How is it not obvious that Debian <i>must</i> enforce such a rule? Otherwise they open themselves up to issues like the Great NPM Unpublish Debacle of 2016. Doing so would dilute and ultimately negate whatever value they provide as a trusted package source (which, BTW, is <i>huge</i>). (While there are exceptions (notably flashplugin-nonfree), I believe they are necessarily relegated to the nonfree repository.)<p>Not to mention that a package which violates the "no-downloads" rule would utterly break on any system without Internet access. (Yes, there are very legitimate reasons, even in 2016, to run a system with access to a package repository, but without Internet access.)<p>And the workaround is <i>trivial</i>: just bundle the libraries you need with your source.<p>But no, instead of making the effort to understand the notion of trust inherent in a time-tested packaging system, and implement a simple workaround, let's whine about it on the Internet and say "fuck" a lot.<p>What a non-story.