
Re: Packages removed from frozen



On Wed, Feb 09, 2000 at 05:45:12AM -0600, Manoj Srivastava wrote:
> >>"Marcus" == Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:
> 
>  Marcus> On Mon, Feb 07, 2000 at 10:20:20PM -0600, Manoj Srivastava wrote:
>  >> 
>  >> gcc would be something that I would be willing to give special
>  >> dispensation for - especially since I know it tests itself on
>  >> passes 2 and 3. Gcc is, therefore, part of the set of packages we
>  >> call build essentials.
>  >> 
>  >> However, this is not a dispensation that should be lightly
>  >> given. Bootstrapping from scratch should be kept to a bare minimum of
>  >> preinstalled packages -- the build essentials.
> 
>  Marcus> Sounds easy, but it isn't, unfortunately.  There are not only
>  Marcus> packages that build-depend on themselves (as compilers),
>  Marcus> there are lots of other packages which can't be bootstrapped
>  Marcus> within Debian because of longer cycles.
> 
>         Fair enough. But you realize that these packages can't be
>  audited by just looking at the source code -- trojans may be
>  propagated unbeknownst to the developers.

Well, for the compilers this is true (and thanks for pointing that out).
For many of the longer cycles, it is only a technical difficulty related
to the simple static packaging rules (you can bootstrap by manually building
packages without all doc formats first, and later recompile to get the full
package).

>         I would suggest we document these packages (hence the
>  requirement for dispensation -- that way we can be sure all these
>  packages are indeed recorded).

Agreed, for the cases where this is relevant (compilers etc., as opposed to
doc formats, see above).

>  Marcus> I am all for working out loops and trying to find ways out of them, but
>  Marcus> getting anal over this is not going to work for the next time.
> 
>         Depends on what you mean by going anal. I think we should be
>  very anal about recording every one of these security risks. Any less
>  would be a disservice to our users.

Yes. Sometimes there is a bootstrap compiler/interpreter available
or similar. In this case this should be documented as well,
and it should be used to bootstrap the compiler on a new port.

Thanks,
Marcus
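
The distinction drawn in this message, between compilers that build-depend on themselves and longer cycles that a staged build without doc formats can break, as an added example that is not part of the original message or of Debian's tooling. The package names and dependency lists are constructed for illustration, and `cycles` and `without` are hypothetical helper names.

```python
# Constructed sample data: not real Debian Build-Depends.
BUILD_DEPENDS = {
    "gcc": ["gcc", "binutils"],      # compiler that build-depends on itself
    "binutils": ["gcc"],
    "libfoo": ["gcc", "docfmt"],     # longer cycle through a doc formatter
    "docfmt": ["gcc", "libfoo"],
    "hello": ["gcc", "libfoo"],      # uses cyclic packages, is in no cycle itself
}

def cycles(graph):
    """Return build-dependency cycles as sorted lists (Tarjan's SCC algorithm)."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, []):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:           # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            # A lone package is a cycle only if it build-depends on itself.
            if len(comp) > 1 or v in graph.get(v, []):
                out.append(sorted(comp))

    for v in sorted(graph):
        if v not in index:
            visit(v)
    return sorted(out)

def without(graph, optional):
    """Staged build: drop (package, build-dep) edges needed only for optional output."""
    return {p: [d for d in deps if (p, d) not in optional] for p, deps in graph.items()}

if __name__ == "__main__":
    print("cycles to document:", cycles(BUILD_DEPENDS))
    staged = without(BUILD_DEPENDS, {("libfoo", "docfmt")})
    print("left after building libfoo without docs:", cycles(staged))
```

The cycle that survives the staged build is the one that cannot be audited from source alone and would need the recorded dispensation.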

