sane dependencies -- a positive look at 'fix your packages'

Nicolas Mailhot Nicolas.Mailhot at laPoste.net
Sun Oct 5 00:03:59 UTC 2003


On Sun 05/10/2003 at 00:58, Alan Cox wrote:
> > So, in other words I would depend on arbitrary sites to supply prebuilt
> > libraries rather than getting software from trusted community
> > repositories? Would those prebuilt libraries be of the same poor quality
> 
> Actually if the binary is supplied signed by the trusted community source
> its origin isn't actually too important. Did it come from a mirror, did
> it come from your ISP web cache - was it in fact several round robin sites.
> The truth is you already don't know.

Sure. But an srpm requires someone to document the build process.
Allowing projects to directly provide binaries means you'll soon not be
able to rebuild their stuff because their build scripts will rot in
strange and wonderful ways, depend on undocumented build environments
and anyway even if you manage to build them they will check their
signature at runtime and refuse to run if they're not signed by the
upstream project key.

Which I'm sure the gcc people will love next time they want to release a
new version since instead of pulling a RedHat they'll have to convince
every single project the system uses it's time to upgrade their build
tools.

(and in case someone thinks I'm overly pessimistic - this kind of stuff
already exists. I met it. Every single aspect from the broken build
system to the key check is already used by people who thought about
auto-upload before the autoupdate project. And it's not even closed
commercial stuff but pure FOSS)

-- 
Nicolas Mailhot