sillystuff 3 hours ago

Debian requires that packages be able to be built entirely offline.

> Debian guarantees every binary package can be built from the available source packages for licensing and security reasons. For example, if your build system downloaded dependencies from an external site, the owner of the project could release a new version of that dependency with a different license. An attacker could even serve a malicious version of the dependency when the request comes from Debian's build servers. [1]

[1] https://wiki.debian.org/UpstreamGuide#:~:text=make%20V=1-,Su...
MarsIronPI 2 hours ago

So do Gentoo and Nix, yet they have packaging separate from the source code. The source is fetched, but the build is sandboxed from the network during the configure, build and install phases. So it's technically possible.
0x457 2 hours ago

All that is required for this to work (building offline) and be immune to all the bad things you wrote: the package build part must contain a checksum of the source code archive and mirror that source code.
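The two ingredients named in that comment, a pinned checksum of the source archive plus a distribution-controlled mirror, are what lets a fetch phase stay safe even when the upstream site starts serving different bytes under the same filename. The script below is an added illustration, not code from any commenter or from Debian, Gentoo or Nix tooling. The archives, the mirror contents and the pinned hash are all constructed in the block so it runs offline; in a real package definition the hash is a literal string recorded at packaging time, and the build step would be the sandboxed configure/build/install with the network cut off.

```python
import hashlib
import hmac

# Constructed stand-ins for a source archive; these are not real project tarballs.
GOOD_ARCHIVE = b"demo-1.0.tar.gz: constructed archive contents\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"#!/bin/sh\necho constructed extra payload\n"

# In a real package definition this is a literal hash pinned when the package
# was created; computing it from the constructed archive keeps the demo offline.
PINNED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

# Simulated mirrors: label -> {archive name -> bytes}. Hypothetically the
# upstream site now serves different bytes under the same filename, while the
# distribution's own mirror still holds the copy that was hashed at packaging time.
MIRRORS = {
    "upstream": {"demo-1.0.tar.gz": TAMPERED_ARCHIVE},
    "distro-mirror": {"demo-1.0.tar.gz": GOOD_ARCHIVE},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_matches(data: bytes, expected_sha256: str) -> bool:
    """True if the archive bytes hash to the pinned value (case-insensitive hex)."""
    # The expected hash is public, so constant-time comparison is hygiene here,
    # not a timing-oracle defence; it costs nothing to use it.
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def fetch_verified(archive_name, expected_sha256, mirrors, order):
    """Return (mirror_label, bytes) for the first mirror whose copy matches the pin.

    A mirror whose copy does not match is skipped and reported; its bytes are
    never handed to the build, regardless of which mirror it is.
    """
    rejected = []
    for label in order:
        data = mirrors.get(label, {}).get(archive_name)
        if data is None:
            rejected.append((label, "missing"))
            continue
        if archive_matches(data, expected_sha256):
            return label, data
        rejected.append((label, sha256_hex(data)))
    raise ValueError(
        f"no mirror served {archive_name} matching sha256 {expected_sha256}: {rejected}"
    )


def build_offline(archive_name, expected_sha256, mirrors, order):
    """Fetch phase (may touch the network) followed by a build phase that sees
    nothing but the verified archive bytes, so the result is reproducible."""
    label, data = fetch_verified(archive_name, expected_sha256, mirrors, order)
    # Stand-in for the sandboxed build: the output is derived from the verified
    # input only, so two builds of the same pinned archive yield the same id.
    output_id = sha256_hex(b"build:" + data)[:16]
    return {"source_mirror": label, "output_id": output_id}


if __name__ == "__main__":
    result = build_offline(
        "demo-1.0.tar.gz", PINNED_SHA256, MIRRORS, ["upstream", "distro-mirror"]
    )
    print(result)  # upstream is rejected; the distro mirror's copy is used
```

Order matters only for which copy is tried first, not for trust: the pinned hash decides, so an upstream that changed its tarball is simply skipped and the build proceeds from the mirrored copy. Losing the mirror while the pin is intact fails closed rather than silently rebuilding from whatever upstream serves today.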