[pkg-go] Bug#830209: Bugs: "accesses the internet during build" -- strongly disagree on severity
Dmitry Smirnov
onlyjob at debian.org
Mon Jul 11 11:17:45 UTC 2016
On Monday, 11 July 2016 9:59:58 AM AEST Chris Lamb wrote:
> I guess our differences on this issue are three-fold:
I thought the only difference is the issues' severity...
> Firstly, network access is not harmless in that, at the very least, it
> leaks the privacy of the developer building something, failing some
> variation of the DFSG "dissident" test.
No disagreement here. Yet I had to remind you that the build environment is
offline, hence this is only a little problem.
> (Furthermore, network access can naturally lead to vulnerabilities,
> although I'm not claiming that any of the CC'd packages are doing so, am
> speaking only to the principle.)
Noted. I'm not against fixing the problem but there are more important issues
to prioritise.
> Secondly, retaining such tests provides little value as checks of the
> correct functioning of the package given that the package does not FTBFS if
> network access is restricted entirely.
Correct. However, removing those tests is an effort that can be done without
rush.
> In this sense, they engender a false sense of security about the correct
> working of the package which is, again, not harmless from a quality
> assurance point of view.
The trade-off is simple: either disable tests entirely or (for now) ignore some
tests that try to access the network from an offline environment. I certainly
prefer the latter until I can find time to selectively disable tests. I
certainly do not want issues with inflated severity in my queue...
> Lastly, they aren't really "post-build" as you suggest - they are surely an
> integral part of build.
Yes, _optional_ part of the build. ;) We don't have to run 'em but we want
to.
> I really don't like to be a stickler for quoting Policy (and using that as
> a blunt and inflexible instrument of change/agenda), but I guess that
> redefining tests as "post-build" does have the sneaky advantage in that
> they aren't simple obvious violations of the paragraph in question. :)
To me it looks more like a bureaucratic exercise in enforcing policy:
"prisoners should not attempt to leave locked cells" while the reality is that
they can _try_ but the attempt would be futile.
I recognise the problems and I agree to fix them, but I am not convinced that
those issues should be treated with the highest priority. One way or another,
the practical implications are mild. I hope it makes sense...
--
All the best,
Dmitry Smirnov.
---
Men can only be happy when they do not assume that the object of life is
happiness.
-- George Orwell