On Feb 23, 2011, at 02:25 PM, Toshio Kuratomi wrote:
> What Barry's talking about is slightly different I think. When running python setup.py test, setup.py may download additional modules that should have been specified in the system package (thus the download should never be tried). This occurs before the software is installed anywhere.
Right on, Toshio.
> For Fedora we deal with this by preventing processes related to the build from making any non-localhost network connections. That doesn't catch things when a packager is building on their local machine, but it does catch things when the package is built on the builders.
> There are two pieces that work on that: 1) The build hosts themselves are configured with a firewall that prevents a lot of packets from leaving the box, and prevents any packets from going to a non-local network. 2) We build in a chroot, and part of chroot construction is to create an empty resolv.conf. This prevents DNS lookups from succeeding and controls the automatic downloading, among other things.
> Neither of these is especially well adapted to being run by a casual packager, but the second (a chroot with empty resolv.conf) could be done without too much trouble (we have a tool called mock that creates chroots; it was based on a tool called mach, which can use apt and might be better for Debian usage). Both 1 and 2 could be performed on a VM if you can get your packagers to go that far or are dealing with a build system rather than individual packagers.
I believe our builders prevent external connections too. I'm not positive about it, but it wouldn't be too difficult to test. Still, as you point out, it's more difficult to enforce with local builders, and that's where packagers are going to be more able to quickly fix any such problems. One difficulty for Debian/Ubuntu local build environments (aside from the fact that there are several ways people do it ;) is that at least with some of the local builders, they *have* to make external connections, e.g. to download build dependencies into the chroot the build is done from. You could of course tightly control that, but given the geographical archive mirroring, it just makes things more complicated. -Barry
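For a packager testing on a local machine without a firewalled builder or a chroot with an empty resolv.conf, a per-process stand-in is to deny name resolution and non-local connections from inside the Python process that runs the test suite, so any module a setup.py test phase tries to download is reported instead of fetched. This is an added example, not code from the thread or from mock; the `downloads.example.invalid` host and `fake_setup_py_test` function are constructed stand-ins.

```python
import socket
from contextlib import contextmanager

class NetworkAccessAttempted(RuntimeError):
    """Raised when code under test tries to reach a non-local host."""

# Destinations that builders still permit (Toshio's "non-localhost" rule).
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

class NetworkGuard:
    def __init__(self):
        self.attempts = []  # (socket function, destination) pairs we blocked

    def blocked(self, func_name, dest):
        self.attempts.append((func_name, dest))
        raise NetworkAccessAttempted(
            f"{func_name} to {dest!r} blocked: declare it as a build dependency")

@contextmanager
def deny_network(guard):
    """Patch DNS lookup and connect() so only local destinations succeed."""
    orig_getaddrinfo, orig_connect = socket.getaddrinfo, socket.socket.connect

    def getaddrinfo(host, *args, **kwargs):
        if host in _LOCAL_HOSTS:
            return orig_getaddrinfo(host, *args, **kwargs)
        guard.blocked("getaddrinfo", host)  # mirrors an empty resolv.conf

    def connect(sock, address):
        # A str address is a UNIX socket; a tuple is (host, port, ...).
        if isinstance(address, str) or address[0] in _LOCAL_HOSTS:
            return orig_connect(sock, address)
        guard.blocked("connect", address[0])

    socket.getaddrinfo, socket.socket.connect = getaddrinfo, connect
    try:
        yield guard
    finally:
        socket.getaddrinfo, socket.socket.connect = orig_getaddrinfo, orig_connect

def run_guarded(test_entry_point):
    """Run a test entry point with the network denied.
    Returns (passed, blocked_attempts); passed is False on the first blocked call."""
    guard = NetworkGuard()
    with deny_network(guard):
        try:
            test_entry_point()
        except NetworkAccessAttempted:
            return False, guard.attempts
    return True, guard.attempts

def fake_setup_py_test():
    # Constructed stand-in for a test suite that fetches a missing module
    # from a hypothetical mirror instead of declaring it as a dependency.
    socket.create_connection(("downloads.example.invalid", 443), timeout=1)
```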