Jonathan Nieder writes ("Re: permit access to apt repositories during builds"):
> Ian Jackson wrote:
> > See
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813471#126
> > for a more extended rationale for permitting access to sources
> > as well as binaries.
>
> My feeling is that this should be an outside-policy carveout, since it
> makes many applications (e.g., analyzing the build graph, especially
> when needed for bootstrapping) no longer possible.

I don't really agree with the basic concept of an "outside-policy
carveout". Also, this is the only way to implement many important and
useful things.

But I think you do have a legitimate concern. I think we probably
want to add a mechanism for a package to declare (eg in its buildinfo
or changes maybe?) what it got from apt. What do you think?

> Seconded.

Thanks.

> This doesn't mean I like the change. It just means that I think this
> reflects the outcome of the discussion you cited. My understanding is
> that the current policy process doesn't require me to check that the
> main relevant stakeholders among those who haven't spoken up have
> weighed in, since they can propose additional changes to address any
> harms.

I'll let Sean weigh in on process.

Thanks,
Ian.

--
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.