by prepperdev 1991 days ago
Debian policy is very sane (no network access during build), but it does seem like modern software just assumes that the Internet is always available, and all dependencies (including transitive) are out there.

The assumption is a bit fragile, as proven by the left-pad incident ([1]). I hope that whatever the outcome of the discussion in Debian will be, it would keep the basic policy in place: not relying on things outside of the immediate control during package builds.

1. https://evertpot.com/npm-revoke-breaks-the-build/

4 comments

Debian is incredibly conservative about versioning/updates and faces a lot of pressure to move faster. I hope they keep the same pace or even slow down.

The world will keep turning.

> Debian policy is very sane (no network access during build)

openSUSE has that policy, too. And I’m pretty sure the same applies for Fedora.

You don’t want to rely on external dependencies during build that you can’t control.

That would be a huge security problem.

The whole "download during build" thing is a minor issue; k8s, for example, puts all their dependencies in the /vendor/ directory, and AFAIK many toolchains support this or something like it. And even if they don't, this is something that can be worked around in various ways.

The real issue is whether or not to use that vendor directory, or to always use generic Debian-provided versions of those dependencies, or some mix of both. This is less of a purely technical issue like the above, and more of a UX/"how should Debian behave"-kind of issue.
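As an added example (not code from the thread or from any of the projects mentioned), here is a pre-build gate for a Go project that vendors its dependencies the way k8s does: it checks that every module required in `go.mod` is actually present in `vendor/modules.txt`, then runs the build with Go's module downloads disabled and, where `unshare` exists, inside an empty network namespace, so the "no network during build" rule is enforced rather than assumed.

```shell
# Added example (not from the thread): a pre-build gate for a Go project that
# keeps its dependencies in vendor/, as k8s does. It enforces the
# "no network during build" rule from the policy discussed above rather than
# trusting that every transitive dependency is still downloadable.

# List the modules in go.mod's require block(s) as "path version" lines.
required_modules() {
    awk '
        /^require \(/ { in_block = 1; next }
        in_block && /^\)/ { in_block = 0; next }
        in_block && NF >= 2 && $1 !~ /^\/\// { print $1, $2 }
        /^require [^(]/ { print $2, $3 }
    ' "$1/go.mod"
}

# Return 0 when vendor/modules.txt records every required module at the
# required version; otherwise print the missing ones and return 1, so the
# build fails before it could ever reach for the network.
check_vendor_complete() {
    dir=$1
    [ -f "$dir/vendor/modules.txt" ] || { echo "no vendor/modules.txt" >&2; return 1; }
    missing=$(required_modules "$dir" | while read -r path version; do
        grep -qxF -- "# $path $version" "$dir/vendor/modules.txt" || echo "$path $version"
    done)
    if [ -n "$missing" ]; then
        printf 'not vendored:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Build with every download path closed: GOPROXY=off turns any module fetch
# into a hard error, -mod=vendor forces the vendor tree, and when unshare is
# available the build runs in a fresh network namespace with no usable
# interfaces, so even a tool that ignores GOPROXY cannot reach out.
offline_build() {
    dir=$1
    check_vendor_complete "$dir" || return 1
    if command -v unshare >/dev/null 2>&1; then
        (cd "$dir" && GOPROXY=off GOFLAGS=-mod=vendor unshare -rn go build ./...)
    else
        (cd "$dir" && GOPROXY=off GOFLAGS=-mod=vendor go build ./...)
    fi
}

# usage: offline_build /path/to/project
```

The manifest check does not model `replace` directives; `go build -mod=vendor` still performs the authoritative consistency check, this gate just fails earlier and names the missing modules.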

I don't think that aspect of Debian Policy is in any danger of changing, nor should it.
It’s also not very Debian-specific. It applies to openSUSE as well, for example.