
Re: Packages removed from frozen



Manoj Srivastava <srivasta@debian.org> writes:

>  Craig> I think that removing packages for this would be ludicrous.
> 
>         Really? Difficult, maybe, politically hard, maybe. But
>  ludicrous? That's very narrow minded of you.

No, ludicrous still.  Not politically hard, politically impossible.
Not difficult, impossible.  Ludicrous because it's like biting our
nose off to spite our face.  There are so many circular dependencies
in the build process that taking out packages that depend on
themselves will accomplish nothing as far as making Debian buildable
from nothing but source.  Ludicrous because it basically cuts out all
packages that are developed in a rather common pattern;
self-bootstrapping compilers and systems are considered elegant by
many, especially language designers.

Now, an exception list, or some other way to indicate which packages
require themselves is not ludicrous, and seems to fit right in with
what Build-Depends is supposed to do anyways.

>         So how many packages are we talking about now? I still think
>  that any package that requires a circular build depends should be
>  in an exempted package list somewhere. In fact, it is so hard to
>  track trojans (has everyone forgotten pike hack of the C compiler
>  that inserted code in binary copies of itself and login to always
>  allow him to log in?), that I would like to see a list of these
>  packages generated for the Security FAQ.

Why another list when Build-Depends does this already?

Your security argument is a strawman.  The source code is still there,
and the binaries are signed by a Debian maintainer.  No more threat
than any other package in Debian.  One could always reproduce the
bootstrapping from source.  If you do feel compelled to pursue this, I
have no real problem with that, as it's your time and others' that
would be wasted, and not mine.  It might be interesting to see such a
list regardless of its location anyways, to see how pervasive
self-bootstrapping is.

>         So stay out of the discussion. Evil grin. And us others can
>  have our way.

I'm not worried that this would ever be accepted, so except for
dogging your butt and making life hell for you I'll drop out!  No,
just kidding Manoj, I have no intention of dogging you or anyone else
actually, as that would also be ludicrous 8^)

-- 
Craig Brozefsky                      <craig@red-bean.com>
Free Scheme/Lisp Software  http://www.red-bean.com/~craig
"Hiding like thieves in the night from life, illusions of 
oasis making you look twice.   -- Mos Def and Talib Kweli
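
As an added illustration (not part of the original message or of any Debian tool): one way to derive the list of self-bootstrapping packages discussed above directly from Build-Depends data. The stanzas are constructed sample input in Sources-file style, and the function names are hypothetical.

```python
import re

# Constructed Sources-style stanzas (sample data, not real archive contents).
SAMPLE_SOURCES = """\
Package: toy-compiler
Binary: toy-compiler, toy-compiler-doc
Build-Depends: debhelper (>= 9), toy-compiler (>= 1.0) | toy-bootstrap,
 libfoo-dev [amd64]

Package: toy-editor
Binary: toy-editor
Build-Depends: debhelper (>= 9), toy-compiler

Package: toy-lisp
Binary: toy-lisp, toy-lisp-source
Build-Depends-Indep: toy-lisp-source
"""

NAME = re.compile(r"[a-z0-9][a-z0-9+.-]*")
BUILD_FIELDS = ("Build-Depends", "Build-Depends-Indep", "Build-Depends-Arch")

def parse_stanzas(text):
    """Yield one dict per stanza, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def dep_names(field):
    """Names in a dependency field; versions, arch lists and '|' alternatives are flattened."""
    found = (NAME.match(alt.strip()) for alt in re.split(r"[,|]", field))
    return {m.group(0) for m in found if m}

def self_build_depends(text):
    """Map each source package to its own binaries that it needs in order to build."""
    result = {}
    for st in parse_stanzas(text):
        own = dep_names(st.get("Binary", "")) | {st.get("Package", "")}
        needed = set().union(*(dep_names(st.get(f, "")) for f in BUILD_FIELDS))
        if own & needed:
            # Alternatives are counted too, so reviewers see every self-reference.
            result[st["Package"]] = sorted(own & needed)
    return result
```

On the sample input, `self_build_depends(SAMPLE_SOURCES)` reports `toy-compiler` and `toy-lisp` but not `toy-editor`, which only depends on another package's compiler.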

