opened 12:19PM - 06 Mar 24 UTC
`dpkg-buildpackage -b -d --no-sign`
```
go: downloading golang.org/x/exp v0.0.…0-20240222234643-814bf88cf225
go: downloading github.com/arduino/go-paths-helper v1.12.0
go: downloading github.com/pkg/errors v0.9.1
```
This is probably a blocker for `apparmor.d` to be eligible to be added to `packages.debian.org`.
Quote https://wiki.debian.org/buildd
> no network -- most buildds will have no network access available. Your package build+test process must not attempt to use the network or assume that any network interface is available.
More references:
* https://lists.debian.org/debian-devel/2016/09/msg00082.html
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830568
* https://www.debian.org/doc/debian-policy/policy.pdf
* > For packages in the main archive, required targets must not attempt network access, except, via the loopback interface, to services on the build host that have been started by the build.
Ubuntu might inherit the same policy.
Fedora has a similar policy. Quote https://docs.fedoraproject.org/en-US/packaging-guidelines/#_build_time_network_access
> Packages in the Fedora buildsystem are built in a mock chroot with no access to the internet. Packages must not depend on or use any network resources that they don’t themselves create (i.e., for tests). In no cases should source code be downloaded from any external sources, only from the lookaside cache and/or the Fedora git repository.
It can be assumed that many other distributions have similar policies.
Embedded code copies are also not permissible in Debian as per:
https://wiki.debian.org/EmbeddedCopies
So what is the right way to package this? I don't know. For Debian, most likely, all build and runtime dependencies would need to be packaged and uploaded to `packages.debian.org` separately. Ideally, apparmor.d would not require any dependencies unavailable from official distribution package repositories.
For Kicksecure, Whonix, the same policies have been inherited.
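
The check below is an added example, not part of the issue or of the apparmor.d project: it scans a saved build log for the `go: downloading` lines shown above and lists each module the build fetched, which is also the list of dependencies that would have to be available as distribution packages. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect Go module downloads in a package build log.

# list_go_downloads LOGFILE
# Prints "module version" for every "go: downloading <module> <version>"
# line in the log, sorted and de-duplicated.
list_go_downloads() {
    sed -n 's/^go: downloading \([^ ]*\) \([^ ]*\)$/\1 \2/p' "$1" | sort -u
}

# check_offline_build LOGFILE
# Returns 0 when the log shows no module downloads, 1 otherwise.
# The offending modules are reported on stderr.
check_offline_build() {
    found=$(list_go_downloads "$1")
    if [ -n "$found" ]; then
        echo "build fetched modules from the network:" >&2
        echo "$found" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample log: two download lines taken from the output above
# (one repeated to show de-duplication) plus one unrelated line.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
dpkg-buildpackage: info: source package apparmor.d
go: downloading github.com/arduino/go-paths-helper v1.12.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/pkg/errors v0.9.1
EOF

check_offline_build "$sample_log" || echo "not buildable without network access"
```

Setting `GOPROXY=off` in the build environment makes the go tool fail instead of downloading, so the same condition shows up as a build error rather than a log line.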