You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "James E. King III (JIRA)" <ji...@apache.org> on 2019/01/07 21:06:00 UTC

[jira] [Updated] (THRIFT-1439) debian packaging: do not download dependencies during build

     [ https://issues.apache.org/jira/browse/THRIFT-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King III updated THRIFT-1439:
--------------------------------------
    Priority: Minor  (was: Major)

> debian packaging: do not download dependencies during build
> -----------------------------------------------------------
>
>                 Key: THRIFT-1439
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1439
>             Project: Thrift
>          Issue Type: Bug
>          Components: Deployment
>         Environment: any Debian-based OS
>            Reporter: paul cannon
>            Priority: Minor
>              Labels: debian
>
> It is very much against Debian procedure and policy for a package build process to download dependencies from the internet. There are a lot of reasons for this; among them, guaranteed build repeatability, security auditability, non-reliance on websites remaining available, and license auditability.
> The thrift Debian packaging (in contrib/) should use Maven in offline mode, if Maven is actually required for the Java build phase. Build-dependencies should be expressed as a list of Debian packages under "{{Build-Depends:}}" in debian/control.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)