Re: Packages removed from frozen
On Wed, Feb 09, 2000 at 05:45:12AM -0600, Manoj Srivastava wrote:
> >>"Marcus" == Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:
>
> Marcus> On Mon, Feb 07, 2000 at 10:20:20PM -0600, Manoj Srivastava wrote:
> >>
> >> gcc would be something that I would be willing to give special
> >> dispensation for - especially since I know it tests itself on
> >> passes 2 and 3. Gcc is, therefore, part of the set of packages we
> >> call build essentials.
> >>
> >> However, this is not a dispensation that should be lightly
> >> given. Bootstrapping from scratch should be kept to a bare minimum of
> >> preinstalled packages -- the build essentials.
>
> Marcus> Sounds easy, but it isn't, unfortunately. There are not only
> Marcus> packages that build-depend on themselves (as compilers),
> Marcus> there are lots of other packages which can't be bootstrapped
> Marcus> within Debian because of longer cycles.
>
> Fair enough. But you realize that these packages can't be
> audited by just looking at the source code -- trojans may be
> propagated unbeknownst to the developers.
Well, for the compilers this is true (and thanks for pointing it out).
For many of the longer cycles, it is only a technical difficulty related
to the simple static packaging rules (you can bootstrap by manually building
packages without all doc formats first, and later recompile to get the full
package).
> I would suggest we document these packages (hence the
> requirement for dispensation -- that way we can be sure all these
> packages are indeed recorded).
Agreed, for the cases where this is relevant (compilers etc., as opposed to
doc formats; see above).
> Marcus> I am all for working out loops and trying to find ways out of them, but
> Marcus> getting anal over this is not going to work for the next time.
>
> Depends on what you mean by going anal. I think we should be
> very anal about recording every one of these security risks. Any less
> would be a disservice to our users.
Yes. Sometimes there is a bootstrap compiler/interpreter available
or similar. In this case this should be documented as well,
and it should be used to bootstrap the compiler on a new port.
Thanks,
Marcus
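The loop hunt that Marcus and Manoj are describing, as an added example (this is not code from the thread or from Debian's own tooling): over a constructed set of Build-Depends records it finds every build-dependency cycle, shows which cycles vanish when the documentation-only build dependencies are dropped for a first pass, lists the packages that still need a recorded dispensation because no source-only bootstrap exists for them, and emits the two-stage build order. The package names, the split of each package's build dependencies into "binaries" and "docs only", and the build-essential set are all assumptions made for the illustration.

```python
"""Added example: find Build-Depends cycles that block bootstrapping from the
build-essential set, and plan a two-stage bootstrap (binaries first, docs later).
The sample data below is constructed for illustration, not taken from Debian."""
from typing import Dict, List, Set, Tuple

# Constructed sample: package -> (deps needed to build the binaries,
#                                  deps needed only to build the documentation)
PACKAGES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "gcc":        ({"gcc", "libc6-dev"}, set()),          # self-hosting compiler
    "libc6-dev":  ({"gcc"}, set()),
    "make":       ({"gcc"}, set()),
    "libfoo-dev": ({"gcc", "make"}, set()),
    "foo":        ({"libfoo-dev", "make"}, {"doctool"}),  # docs need doctool ...
    "doctool":    ({"gcc", "make", "foo"}, set()),        # ... and doctool needs foo
    "ocaml":      ({"ocaml", "gcc"}, set()),              # self-hosting, not build-essential
}
BUILD_ESSENTIAL: Set[str] = {"gcc", "libc6-dev", "make"}  # assumed preinstalled set


def build_graph(packages, with_docs: bool = True) -> Dict[str, Set[str]]:
    """Adjacency map of the Build-Depends graph, optionally dropping doc-only deps."""
    return {pkg: set(core) | (docs if with_docs else set())
            for pkg, (core, docs) in packages.items()}


def tarjan_scc(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Tarjan's algorithm; every cycle lies inside one strongly connected component."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    comps: List[List[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component: pop it
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            comps.append(sorted(comp))

    for v in list(graph):
        if v not in index:
            visit(v)
    return comps


def cycles(packages, with_docs: bool = True) -> List[List[str]]:
    """Build-dependency loops: components of size > 1, or a package needing itself."""
    graph = build_graph(packages, with_docs)
    return sorted(c for c in tarjan_scc(graph)
                  if len(c) > 1 or c[0] in graph.get(c[0], ()))


def needs_dispensation(packages, preinstalled: Set[str]) -> List[str]:
    """Packages in a loop that survives dropping doc deps and is not wholly
    preinstalled: they can only ever be built from a binary that reading the
    source does not vouch for, so each one has to be recorded explicitly."""
    out: Set[str] = set()
    for comp in cycles(packages, with_docs=False):
        if not set(comp) <= preinstalled:
            out.update(comp)
    return sorted(out)


def bootstrap_plan(packages, preinstalled: Set[str]) -> Tuple[List[str], List[str]]:
    """Stage 1: build everything not preinstalled with doc deps dropped, in
    dependency order.  Stage 2: rebuild the packages whose docs were skipped.
    Raises ValueError if some package can never become buildable."""
    core = build_graph(packages, with_docs=False)
    built = set(preinstalled)
    todo = [p for p in packages if p not in built]
    stage1: List[str] = []
    while todo:
        ready = sorted(p for p in todo if core[p] <= built)
        if not ready:
            raise ValueError(f"unbootstrappable without a preinstalled copy: {sorted(todo)}")
        nxt = ready[0]
        stage1.append(nxt)
        built.add(nxt)
        todo.remove(nxt)
    stage2 = sorted(p for p in stage1 if packages[p][1])
    return stage1, stage2


if __name__ == "__main__":
    print("loops with docs:   ", cycles(PACKAGES))
    print("loops without docs:", cycles(PACKAGES, with_docs=False))
    dispensed = needs_dispensation(PACKAGES, BUILD_ESSENTIAL)
    print("need dispensation: ", dispensed)
    print("bootstrap plan:    ", bootstrap_plan(PACKAGES, BUILD_ESSENTIAL | set(dispensed)))
```

On the constructed data the foo/doctool loop is exactly the "doc formats" case: it exists only while the documentation dependency is counted, so stage 1 builds foo without its docs and stage 2 rebuilds it with doctool present. The gcc/libc6-dev loop sits entirely inside the preinstalled build-essential set and is therefore tolerated only because that set is itself the documented exception; ocaml is the kind of package the thread wants recorded, since without a dispensation (or a documented bootstrap compiler for the port) the plan stops with an error rather than silently trusting a binary.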