Bug#1037064: maven-verifier depends on downloading sources at build time
tony mancill
tmancill at debian.org
Fri Jun 16 05:52:24 BST 2023
On Sat, Jun 03, 2023 at 12:58:17PM +0200, gregor herrmann wrote:
> On Fri, 02 Jun 2023 21:40:10 -0700, Steve Langasek wrote:
>
> > While this is not a build failure, it does mean building the package has a
> > dependency on software outside of main, which I believe is a serious policy
> > violation.
>
> The network access during build is a policy violation in itself:
>
> 4.9
> …
> For packages in the main archive, required targets must not
> attempt network access, except, via the loopback interface, to
> services on the build host that have been started by the build.

For posterity, I tested locally using network namespaces as described
here [1]. Specifically:

# create a chroot including the build-deps
# (maybe there's an easier way?)
sudo sbuild-createchroot --no-deb-src --chroot-mode=schroot \
    --chroot-prefix=1037064 \
    --include=debhelper,default-jdk,junit4,libeclipse-sisu-maven-plugin-java,libmaven-parent-java,libmaven-resolver-transport-http-java,libmaven-shared-utils-java,libmodello-maven-plugin-java,maven-debian-helper \
    unstable /data/chroot/1037064-amd64-sbuild http://localhost:3142/debian

# create the namespace
sudo ip netns add no-net

# build
sudo ip netns exec no-net sbuild --no-apt-update --no-apt-upgrade \
    --no-apt-distupgrade --no-run-lintian --chroot=1037064-amd64-sbuild

# clean up
/usr/sbin/sbuild-destroychroot 1037064-amd64-sbuild

[1] https://wiki.debian.org/sbuild#Disabling_network_access_for_dpkg-buildpackage
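
A complementary check, added here as an example and not part of the original message: a script that lists the non-loopback hosts named in Maven transfer lines of a saved build log, which is what the policy text quoted above prohibits for required targets. The function names and sample log are constructed, and the script assumes Maven's "Downloading from <id>: <url>" and "Could not transfer artifact" line formats.

```shell
#!/usr/bin/env bash
# Added example (not from the original message): report the non-loopback
# hosts that Maven transfer lines in a build log refer to.

# Constructed sample log; hosts and artifacts are made up for illustration.
sample_log() {
    cat <<'EOF'
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/example/demo/1.0/demo-1.0.pom
[INFO] Downloaded from cache: http://localhost:8081/repository/demo-1.0.jar (3 kB at 1 kB/s)
[INFO] Downloading from proxy: http://127.0.0.1:8081/repository/demo-1.0.pom
[ERROR] Could not transfer artifact org.example:demo:pom:1.0 from/to snapshots (https://repository.example.org/snapshots): Temporary failure in name resolution
[INFO] See https://maven.apache.org/ for documentation
EOF
}

# remote_hosts_in_log FILE
# Prints each distinct non-loopback host, one per line, and returns 1 if any
# was found, 0 otherwise. Loopback URLs are not reported; whether the service
# behind them was started by the build still has to be checked by hand.
remote_hosts_in_log() {
    local hosts
    hosts=$(awk '
        /Download(ing|ed)( from [^:]+)?: / || /Could not transfer artifact/ {
            line = $0
            while (match(line, "https?://[^/ )]+")) {
                host = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                sub("^https?://", "", host)
                sub("^[^@]*@", "", host)            # drop any userinfo
                if (host ~ /^\[/) {                 # bracketed IPv6 literal
                    sub(/^\[/, "", host); sub(/\].*$/, "", host)
                } else {
                    sub(/:[0-9]+$/, "", host)       # drop the port
                }
                if (host !~ /^(localhost|127\.[0-9.]+|::1)$/) print host
            }
        }' "$1" | LC_ALL=C sort -u)
    if [ -z "$hosts" ]; then return 0; fi
    printf '%s\n' "$hosts"
    return 1
}

# With a log file as argument, scan it; with none, only define the functions.
if [ $# -gt 0 ]; then remote_hosts_in_log "$1"; fi
```

A log scan only sees fetches that Maven reports, so it supplements the network-namespace build rather than replacing it.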