On 01/05/2020 20:31, Elmar Stellnberger wrote:
> https isn't any more secure than http as long as you do not have a
> verifiably trustworthy server certificate that you can check for. As we
> know the certification authority system is totally broken.
Imperfect yes, but still better than nothing.
> It is a bug
> if a build script tries to download something.
This is already policy (and enforced by blocking network access) for
official Debian package builds: dependencies must be installed by the
package manager, not the build script.
https://www.debian.org/doc/debian-policy/ch-source.html#main-building-script-debian-rules
However, not all of these scripts are build scripts, and not all builds
are .deb builds.
> I do not see any way other than to rewrite these build scripts and pack
> all the necessary sources into the package for compiling it offline.
If you mean vendored dependencies (embedded code copies), that's
specifically *not* recommended, partly because these dependencies might
need a security update.
https://www.debian.org/doc/debian-policy/ch-source.html#embedded-code-copies
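The reply above says the rule is enforced for official builds by blocking network access, and that many of the scripts in question are not .deb builds at all. As an added example, not part of the original thread and not Debian's own tooling, here is a small static pre-check in Python that flags recipe lines in a debian/rules or shell-style build script which look like they fetch from the network. It is a triage aid that complements the real enforcement (a build with no network), not a substitute for it. The command tables, the offline-flag list and the sample debian/rules are assumptions constructed for the example.

```python
"""Heuristic lint for build scripts that reach out to the network.

Added example for this thread; it is not Debian's tooling and not code from
the original message.  It is a static pre-check only: the enforcement the
reply describes is blocking network access for the actual build, which this
script does not replace.  The command tables and the sample debian/rules
below are assumptions / constructed input.
"""
import os
import re
import shlex

# Commands whose whole job is downloading (assumed list, not exhaustive).
FETCH_COMMANDS = {"wget", "curl", "aria2c", "fetch"}
# (command, subcommand) pairs that fetch unless told to work offline.
FETCH_SUBCOMMANDS = {
    ("git", "clone"), ("git", "fetch"), ("git", "pull"),
    ("pip", "install"), ("pip3", "install"), ("pip", "download"),
    ("npm", "install"), ("npm", "ci"), ("yarn", "install"),
    ("go", "get"), ("go", "mod"), ("cargo", "fetch"),
    ("gem", "install"), ("composer", "install"),
}
# Flags that turn the above into local-only operations (assumed list).
OFFLINE_FLAGS = {"--no-index", "--offline", "--frozen"}
WRAPPERS = {"sudo", "env", "nice", "time", "xargs"}
SEPARATORS = {"&&", "||", ";", "|"}
ENV_ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
URL_RE = re.compile(r"\b(?:https?|ftp|git|ssh)://", re.IGNORECASE)


def _split_commands(line):
    """Tokenise one recipe line (comments dropped) and split on && || ; |."""
    line = line.strip().lstrip("@-+")            # make recipe prefixes
    try:
        words = shlex.split(line, comments=True)
    except ValueError:                           # unbalanced quotes
        words = line.split("#", 1)[0].split()
    cmds, cur = [], []
    for w in words:
        if w in SEPARATORS:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(w)
    if cur:
        cmds.append(cur)
    return cmds


def _classify(words):
    """Return a reason string if this simple command looks like a fetch."""
    # Drop leading VAR=value assignments and common wrappers (sudo, env, ...).
    while words and (ENV_ASSIGN_RE.match(words[0]) or words[0] in WRAPPERS):
        words = words[1:]
    if not words:
        return None
    cmd = os.path.basename(words[0])
    if cmd in FETCH_COMMANDS:
        return "downloader: " + cmd
    if len(words) > 1 and (cmd, words[1]) in FETCH_SUBCOMMANDS:
        if OFFLINE_FLAGS.isdisjoint(words):
            return "package/VCS fetch: %s %s" % (cmd, words[1])
        return None                              # explicitly offline
    if any(URL_RE.search(w) for w in words):
        return "URL argument (triage): " + cmd   # may be a harmless option
    return None


def find_network_fetches(text):
    """Scan a make/shell build script; return (lineno, reason, command) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for words in _split_commands(line):
            reason = _classify(words)
            if reason:
                hits.append((n, reason, " ".join(words)))
    return hits


# Constructed sample debian/rules (not from any real package).
SAMPLE_RULES = "\n".join([
    "#!/usr/bin/make -f",
    "export PYBUILD_NAME = demo",
    "",
    "%:",
    "\tdh $@ --with python3",
    "",
    "override_dh_auto_configure:",
    "\t# vendored tarball is already inside the source package",
    "\t./configure --prefix=/usr --with-docs-url=https://docs.example.invalid/",
    "",
    "override_dh_auto_build:",
    "\tcurl -sSL https://example.invalid/deps.tar.gz | tar xz",
    "\t-pip3 install requests",
    "\tpip3 install --no-index --find-links ./wheels requests",
    "\t$(MAKE)",
    "",
    "override_dh_auto_test:",
    "\tPYTHONPATH=. ./run-tests.sh && git fetch origin",
])

if __name__ == "__main__":
    for lineno, reason, cmd in find_network_fetches(SAMPLE_RULES):
        print("line %d: %s: %s" % (lineno, reason, cmd))
```

Downloader and package-manager hits are near-certain policy violations; a bare URL in an argument (the `./configure --with-docs-url=...` line in the sample) only needs a look, which is why it is reported with a separate reason. The `--no-index` pip line is deliberately not reported: installing from wheels shipped in the source package is exactly the offline pattern the thread is asking for. Because this is text matching, a script that builds its download command at runtime will slip past it; only the network-blocked build catches that case.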