Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-27 Thread Pirate Praveen
On Sunday 08 October 2017 05:57 PM, Pirate Praveen wrote: > Though it will require updating npm to a newer version [3] and/or > packaging yarn [4] (both are in progress). Yesterday Sruthi launched a crowd funding campaign to update npm.

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Russ Allbery
Philipp Kern writes: > On 10/04/2017 05:50 AM, Sean Whitton wrote: >> I'm not sure how it could be more explicit: >> For packages in the main archive, no required targets may attempt >> network access. > And then again it should allow for network access (including

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Simon McVittie
On Sun, 08 Oct 2017 at 17:09:13 +0200, Bastian Blank wrote: > On Sun, Oct 08, 2017 at 04:03:22PM +0200, Adam Borowski wrote: > > * link-local > > For which purpose? telepathy-salut (an implementation of a link-local multicast chat protocol) has build-time tests in which the test and

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Simon McVittie
On Sun, 08 Oct 2017 at 17:31:45 +0530, Pirate Praveen wrote: > I always assumed bug reports like this [1] [2] to be caused by failure > in buildd, apparently these builds are not from the official buildd. > > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710940 > [2]

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Bastian Blank
On Sun, Oct 08, 2017 at 04:03:22PM +0200, Adam Borowski wrote: > Yeah, this part should be written more explicitly. > From what I've seen, usual confusion is: > * external traffic on port 53 (people sometimes argue DNS "is not network > access") … to the resolver configured in /etc/resolv.conf

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Adam Borowski
On Sun, Oct 08, 2017 at 01:50:30PM +0200, Philipp Kern wrote: > On 10/04/2017 05:50 AM, Sean Whitton wrote: > > On Tue, Oct 03 2017, Jérémy Lal wrote: > >> It might be a good idea to make policy more explicit about downloads > >> during build. > > I'm not sure how it could be more explicit: > >

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Jeremy Bicha
On Sun, Oct 8, 2017 at 8:27 AM, Pirate Praveen wrote: > If I were to use one of these lock files so build process becomes > reproducible, would it be agreeable for you? (not an immediate option. > but may be possible in future). This has already been mentioned but let

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Pirate Praveen
On Wednesday 04 October 2017 09:57 PM, Gunnar Wolf wrote: > So, what happens currently? Do the affected packages FTBFS? (that, > IMHO, would be a *good* thing, as we would only need to patch Policy > to reflect reality) It seems the FTBFS is not on the official buildds, but other archive wide

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Pirate Praveen
On Thursday 05 October 2017 08:35 AM, Paul Wise wrote: > On Wed, Oct 4, 2017 at 9:17 PM, Pirate Praveen wrote: > >> I regularly get FTBFS when tests that require network access fail on >> buildds. So I'm not sure what is the basis of your assertion. > > Do you have an example build log

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-08 Thread Philipp Kern
On 10/04/2017 05:50 AM, Sean Whitton wrote: > On Tue, Oct 03 2017, Jérémy Lal wrote: >> It might be a good idea to make policy more explicit about downloads >> during build. > I'm not sure how it could be more explicit: > For packages in the main archive, no required targets may attempt >

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-06 Thread gregor herrmann
On Thu, 05 Oct 2017 12:39:42 -0500, Gunnar Wolf wrote: > Ian Jackson said [Thu, Oct 05, 2017 at 01:29:16PM +0100]: > > I have also heard of packages which do "apt-get source" in their rules > > files. [..] > > Of course it would be better if we had a more declarative way of > > saying "this

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Sean Whitton
Hello Ian, On Thu, Oct 05 2017, Ian Jackson wrote: > I'm not sure what you think is wrong with policy. Sean quoted the > statement forbidding network access during build. I believe that Gunnar thinks that this statement should be extended to include contrib. Currently, it covers only main.

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Didier 'OdyX' Raboud
On Thursday, 5 October 2017, 13.29:16 h CEST Ian Jackson wrote: > I have also heard of packages which do "apt-get source" in their rules > files. debian-installer-netboot-images does a similar thing, but it's more of a shell re-implementation of a trust chain check:

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Ian Jackson
Gunnar Wolf writes ("Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"): > Ian Jackson said [Thu, Oct 05, 2017 at 01:29:16PM +0100]: > > I think that both of these activities are reasonable things to do. > > Th

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Gunnar Wolf
Ian Jackson said [Thu, Oct 05, 2017 at 01:29:16PM +0100]: > I have also heard of packages which do "apt-get source" in their rules > files. > > I think that both of these activities are reasonable things to do. > They don't violate the self-containedness of Debian. If they are > technically

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Michael Stone
On Thu, Oct 05, 2017 at 02:42:30PM +0200, Marco d'Itri wrote: On Oct 03, Gunnar Wolf wrote: So, contrib is _explicitly_ meant for software that does not meet the DFSG, not for random stuff that cannot be packaged for convenience or different issues. I am almost sure that

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Marco d'Itri
On Oct 03, Gunnar Wolf wrote: > So, contrib is _explicitly_ meant for software that does not meet the > DFSG, not for random stuff that cannot be packaged for convenience or > different issues. I am almost sure that when I joined the project contrib was also the place for

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Ian Jackson
Gunnar Wolf writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"): > Pirate Praveen said [Wed, Oct 04, 2017 at 04:52:37PM +0530]: > > But debian buildds already prohibit network access during build and > > these packages have to

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-05 Thread Ian Jackson
Simon McVittie writes ("Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"): > As far as I'm aware, they currently don't. Policy says it would be valid > if they did, and some derivatives and unofficial rebuilds actually do >

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Paul Wise
On Wed, Oct 4, 2017 at 9:17 PM, Pirate Praveen wrote: > I regularly get FTBFS when tests that require network access fail on > buildds. So I'm not sure what is the basis of your assertion. Do you have an example build log illustrating this? -- bye, pabs https://wiki.debian.org/PaulWise

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Gunnar Wolf
Pirate Praveen said [Wed, Oct 04, 2017 at 04:52:37PM +0530]: > > However, that verification isn't really sufficient if a rebuild > > on the buildds could download an entirely different version of the > > out-of-archive tools: a sufficiently inventive attacker who had gained > > control over

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Philip Hands
Sean Whitton writes: > Hello Jérémy, > > On Tue, Oct 03 2017, Jérémy Lal wrote: > >> It might be a good idea to make policy more explicit about downloads >> during build. > > I'm not sure how it could be more explicit: > > For packages in the main archive, no

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Pirate Praveen
On Wednesday 04 October 2017 06:28 PM, Simon McVittie wrote: > As far as I'm aware, they currently don't. Policy says it would be valid > if they did, and some derivatives and unofficial rebuilds actually do > so, but the "real" Debian buildds allow network access because otherwise >

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Simon McVittie
On Wed, 04 Oct 2017 at 17:05:03 +0530, Pirate Praveen wrote: > As these packages are always uploaded as binary included and never built > on the buildd (as buildds already prohibit network access during build). As far as I'm aware, they currently don't. Policy says it would be valid if they did,

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Ian Jackson
Pirate Praveen writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing"): > Let's take the two issues separately. > > 1. Whether they are suitable for contrib I don't think that this is what contrib is for. Contrib exists as par

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Antonio Terceiro
On Wed, Oct 04, 2017 at 05:05:03PM +0530, Pirate Praveen wrote: > Because the shown folly is only in theory and it is never in practice. > As these packages are always uploaded as binary included and never built > on the buildd (as buildds already prohibit network access during build). > If I

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Pirate Praveen
On Wednesday 04 October 2017 09:27 AM, Sean Whitton wrote: > This is not a fair response. > > If your work involved fixing bugs in software that is already in the > archive, you could quite fairly call others out for demanding changes, > but not being willing to put in the effort. > > In this

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Pirate Praveen
On Tuesday 03 October 2017 11:04 PM, Gunnar Wolf wrote: > I *do* take note, however, of: > > Examples of packages which would be included in contrib are: > > • free packages which require contrib, non-free packages or packages > which are not in our archive at all for compilation

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Pirate Praveen
On Wednesday 04 October 2017 02:07 PM, Philip Hands wrote: > The problem seems to be that Praveen reads that prohibition as implying > that it is totally OK to do this when not in main. > > This strikes me as equivalent to reading: > > All men are mortal, > Socrates is a man, > > and

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-04 Thread Pirate Praveen
On Tuesday 03 October 2017 03:02 PM, Simon McVittie wrote: > Presumably you verified that at the time *you* built the package, the > out-of-archive tools were of a non-malicious version, and were producing > compiled binaries (minified JavaScript, rather than actually binaries?) > that

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Sean Whitton
Hello Pirate, On Tue, Oct 03 2017, Pirate Praveen wrote: > Alternatively, those who care enough about the issue can help get > these tools into main. I have been doing just that over the last years > (grunt, gulp, babel, jison, webpack to name a few, each with 100s of > dependencies) so many of

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Sean Whitton
Hello Jérémy, On Tue, Oct 03 2017, Jérémy Lal wrote: > It might be a good idea to make policy more explicit about downloads > during build. I'm not sure how it could be more explicit: For packages in the main archive, no required targets may attempt network access. -- Sean Whitton

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Gunnar Wolf
Jérémy Lal said [Tue, Oct 03, 2017 at 07:46:43PM +0200]: > It might be a good idea to make policy more explicit about downloads during > build. I completely agree. This led me to look at #813471 ("network access to the loopback device should be allowed"), and... Well, it seems to set the stage to

Re: Bug#877212: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Jérémy Lal
2017-10-03 19:34 GMT+02:00 Gunnar Wolf : > Pirate Praveen said [Tue, Oct 03, 2017 at 12:12:54PM +0530]: > > > I am completely with Sean here; I read the following messages, and am > > > happy a better resolution was found. But, FWIW, I'll support Sean's > > > interpretation -

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Gunnar Wolf
Pirate Praveen said [Tue, Oct 03, 2017 at 12:12:54PM +0530]: > > I am completely with Sean here; I read the following messages, and am > > happy a better resolution was found. But, FWIW, I'll support Sean's > > interpretation - Contrib and non-free are *not* places where we can > > happily breach

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Simon McVittie
On Tue, 03 Oct 2017 at 12:12:54 +0530, Pirate Praveen wrote: > I cannot accept arbitrary interpretations of policy. When build tools > are not available in main, they cannot go to main, and if the software > itself is Free Software, it can go to contrib. If you disagree, please > get the policy

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-03 Thread Pirate Praveen
On Tuesday 03 October 2017 10:10 AM, Gunnar Wolf wrote: > I am completely with Sean here; I read the following messages, and am > happy a better resolution was found. But, FWIW, I'll support Sean's > interpretation - Contrib and non-free are *not* places where we can > happily breach any bits

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-02 Thread Gunnar Wolf
Sean Whitton said [Sat, Sep 30, 2017 at 12:10:54PM -0700]: > > The whole purpose of having contrib and non-free is to host packages > > that can't be in main, either permanently or temporarily. I fail to > > see how it is against the spirit. > > To my mind, at least, the purpose of contrib and

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-10-01 Thread Pirate Praveen
On Sunday 01 October 2017 01:21 AM, Sean Whitton wrote: > Hello, > > On Sat, Sep 30 2017, Christian Seiler wrote: > >> Ack. Wouldn't it be preferable to just include a copy of the prebuilt >> node-d3-color "binary" alongside its actual source tarball and have >> debian/rules just copy the

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Sean Whitton
Hello, On Sat, Sep 30 2017, Christian Seiler wrote: > Ack. Wouldn't it be preferable to just include a copy of the prebuilt > node-d3-color "binary" alongside its actual source tarball and have > debian/rules just copy the prebuilt "binary" for now? That would > fulfill one of the widely

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Christian Seiler
On 09/30/2017 09:10 PM, Sean Whitton wrote: > On Sun, Oct 01 2017, Pirate Praveen wrote: >> Packaging of rollup is stuck [1] and I can make progress with gitlab >> package with node-d3-color in contrib. Quite a lot of work can happen >> even with gitlab in contrib, like making sure everything is

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Sean Whitton
Hello Pirate, On Sun, Oct 01 2017, Pirate Praveen wrote: > On 09/30/2017 09:26 PM, Sean Whitton wrote: >> To my mind, this complies with the letter of Policy but not its >> spirit. > > The whole purpose of having contrib and non-free is to host packages > that can't be in main, either

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Pirate Praveen
On 09/30/2017 09:26 PM, Sean Whitton wrote: > To my mind, this complies with the letter of Policy but not its spirit. The whole purpose of having contrib and non-free is to host packages that can't be in main, either permanently or temporarily. I fail to see how it is against the spirit. > Could

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Sean Whitton
Hello Pirate, On Sat, Sep 30 2017, Pirate Praveen wrote: > On Friday 29 September 2017 11:04 PM, Jérémy Lal wrote: >> >> Build-Depending on npm is a sign something very wrong, >> policy-breaking, is happening, like downloading a npm module during >> build. > > Hence this is in contrib and

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Bastien Roucaries
On 29 September 2017 19:34:24 GMT+02:00, "Jérémy Lal" wrote: >2017-09-29 19:24 GMT+02:00 Andreas Beckmann : > >> Package: node-d3-color >> Version: 1.0.3-1 >> Severity: serious >> Justification: Build-Depends not satisfiable in testing >> Control: block

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-30 Thread Pirate Praveen
On Friday 29 September 2017 11:04 PM, Jérémy Lal wrote: > > Build-Depending on npm is a sign something very wrong, policy-breaking, > is happening, like downloading a npm module during build. Hence this is in contrib and not main (hence complying with policy), and this is a temporary step

Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D npm not available in testing

2017-09-29 Thread Jérémy Lal
2017-09-29 19:24 GMT+02:00 Andreas Beckmann : > Package: node-d3-color > Version: 1.0.3-1 > Severity: serious > Justification: Build-Depends not satisfiable in testing > Control: block -1 with 857986 > Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9 -10 > Control: reassign -2