On Sunday 08 October 2017 05:57 PM, Pirate Praveen wrote:
> Though it will require updating npm to a newer version [3] and/or
> packaging yarn [4] (both are in progress).
Yesterday Sruthi launched a crowd funding campaign to update npm.
Philipp Kern writes:
> On 10/04/2017 05:50 AM, Sean Whitton wrote:
>> I'm not sure how it could be more explicit:
>> For packages in the main archive, no required targets may attempt
>> network access.
> And then again it should allow for network access (including
On Sun, 08 Oct 2017 at 17:09:13 +0200, Bastian Blank wrote:
> On Sun, Oct 08, 2017 at 04:03:22PM +0200, Adam Borowski wrote:
> > * link-local
>
> For which purpose?
telepathy-salut (an implementation of a link-local multicast chat
protocol) has build-time tests in which the test and
On Sun, 08 Oct 2017 at 17:31:45 +0530, Pirate Praveen wrote:
> I always assumed bug reports like this [1] [2] to be caused by failure
> in buildd, apparently these builds are not from the official buildd.
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710940
> [2]
On Sun, Oct 08, 2017 at 04:03:22PM +0200, Adam Borowski wrote:
> Yeah, this part should be written more explicitly.
> From what I've seen, usual confusion is:
> * external traffic on port 53 (people sometimes argue DNS "is not network
> access")
… to the resolver configured in /etc/resolv.conf
On Sun, Oct 08, 2017 at 01:50:30PM +0200, Philipp Kern wrote:
> On 10/04/2017 05:50 AM, Sean Whitton wrote:
> > On Tue, Oct 03 2017, Jérémy Lal wrote:
> >> It might be a good idea to make policy more explicit about downloads
> >> during build.
> > I'm not sure how it could be more explicit:
> >
On Sun, Oct 8, 2017 at 8:27 AM, Pirate Praveen wrote:
> If I were to use one of these lock files so build process becomes
> reproduce-able, would it be agreeable for you? (not an immediate option.
> but may be possible in future).
This has already been mentioned but let
On Wednesday 04 October 2017 09:57 PM, Gunnar Wolf wrote:
> So, what happens currently? Do the affected packages FTBFS? (that,
> IMHO, would be a *good* thing, as we would only need to patch Policy
> to reflect reality)
It seems the FTBFS is not on the official buildds, but other archive
wide
On Thursday 05 October 2017 08:35 AM, Paul Wise wrote:
> On Wed, Oct 4, 2017 at 9:17 PM, Pirate Praveen wrote:
>
>> I regularly get FTBFS when tests that require network access fail on
>> buildds. So I'm not sure what is the basis of your assertion.
>
> Do you have an example build log
On 10/04/2017 05:50 AM, Sean Whitton wrote:
> On Tue, Oct 03 2017, Jérémy Lal wrote:
>> It might be a good idea to make policy more explicit about downloads
>> during build.
> I'm not sure how it could be more explicit:
> For packages in the main archive, no required targets may attempt
>
On Thu, 05 Oct 2017 12:39:42 -0500, Gunnar Wolf wrote:
> Ian Jackson wrote [Thu, Oct 05, 2017 at 01:29:16PM +0100]:
> > I have also heard of packages which do "apt-get source" in their rules
> > files.
[..]
> > Of course it would be better if we had a more declarative way of
> > saying "this
Hello Ian,
On Thu, Oct 05 2017, Ian Jackson wrote:
> I'm not sure what you think is wrong with policy. Sean quoted the
> statement forbidding network access during build.
I believe that Gunnar thinks that this statement should be extended to
include contrib. Currently, it covers only main.
On Thursday, 5 October 2017, 13:29:16 CEST, Ian Jackson wrote:
> I have also heard of packages which do "apt-get source" in their rules
> files.
debian-installer-netboot-images does a similar thing, but it's more of a shell
re-implementation of a trust chain check:
Gunnar Wolf writes ("Re: Bug#877212: [Pkg-javascript-devel] Bug#877212:
node-d3-color: B-D npm not available in testing"):
> Ian Jackson wrote [Thu, Oct 05, 2017 at 01:29:16PM +0100]:
> > I think that both of these activities are reasonable things to do.
> > Th
Ian Jackson wrote [Thu, Oct 05, 2017 at 01:29:16PM +0100]:
> I have also heard of packages which do "apt-get source" in their rules
> files.
>
> I think that both of these activities are reasonable things to do.
> They don't violate the self-containedness of Debian. If they are
> technically
On Thu, Oct 05, 2017 at 02:42:30PM +0200, Marco d'Itri wrote:
On Oct 03, Gunnar Wolf wrote:
So, contrib is _explicitly_ meant for software that does not meet the
DFSG, not for random stuff that cannot be packaged for convenience or
different issues.
I am almost sure that
On Oct 03, Gunnar Wolf wrote:
> So, contrib is _explicitly_ meant for software that does not meet the
> DFSG, not for random stuff that cannot be packaged for convenience or
> different issues.
I am almost sure that when I joined the project contrib was also the
place for
Gunnar Wolf writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color: B-D
npm not available in testing"):
> Pirate Praveen wrote [Wed, Oct 04, 2017 at 04:52:37PM +0530]:
> > But debian buildds already prohibit network access during build and
> > these packages have to
Simon McVittie writes ("Re: Bug#877212: [Pkg-javascript-devel] Bug#877212:
node-d3-color: B-D npm not available in testing"):
> As far as I'm aware, they currently don't. Policy says it would be valid
> if they did, and some derivatives and unofficial rebuilds actually do
>
On Wed, Oct 4, 2017 at 9:17 PM, Pirate Praveen wrote:
> I regularly get FTBFS when tests that require network access fail on
> buildds. So I'm not sure what is the basis of your assertion.
Do you have an example build log illustrating this?
--
bye,
pabs
https://wiki.debian.org/PaulWise
Pirate Praveen wrote [Wed, Oct 04, 2017 at 04:52:37PM +0530]:
> > However, that verification isn't really sufficient if a rebuild
> > on the buildds could download an entirely different version of the
> > out-of-archive tools: a sufficiently inventive attacker who had gained
> > control over
Sean Whitton writes:
> Hello Jérémy,
>
> On Tue, Oct 03 2017, Jérémy Lal wrote:
>
>> It might be a good idea to make policy more explicit about downloads
>> during build.
>
> I'm not sure how it could be more explicit:
>
> For packages in the main archive, no
On Wednesday 04 October 2017 06:28 PM, Simon McVittie wrote:
> As far as I'm aware, they currently don't. Policy says it would be valid
> if they did, and some derivatives and unofficial rebuilds actually do
> so, but the "real" Debian buildds allow network access because otherwise
>
On Wed, 04 Oct 2017 at 17:05:03 +0530, Pirate Praveen wrote:
> As these packages are always uploaded as binary included and never built
> on the buildd (as buildds already prohibit network access during build).
As far as I'm aware, they currently don't. Policy says it would be valid
if they did,
Pirate Praveen writes ("Re: [Pkg-javascript-devel] Bug#877212: node-d3-color:
B-D npm not available in testing"):
> Let's take the two issues separately.
>
> 1. Whether they are suitable for contrib
I don't think that this is what contrib is for. Contrib exists as
par
On Wed, Oct 04, 2017 at 05:05:03PM +0530, Pirate Praveen wrote:
> Because the shown folly is only in theory and it is never in practice.
> As these packages are always uploaded as binary included and never built
> on the buildd (as buildds already prohibit network access during build).
> If I
On Wednesday 04 October 2017 09:27 AM, Sean Whitton wrote:
> This is not a fair response.
>
> If your work involved fixing bugs in software that is already in the
> archive, you could quite fairly call others out for demanding changes,
> but not being willing to put in the effort.
>
> In this
On Tuesday 03 October 2017 11:04 PM, Gunnar Wolf wrote:
> I *do* take note, however, of:
>
> Examples of packages which would be included in contrib are:
>
> • free packages which require contrib, non-free packages or packages
> which are not in our archive at all for compilation
On Wednesday 04 October 2017 02:07 PM, Philip Hands wrote:
> The problem seems to be that Praveen reads that prohibition as implying
> that it is totally OK to do this when not in main.
>
> This strikes me as equivalent to reading:
>
> All men are mortal,
> Socrates is a man,
>
> and
On Tuesday 03 October 2017 03:02 PM, Simon McVittie wrote:
> Presumably you verified that at the time *you* built the package, the
> out-of-archive tools were of a non-malicious version, and were producing
> compiled binaries (minified JavaScript, rather than actually binaries?)
> that
Hello Pirate,
On Tue, Oct 03 2017, Pirate Praveen wrote:
> Alternatively, those who care enough about the issue can help get
> these tools into main. I have been doing just that over the last years
> (grunt, gulp, babel, jison, webpack to name a few, each with 100s of
> dependencies) so many of
Hello Jérémy,
On Tue, Oct 03 2017, Jérémy Lal wrote:
> It might be a good idea to make policy more explicit about downloads
> during build.
I'm not sure how it could be more explicit:
For packages in the main archive, no required targets may attempt
network access.
--
Sean Whitton
Jérémy Lal wrote [Tue, Oct 03, 2017 at 07:46:43PM +0200]:
> It might be a good idea to make policy more explicit about downloads during
> build.
I completely agree. This led me to look at #813471 ("network access to
the loopback device should be allowed"), and... Well, it seems to set
the stage to
2017-10-03 19:34 GMT+02:00 Gunnar Wolf :
> Pirate Praveen wrote [Tue, Oct 03, 2017 at 12:12:54PM +0530]:
> > > I am completely with Sean here; I read the following messages, and am
> > > happy a better resolution was found. But, FWIW, I'll support Sean's
> > > interpretation -
Pirate Praveen wrote [Tue, Oct 03, 2017 at 12:12:54PM +0530]:
> > I am completely with Sean here; I read the following messages, and am
> > happy a better resolution was found. But, FWIW, I'll support Sean's
> > interpretation - Contrib and non-free are *not* places where we can
> > happily breach
On Tue, 03 Oct 2017 at 12:12:54 +0530, Pirate Praveen wrote:
> I cannot accept arbitrary interpretations of policy. When build tools
> are not available in main, they cannot go to main, and if the software
> itself is Free Software, it can go to contrib. If you disagree, please
> get the policy
On Tuesday 03 October 2017 10:10 AM, Gunnar Wolf wrote:
> I am completely with Sean here; I read the following messages, and am
> happy a better resolution was found. But, FWIW, I'll support Sean's
> interpretation - Contrib and non-free are *not* places where we can
> happily breach any bits
Sean Whitton wrote [Sat, Sep 30, 2017 at 12:10:54PM -0700]:
> > The whole purpose of having contrib and non-free is to host packages
> > that can't be in main, either permanently or temporarily. I fail to
> > see how it is against the spirit.
>
> To my mind, at least, the purpose of contrib and
On Sunday 01 October 2017 01:21 AM, Sean Whitton wrote:
> Hello,
>
> On Sat, Sep 30 2017, Christian Seiler wrote:
>
>> Ack. Wouldn't it be preferable to just include a copy of the prebuilt
>> node-d3-color "binary" alongside its actual source tarball and have
>> debian/rules just copy the
Hello,
On Sat, Sep 30 2017, Christian Seiler wrote:
> Ack. Wouldn't it be preferable to just include a copy of the prebuilt
> node-d3-color "binary" alongside its actual source tarball and have
> debian/rules just copy the prebuilt "binary" for now? That would
> fulfill one of the widely
On 09/30/2017 09:10 PM, Sean Whitton wrote:
> On Sun, Oct 01 2017, Pirate Praveen wrote:
>> Packaging of rollup is stuck [1] and I can make progress with gitlab
>> package with node-d3-color in contrib. Quite a lot of work can happen
>> even with gitlab in contrib, like making sure everything is
Hello Pirate,
On Sun, Oct 01 2017, Pirate Praveen wrote:
> On 09/30/2017 09:26 PM, Sean Whitton wrote:
>> To my mind, this complies with the letter of Policy but not its
>> spirit.
>
> The whole purpose of having contrib and non-free is to host packages
> that can't be in main, either
On 09/30/2017 09:26 PM, Sean Whitton wrote:
> To my mind, this complies with the letter of Policy but not its spirit.
The whole purpose of having contrib and non-free is to host packages
that can't be in main, either permanently or temporarily. I fail to see
how it is against the spirit.
> Could
Hello Pirate,
On Sat, Sep 30 2017, Pirate Praveen wrote:
> On Friday 29 September 2017 11:04 PM, Jérémy Lal wrote:
>>
>> Build-Depending on npm is a sign something very wrong,
>> policy-breaking, is happening, like downloading a npm module during
>> build.
>
> Hence this is in contrib and
On 29 September 2017 19:34:24 GMT+02:00, "Jérémy Lal" wrote:
>2017-09-29 19:24 GMT+02:00 Andreas Beckmann :
>
>> Package: node-d3-color
>> Version: 1.0.3-1
>> Severity: serious
>> Justification: Build-Depends not satisfiable in testing
>> Control: block
On Friday 29 September 2017 11:04 PM, Jérémy Lal wrote:
>
> Build-Depending on npm is a sign something very wrong, policy-breaking,
> is happening, like downloading a npm module during build.
Hence this is in contrib and not main (hence complying with policy), and
this is a temporary step
2017-09-29 19:24 GMT+02:00 Andreas Beckmann :
> Package: node-d3-color
> Version: 1.0.3-1
> Severity: serious
> Justification: Build-Depends not satisfiable in testing
> Control: block -1 with 857986
> Control: clone -1 -2 -3 -4 -5 -6 -7 -8 -9 -10
> Control: reassign -2