Simon McVittie writes ("Re: Bug#877212: [Pkg-javascript-devel] Bug#877212:
node-d3-color: B-D npm not available in testing"):
> As far as I'm aware, they currently don't. Policy says it would be valid
> if they did, and some derivatives and unofficial rebuilds actually do
> so, but the "real" Debian buildds allow network access because otherwise
> debian-installer wouldn't work. (This is a known and long-standing Policy
> violation, but nobody is sure how else to make d-i builds work, and at
> least they only download known-good files from Debian infrastructure;
> d-i is a really weird package anyway.)
I have also heard of packages which do "apt-get source" in their rules
files.
I think that both of these activities are reasonable things to do.
They don't violate the self-containedness of Debian. If they are
technically forbidden by policy then policy should be changed. There
should be an exception saying that a package build may access the
Debian archive (and ideally it should specify how this should be
done.) If someone cares enough to document this situation then they
can file the bug against policy.
Of course it would be better if we had a more declarative way of
saying "this package needs foo.deb to build - and we mean the .deb,
not for foo to be installed", and the corresponding "this package
needs the source code for bar". But this is rather a niche, and it
doesn't seem to cause trouble in practice. So AFAICT it's no-one
priority.
Ian.
