Ian Jackson wrote:
> Jonathan Nieder writes ("Re: permit access to apt repositories during
> builds"):

>> My feeling is that this should be an outside-policy carveout, since it
>> makes many applications (e.g., analyzing the build graph, especially
>> when needed for bootstrapping) no longer possible.
>
> I don't really agree with the basic concept of an "outside-policy
> carveout".

That's reasonable. Tool authors may want to know what they can count on, and using policy to document what we need to support, even when it is for a small number of special-case packages, can be useful for that purpose.

One way to limit the harm is to be more explicit about this being a discouraged practice, for example by naming the limited set of use cases where we permit it.

> Also, this is the only way to implement many important and
> useful things.

Can you list some of them?

You mentioned the Xen package not wanting to bother package maintainers to introduce -source packages to build-depend on, and I don't find this particularly compelling --- most package maintainers don't feel bothered when a feature request comes with a patch. ;-)

On the other hand, I do agree with a related reason: a -source package that is only useful for satisfying build-depends clutters up the package list and makes it harder for a system administrator to find the packages they need. So I'd be very happy to see a way to declare a Build-Depends on a source package.

The udeb case seems similar --- it's working around a lack of support for declaring a Build-Depends on a udeb. Am I understanding correctly?

Can we handle the full set of use cases with some improvements in what Build-Depends supports?

> But I think you do have a legitimate concern. I think we probably
> want to add a mechanism for a package to declare (eg in its buildinfo
> or changes maybe?) what it got from apt. What do you think ?

If we're going that far, I think we might as well do a before-the-fact declaration in Build-Depends.

>> Seconded.
>
> Thanks.

Thank you for writing the patch.

Even despite what I've written above, having the existing practice documented seems preferable over leaving it undocumented.

Sincerely,
Jonathan