Bug#1021390: nvda2speechd: downloads source from the network during build
On 10.10.22 22:02, Samuel Thibault wrote:
> > I think in its current state the package is anyway non-free since it
> > does not fulfill the DFSG for the contents it ships in its binary
> > packages.
>
> Ok, let's move it to non-free then.

I admit that I'm surprised that policy 4.9 actually provides a carve-out for this - only targeting network access restrictions to "main":

    For packages in the main archive, required targets must not attempt
    network access, except, via the loopback interface, to services on
    the build host that have been started by the build.

Pulling external code during the build from a package in the archive is still super surprising to me. Do we have other precedents? I can see how it's a pragmatic solution but [1] together with [2] kinda scares me. ;-)

At that point, couldn't we ship the cross-build target compiler prebuilt in non-free? That being said, that would unfortunately still not help with buildds, given that we still don't support build-dependencies on non-free packages unfortunately. :(

Kind regards
Philipp Kern

[1] https://sources.debian.org/src/nvda2speechd/0.1-5/debian/rules/#L29
[2] https://github.com/rust-lang/rustup/issues/2028
Bug#1021390: nvda2speechd: downloads source from the network during build
Control: tag -1 pending

Adrian Bunk, on Mon. 10 Oct. 2022 22:53:22 +0300, wrote:
> On Mon, Oct 10, 2022 at 09:20:52PM +0200, Samuel Thibault wrote:
> > Adrian Bunk, on Mon. 10 Oct. 2022 21:51:25 +0300, wrote:
> > > Control: severity -1 serious
> > >
> > > [ adding debian-wb-team to Cc ]
> > >
> > > On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> > > > Control: severity -1 important
> > > >
> > > > Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > > > > Justification: fails to build from source (but built successfully in
> > > > > the past)
> > > > >
> > > > > During a local rebuild of contrib and non-free (w/o network access
> > > > > permitted), I noticed
> > > >
> > > > It can build the source, just not without the network. That's why it's
> > > > in contrib, not main.
> > >
> > > AFAIK accessing the network from the buildds is simply forbidden.
> >
> > Ok.
> >
> > Can "XS-Autobuild: no" be used to disable building on buildds?
>
> I think in its current state the package is anyway non-free since it
> does not fulfill the DFSG for the contents it ships in its binary
> packages.

Ok, let's move it to non-free then.

> Is there a good reason why the package is packaged this way and not
> in main packaged like other rust packages in the archive?

Because there is no cross-build-to-windows support shipped by Debian
currently, and no plans to do it, details are in #1019234.

Samuel
Bug#1021390: nvda2speechd: downloads source from the network during build
On Mon, Oct 10, 2022 at 09:20:52PM +0200, Samuel Thibault wrote:
> Adrian Bunk, on Mon. 10 Oct. 2022 21:51:25 +0300, wrote:
> > Control: severity -1 serious
> >
> > [ adding debian-wb-team to Cc ]
> >
> > On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> > > Control: severity -1 important
> > >
> > > Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > > > Justification: fails to build from source (but built successfully in
> > > > the past)
> > > >
> > > > During a local rebuild of contrib and non-free (w/o network access
> > > > permitted), I noticed
> > >
> > > It can build the source, just not without the network. That's why it's
> > > in contrib, not main.
> >
> > AFAIK accessing the network from the buildds is simply forbidden.
>
> Ok.
>
> Can "XS-Autobuild: no" be used to disable building on buildds?

I think in its current state the package is anyway non-free since it
does not fulfill the DFSG for the contents it ships in its binary
packages.

Is there a good reason why the package is packaged this way and not
in main packaged like other rust packages in the archive?

> Samuel

cu
Adrian
Bug#1021390: nvda2speechd: downloads source from the network during build
Adrian Bunk, on Mon. 10 Oct. 2022 21:51:25 +0300, wrote:
> Control: severity -1 serious
>
> [ adding debian-wb-team to Cc ]
>
> On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> > Control: severity -1 important
> >
> > Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > > Justification: fails to build from source (but built successfully in the
> > > past)
> > >
> > > During a local rebuild of contrib and non-free (w/o network access
> > > permitted), I noticed
> >
> > It can build the source, just not without the network. That's why it's
> > in contrib, not main.
>
> AFAIK accessing the network from the buildds is simply forbidden.

Ok.

Can "XS-Autobuild: no" be used to disable building on buildds?

Samuel
Bug#1021390: nvda2speechd: downloads source from the network during build
Control: severity -1 serious

[ adding debian-wb-team to Cc ]

On Fri, Oct 07, 2022 at 01:55:41PM +0200, Samuel Thibault wrote:
> Control: severity -1 important
>
> Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> > Justification: fails to build from source (but built successfully in the
> > past)
> >
> > During a local rebuild of contrib and non-free (w/o network access
> > permitted), I noticed
>
> It can build the source, just not without the network. That's why it's
> in contrib, not main.

AFAIK accessing the network from the buildds is simply forbidden.

And what your package does is even worse:
It executes a script downloaded from the internet, compromising the
security of the buildds.

Whoever controls sh.rustup.rs could for example provide a special
version of the script for Debian buildds that tries to find and
upload the private keys used on the buildds.

> Samuel

cu
Adrian
Bug#1021390: nvda2speechd: downloads source from the network during build
Control: severity -1 important

Andreas Beckmann, on Fri. 07 Oct. 2022 13:38:15 +0200, wrote:
> Justification: fails to build from source (but built successfully in the past)
>
> During a local rebuild of contrib and non-free (w/o network access
> permitted), I noticed

It can build the source, just not without the network. That's why it's
in contrib, not main.

Samuel
Bug#1021390: nvda2speechd: downloads source from the network during build
Source: nvda2speechd
Version: 0.1-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

During a local rebuild of contrib and non-free (w/o network access
permitted), I noticed

   debian/rules override_dh_auto_build
make[1]: Entering directory '/build/nvda2speechd-0.1'
blhc: ignore-line-regexp: \ \ \ Compiling .*
# Don't do this at home, kids!
curl --cacert /etc/ssl/certs/Amazon_Root_CA_1.pem --proto '=https' --tlsv1.2 -f https://sh.rustup.rs > rustup.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: sh.rustup.rs
make[1]: *** [debian/rules:27: override_dh_auto_build] Error 6

Andreas
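
Added example, not part of the bug thread or of the nvda2speechd packaging: a small lint that a reviewer could run over a debian/rules file to catch the pattern this report describes, a recipe line that fetches from the network and a later line that runs what was fetched. The function names, the finding labels and the sample file are assumptions made for the illustration; only the comment and curl lines in the sample come from the build log above.

```shell
#!/bin/sh
# Added example: lint a debian/rules file for recipe lines that fetch from
# the network or run a file that an earlier line downloaded.

scan_rules() {   # usage: scan_rules FILE; prints one finding per line
    awk '
    /^[ \t]*#/ { next }                       # skip comment-only lines
    {
        s = $0; sub(/^[ \t@-]+/, "", s)       # drop recipe tab and @ or - prefix
        n = split(s, tok, /[ \t]+/)
        fetch = 0
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^(curl|wget)$/) fetch = 1
        if (fetch) {
            print NR ": network-fetch: " s
            if ((s " ") ~ /\|[ \t]*(sh|bash|dash)[ \t]/)
                print NR ": pipe-to-shell: " s
            # remember where the download is saved: "> FILE" or "-o FILE"
            for (i = 1; i < n; i++)
                if (tok[i] ~ /^(>|-o)$/) saved[tok[i + 1]] = 1
            next
        }
        # a saved file run directly or handed to a shell interpreter
        for (i = 1; i <= n; i++) {
            t = tok[i]; sub(/^\.\//, "", t)
            if ((t in saved) && (i == 1 || tok[i - 1] ~ /^(sh|bash|dash|\.)$/))
                print NR ": runs-downloaded-file: " s
        }
    }' "$1"
}

# Constructed sample. The comment and curl lines are the ones in the build log
# above; "sh rustup.sh" is an assumed way of running the download and
# "dh_auto_build" is filler, neither is taken from the package.
write_sample() {
    printf "%s\n" "override_dh_auto_build:" > "$1"
    printf "\t%s\n" \
        "# Don't do this at home, kids!" \
        "curl --cacert /etc/ssl/certs/Amazon_Root_CA_1.pem --proto '=https' --tlsv1.2 -f https://sh.rustup.rs > rustup.sh" \
        "sh rustup.sh" \
        "dh_auto_build" >> "$1"
}

tmp=$(mktemp)
write_sample "$tmp"
scan_rules "$tmp"
rm -f "$tmp"
```

The check is textual, so it only sees fetches written literally in the rules file; a build run with network access disabled, as in the rebuild that found this bug, remains the authoritative test.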