[adding -devel]

On 05/05/2025 2:49 pm, Bill Allombert wrote:
> On Sat, May 03, 2025 at 09:11:21PM +0530, Pirate Praveen wrote:
>> Package: debian-policy
>> Version: 4.7.2.0
>
> Dear Pirate,
>
>> Control: block 1104509 by -1
>
> As a general policy, such a block is inappropriate. Packages are supposed to comply with policy at the time they are uploaded. They cannot depend on future potential policy update.

It was more like a reference, as the other option to declare relationship is affects, which only allows mentioning a package and not a specific bug.

>> Current policy text says:
>>
>> Except for packages in the non-free archive with the Autobuild control field unset or set to no, required targets must not attempt network access, except, via the loopback interface, to services on the build host that have been started by the build.
>>
>> I think it should be changed to,
>>
>> Except for packages in the non-free archive with the Autobuild control field unset or set to no, required targets must not require network access, except, via the loopback interface, to services on the build host that have been started by the build.
>>
>> I think enforcing there is no internet access is a better way to achieve the goal of actually ensuring there is no internet during build rather than considering packages that can use internet when available for tests as rc buggy.
>
> I disagree. This was not the consensus at the time I made this change to policy, and I do not think it is the consensus now. We want more reproducible builds, not depending on external resources that are bound to change, and not being tracked via server logs. In your case building the package with internet access
> - fails if timestamp.digicert.com is down
> - leaks the system IP to DIGICERT

I think we have to consider the test target in rules differently from build targets, as the effect of these on the final binaries we ship is different.

I agree the current policy fits well when applied to the build target, as we don't want to ship anything not present in / built from the source package.

But anything run in the test target does not affect the final binaries. The only difference it makes is that more functionalities are tested. Because of the current policy we are unable to test any functionality that needs an internet connection. So I think the current policy is hiding potential problems that could be discovered early if these tests were actually run during build.

> Completely disabling access to internet during a build is harder than it sounds.

I think the sbuild unshare backend does this by default (correct me if I am wrong). I think trying to work around this limitation is actually hurting the quality of our packages, since we are skipping many tests entirely due to this policy restriction.

I don't think we should be skipping these tests in salsa ci or debci. In my opinion, only buildd needs to enforce the no internet during build restriction.

Cheers,