Lucas Nussbaum wrote:
> Some packages (e.g. choose-mirror) fetch a newer version of a file during
> build if it's possible to fetch that file. I don't think this is RC,
> since the file is not missing from the package if the network is not
> available.
>
In general, I strongly suspect that fetching updated source during build is RC due to a violation of the Social Contract: the source we are shipping intentionally does not correspond to the binary package.

I'm not sure if the above applies to choose-mirror. In particular, if the file shipped in the binary is its own source, then it doesn't. However, I'd still say it's a bad idea, and a bug (maybe even RC).

Some more general reasons (not all necessarily apply to choose-mirror):

* changes to the package are not reflected in the changelog
* random network or remote server issues can cause a broken (or worse) build. What happens if the file on the server is corrupted?
* builds are no longer repeatable. Different source may even wind up built on different architectures.
* the package is much harder to NMU. What should be a spelling fix suddenly becomes a large change (due to the automated source pull), unbeknown to the NMU-er. Same problem for the security team.
* the supposedly-signed source package isn't really; it's pulling unsigned source for the build

Also, depending on what is being downloaded from the network, there could be security issues. What happens if the server is compromised?