Debian Bug report logs - #1037064
maven-verifier depends on downloading sources at build time

Package: src:maven-verifier; Maintainer for src:maven-verifier is Debian Java Maintainers <[email protected]>;

Reported by: Steve Langasek <[email protected]>

Date: Sat, 3 Jun 2023 04:45:02 UTC

Severity: serious

Found in version maven-verifier/1.8.0-1

Fixed in version maven-verifier/1.8.0-2

Done: tony mancill <[email protected]>


Report forwarded to [email protected], Debian Java Maintainers <[email protected]>:
Bug#1037064; Package src:maven-verifier. (Sat, 03 Jun 2023 04:45:04 GMT)


Acknowledgement sent to Steve Langasek <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <[email protected]>. (Sat, 03 Jun 2023 04:45:04 GMT)


Message #5 received at [email protected]:

From: Steve Langasek <[email protected]>
To: [email protected]
Subject: maven-verifier depends on downloading sources at build time
Date: Fri, 2 Jun 2023 21:40:10 -0700
Source: maven-verifier
Version: 1.8.0-1
Severity: serious
Justification: package in main has dependency on external software
User: [email protected]
Usertags: origin-ubuntu mantic

Dear maintainers,

maven-verifier 1.8.0-1 has been failing to build in Ubuntu, because its
build-time tests depend on downloading software from the Internet:

[...]
[ERROR] testWithMavenHome(org.apache.maven.it.Embedded3xLauncherTest)  Time elapsed: 0.581 s  <<< FAILURE!
java.lang.AssertionError: 
exit code unexpected, build log: 
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for org.apache.maven.shared:maven-verifier:1.4-SNAPSHOT: Could not transfer artifact org.apache.maven.shared:maven-shared-components:pom:18 from/to central (https://repo.maven.apache.org/maven2): transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom and 'parent.relativePath' points at wrong local POM @ line 23, column 11
 @ 
[...]

  (https://launchpad.net/ubuntu/+source/maven-verifier/1.8.0-1/+build/26010073)

This fails because Launchpad does not allow network access during package
builds, unlike Debian buildds which usually have network access.

While this is not a build failure, it does mean building the package has a
dependency on software outside of main, which I believe is a serious policy
violation.

libmaven-parent-java ships maven-shared-components-35.pom and maven-verifier
build-depends on libmaven-parent-java.  So perhaps src/test/resources/pom.xml
simply needs updated to point at the current version instead of version 18?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
[email protected]                                     [email protected]

Information forwarded to [email protected], Debian Java Maintainers <[email protected]>:
Bug#1037064; Package src:maven-verifier. (Sat, 03 Jun 2023 11:03:03 GMT)


Acknowledgement sent to gregor herrmann <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <[email protected]>. (Sat, 03 Jun 2023 11:03:03 GMT)


Message #10 received at [email protected]:

From: gregor herrmann <[email protected]>
To: Steve Langasek <[email protected]>, [email protected]
Subject: Re: Bug#1037064: maven-verifier depends on downloading sources at build time
Date: Sat, 3 Jun 2023 12:58:17 +0200
On Fri, 02 Jun 2023 21:40:10 -0700, Steve Langasek wrote:

> While this is not a build failure, it does mean building the package has a
> dependency on software outside of main, which I believe is a serious policy
> violation.

The network access during build is a policy violation in itself:

    4.9
    …
    For packages in the main archive, required targets must not
    attempt network access, except, via the loopback interface, to
    services on the build host that have been started by the build.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   

Message sent on to Steve Langasek <[email protected]>:
Bug#1037064. (Fri, 16 Jun 2023 03:21:02 GMT)


Message #13 received at [email protected]:

From: Tony Mancill <[email protected]>
To: [email protected]
Subject: Bug#1037064 marked as pending in maven-verifier
Date: Fri, 16 Jun 2023 03:19:29 +0000
Control: tag -1 pending

Hello,

Bug #1037064 in maven-verifier reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/maven-verifier/-/commit/c761ab42ddbdd883306e9d72a27096a2123d0752

------------------------------------------------------------------------
Disable tests requiring network access (Closes: #1037064)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1037064



Added tag(s) pending. Request was from Tony Mancill <[email protected]> to [email protected]. (Fri, 16 Jun 2023 03:21:02 GMT)


Reply sent to tony mancill <[email protected]>:
You have taken responsibility. (Fri, 16 Jun 2023 04:27:03 GMT)


Notification sent to Steve Langasek <[email protected]>:
Bug acknowledged by developer. (Fri, 16 Jun 2023 04:27:03 GMT)


Message #20 received at [email protected]:

From: Debian FTP Masters <[email protected]>
To: [email protected]
Subject: Bug#1037064: fixed in maven-verifier 1.8.0-2
Date: Fri, 16 Jun 2023 04:22:00 +0000
Source: maven-verifier
Source-Version: 1.8.0-2
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
maven-verifier, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated maven-verifier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 15 Jun 2023 20:13:15 -0700
Source: maven-verifier
Architecture: source
Version: 1.8.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1037064
Changes:
 maven-verifier (1.8.0-2) unstable; urgency=medium
 .
   * Team upload.
   * Rework tests patch to disable network access (Closes: #1037064)
   * Freshen years in debian/copyright
   * Set Rules-Requires-Root: no in debian/control

Information forwarded to [email protected], Debian Java Maintainers <[email protected]>:
Bug#1037064; Package src:maven-verifier. (Fri, 16 Jun 2023 04:57:03 GMT)


Acknowledgement sent to tony mancill <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <[email protected]>. (Fri, 16 Jun 2023 04:57:03 GMT)


Message #25 received at [email protected]:

From: tony mancill <[email protected]>
To: [email protected]
Subject: Re: Bug#1037064: maven-verifier depends on downloading sources at build time
Date: Thu, 15 Jun 2023 21:52:24 -0700
On Sat, Jun 03, 2023 at 12:58:17PM +0200, gregor herrmann wrote:
> On Fri, 02 Jun 2023 21:40:10 -0700, Steve Langasek wrote:
> 
> > While this is not a build failure, it does mean building the package has a
> > dependency on software outside of main, which I believe is a serious policy
> > violation.
> 
> The network access during build is a policy violation in itself:
> 
>     4.9
>     …
>     For packages in the main archive, required targets must not
>     attempt network access, except, via the loopback interface, to
>     services on the build host that have been started by the build.

For posterity, I tested locally using network namespaces and described
here [1].  Specifically:

# create a chroot including the build-deps
# (maybe there's an easier way?)

sudo sbuild-createchroot --no-deb-src --chroot-mode=schroot \
   --chroot-prefix=1037064 \
   --include=debhelper,default-jdk,junit4,libeclipse-sisu-maven-plugin-java,libmaven-parent-java,libmaven-resolver-transport-http-java,libmaven-shared-utils-java,libmodello-maven-plugin-java,maven-debian-helper \
   unstable /data/chroot/1037064-amd64-sbuild http://localhost:3142/debian

# create the namespace
sudo ip netns add no-net

# build
sudo ip netns exec no-net sbuild --no-apt-update --no-apt-upgrade \
    --no-apt-distupgrade --no-run-lintian --chroot=1037064-amd64-sbuild

# clean up
/usr/sbin/sbuild-destroychroot 1037064-amd64-sbuild

[1] https://wiki.debian.org/sbuild#Disabling_network_access_for_dpkg-buildpackage
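
The failure in the report appears in the build log as a Maven "Downloading from" line that names a remote repository. The script below is an added example, not part of the thread or of the Debian packaging: it scans a saved build log for such lines and lists every host that is not loopback, which is the only access the quoted Policy 4.9 text permits. The function names and the two loopback sample lines are constructed for illustration; the repo.maven.apache.org line is copied from the log quoted in the report.

```shell
#!/bin/sh
# Added example: flag remote Maven repository access recorded in a build log.
# Function names are hypothetical; the sample log below is constructed.

# Print "host count" for every non-loopback host that appears in a
# Maven "Downloading from <repo-id>: <url>" line of the log file $1.
external_fetch_hosts() {
    awk '
        /Downloading from [^ ]+: https?:\/\// {
            host = $0
            sub(/^.*Downloading from [^ ]+: https?:\/\//, "", host)
            if (host ~ /^\[/) {
                sub(/\].*$/, "]", host)      # bracketed IPv6 literal
            } else {
                sub("[/:].*$", "", host)     # drop port and path
            }
            if (host ~ /^(localhost|127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\])$/)
                next                         # loopback is allowed
            count[host]++
        }
        END { for (h in count) print h, count[h] }
    ' "$1" | sort
}

# Return 0 when the log shows no external fetches, 1 otherwise.
check_build_log() {
    hosts=$(external_fetch_hosts "$1")
    [ -z "$hosts" ] && return 0
    printf 'external network access attempted during build:\n%s\n' "$hosts" >&2
    return 1
}

# Constructed sample: first Downloading line is from the report, the rest are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
Downloading from local: http://127.0.0.1:8081/repo/example-1.0.pom
Downloading from local6: http://[::1]:8081/repo/example-1.0.pom
EOF

check_build_log "$SAMPLE_LOG" || echo "build log violates the no-network rule"
```

A log check like this only catches attempts that Maven reports; building inside a network namespace, as in the message above, is what actually blocks the access.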




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 12:50:24 2025; Machine Name: buxtehude
