build.

> No. It does not only change the perception. You ship a pre-built
> binary as part of your sources, then the build process (with, yes, a
> piece of untrusted blob... But still, that's as far as we can get)
> will happen across our buildds, or by whoever wants to NMU, or even by
> yourself days or weeks later, with a piece of software known to yield
> the package as it got built. We will not be bitten by a random site
> being unexpectedly offline, or by a transpiler changing some
> command-line options without notifying us (to mention only two
> possible issues)

These are all very good reasons, and including a prebuilt blob in the
source package(s) is clearly much better. But I still think this is not
what contrib/sid is for.

Ian.
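The point the thread turns on is that a package which runs npm or curl from debian/rules builds fine on a developer's machine and only fails on a network-isolated buildd. The script below is an added example, not from the thread, the bug report or any of the packages mentioned: it greps a source tree for build-time fetch commands and reproduces the buildd's no-network rule locally with an unprivileged network namespace. The pattern list FETCH_RE, the helper names and the sample debian/rules and package.json it constructs are all assumptions made here for illustration; only debian/rules and package.json scripts are inspected, and unshare(1) is assumed to be available for the offline build step.

```shell
#!/bin/sh
# Added example (not from the thread): find build-time network fetches in a
# Debian source tree, and run a build the way a buildd does, without network.
# Assumes the usual layout: debian/rules and package.json at the tree root.

# Commands that reach the network during a build. Assumed list; extend it.
FETCH_RE='npm (install|ci|update)|yarn( install)?|pip3? install|curl |wget |git clone|go get'

# find_build_fetches DIR
# Prints "file:line:text" for each fetch found in debian/rules and
# package.json. Returns 0 when the tree is clean, 1 when it would FTBFS on
# a buildd that forbids network access.
find_build_fetches() {
    _dir=$1
    _found=0
    for _f in "$_dir/debian/rules" "$_dir/package.json"; do
        [ -f "$_f" ] || continue
        _m=$(grep -nE "$FETCH_RE" "$_f") && {
            printf '%s\n' "$_m" | sed "s|^|$_f:|"
            _found=1
        }
    done
    return $_found
}

# count_build_fetches DIR: number of matching lines across both files.
count_build_fetches() {
    _n=0
    for _f in "$1/debian/rules" "$1/package.json"; do
        [ -f "$_f" ] || continue
        _c=$(grep -cE "$FETCH_RE" "$_f") || true
        _n=$((_n + _c))
    done
    echo "$_n"
}

# build_offline DIR CMD...: run CMD in DIR with the network removed.
# -r maps the caller to root in a fresh user namespace (no real privilege),
# -n gives an empty network namespace: only an unconfigured loopback, no
# routes, so npm/curl fail here exactly as they would on a buildd.
build_offline() {
    _dir=$1; shift
    command -v unshare >/dev/null 2>&1 || { echo "unshare(1) missing" >&2; return 2; }
    (cd "$_dir" && unshare -rn "$@")
}

# make_sample_tree DIR: constructed sample (not a real package) that does
# what the thread describes: npm install from debian/rules and a curl
# download from an npm script.
make_sample_tree() {
    mkdir -p "$1/debian"
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n\noverride_dh_auto_build:\n\tnpm install\n\tnpm run build\n' \
        > "$1/debian/rules"
    printf '{\n  "name": "sample",\n  "scripts": {\n    "build": "curl -sSL https://example.invalid/vendor.js -o vendor.js"\n  }\n}\n' \
        > "$1/package.json"
}

demo() {
    _d=$(mktemp -d)
    make_sample_tree "$_d"
    echo "build-time fetches in $_d:"
    find_build_fetches "$_d" \
        || echo "=> $(count_build_fetches "$_d") fetch(es); this would FTBFS on a buildd"
    # Uncomment to watch the fetch fail under network isolation:
    # build_offline "$_d" sh -c 'npm install'
    rm -rf "$_d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh check-fetches.sh --demo` to see the two hits in the constructed tree; on a real package, `build_offline . dpkg-buildpackage -us -uc -b` is the quicker way to learn whether the build depends on the network before the buildd tells you.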