Bug#1037064: maven-verifier depends on downloading sources at build time

2023-06-15 Thread tony mancill
On Sat, Jun 03, 2023 at 12:58:17PM +0200, gregor herrmann wrote:
> On Fri, 02 Jun 2023 21:40:10 -0700, Steve Langasek wrote:
> 
> > While this is not a build failure, it does mean building the package has a
> > dependency on software outside of main, which I believe is a serious policy
> > violation.
> 
> The network access during build is a policy violation in itself:
> 
> 4.9
> …
> For packages in the main archive, required targets must not
> attempt network access, except, via the loopback interface, to
> services on the build host that have been started by the build.

For posterity, I tested locally using network namespaces and described
here [1].  Specifically:

# create a chroot including the build-deps
# (maybe there's an easier way?)

sudo sbuild-createchroot --no-deb-src --chroot-mode=schroot \
   --chroot-prefix=1037064 \
   --include=debhelper,default-jdk,junit4,libeclipse-sisu-maven-plugin-java,libmaven-parent-java,libmaven-resolver-transport-http-java,libmaven-shared-utils-java,libmodello-maven-plugin-java,maven-debian-helper \
   unstable /data/chroot/1037064-amd64-sbuild http://localhost:3142/debian

# create the namespace
sudo ip netns add no-net

# build
sudo ip netns exec no-net sbuild --no-apt-update --no-apt-upgrade \
--no-apt-distupgrade --no-run-lintian --chroot=1037064-amd64-sbuild

# clean up
/usr/sbin/sbuild-destroychroot 1037064-amd64-sbuild

[1] https://wiki.debian.org/sbuild#Disabling_network_access_for_dpkg-buildpackage

Bug#1037064: maven-verifier depends on downloading sources at build time

2023-06-03 Thread gregor herrmann
On Fri, 02 Jun 2023 21:40:10 -0700, Steve Langasek wrote:

> While this is not a build failure, it does mean building the package has a
> dependency on software outside of main, which I believe is a serious policy
> violation.

The network access during build is a policy violation in itself:

4.9
…
For packages in the main archive, required targets must not
attempt network access, except, via the loopback interface, to
services on the build host that have been started by the build.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   


Bug#1037064: maven-verifier depends on downloading sources at build time

2023-06-02 Thread Steve Langasek
Source: maven-verifier
Version: 1.8.0-1
Severity: serious
Justification: package in main has dependency on external software
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu mantic

Dear maintainers,

maven-verifier 1.8.0-1 has been failing to build in Ubuntu, because its
build-time tests depend on downloading software from the Internet:

[...]
[ERROR] testWithMavenHome(org.apache.maven.it.Embedded3xLauncherTest)  Time 
elapsed: 0.581 s  <<< FAILURE!
java.lang.AssertionError: 
exit code unexpected, build log: 
[INFO] Scanning for projects...
Downloading from central: 
https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for 
org.apache.maven.shared:maven-verifier:1.4-SNAPSHOT: Could not transfer 
artifact org.apache.maven.shared:maven-shared-components:pom:18 from/to central 
(https://repo.maven.apache.org/maven2): transfer failed for 
https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
 and 'parent.relativePath' points at wrong local POM @ line 23, column 11
 @ 
[...]

  (https://launchpad.net/ubuntu/+source/maven-verifier/1.8.0-1/+build/26010073)

This fails because Launchpad does not allow network access during package
builds, unlike Debian buildds which usually have network access.

While this is not a build failure, it does mean building the package has a
dependency on software outside of main, which I believe is a serious policy
violation.

libmaven-parent-java ships maven-shared-components-35.pom and maven-verifier
build-depends on libmaven-parent-java.  So perhaps src/test/resources/pom.xml
simply needs to be updated to point at the current version instead of version 18?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org

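A quick check on a Maven build log for the kind of fetch quoted in the report above, added here as an example (it is not code from the bug thread or from maven-verifier). It scans for the resolver's "Downloading from"/"Downloaded from" lines and flags any whose host is not loopback, which is the only network access Policy 4.9 permits; the regex, helper names and the sample log are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Maven's resolver reports remote fetches as
#   Downloading from <repo-id>: <url>
#   Downloaded from <repo-id>: <url> (<size> at <rate>)
# The pattern and function names below are this example's own, not Maven's API.
MAVEN_FETCH_RE = re.compile(r"Download(?:ing|ed) from (?P<repo>\S+): (?P<url>\S+)")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_loopback(url: str) -> bool:
    """True if the URL targets the loopback interface (the one case Policy 4.9 allows)."""
    host = urlparse(url).hostname or ""
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def find_external_fetches(log_text: str) -> list[tuple[str, str]]:
    """Return (repo-id, url) pairs for every artifact fetch that leaves loopback."""
    hits = []
    for line in log_text.splitlines():
        m = MAVEN_FETCH_RE.search(line)
        if m and not is_loopback(m.group("url")):
            hits.append((m.group("repo"), m.group("url")))
    return hits


# Constructed sample log: the first fetch is the line quoted in the bug report
# (re-joined onto one line); the second goes to a repository manager on the
# build host via loopback, which policy permits and so is not reported.
SAMPLE_LOG = """\
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
Downloaded from local-mirror: http://127.0.0.1:8081/repository/maven-public/junit/junit/4.13.2/junit-4.13.2.pom (2.3 kB at 1.1 MB/s)
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
"""

if __name__ == "__main__":
    for repo, url in find_external_fetches(SAMPLE_LOG):
        print(f"external fetch via repository '{repo}': {url}")
```

Running it over a real build log (for example the one Launchpad links above) lists exactly the fetches that a network-less build such as the ip-netns run earlier in the thread would refuse.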