[Fedora-packaging] No pre-built applications rule

Toshio Kuratomi a.badger at gmail.com
Sun Sep 17 18:43:41 UTC 2006


On Sun, 2006-09-17 at 10:58 +0200, Nicolas Mailhot wrote:
> Toshio Kuratomi wrote:
> 
> > How about something like:
> > 
> > "Packages must be built from source code.  Including pre-built programs
> > or libraries is strictly forbidden.  A select few exceptions are made
> > for binary firmware. 
> 
> If you want to tackle this particular problem, you also need an official 
> bootstrapping policy

True.  In the past it seemed like bootstrapping cases asked for
permission on fedora-extras and permission was granted to do the one
time import of a binary followed by compiling from the previous Fedora
package.  For now, I'd amend the draft policy to read:

"Packages must be built from source code.  Including pre-built programs
or libraries is forbidden.  There are exceptions for certain classes of
binaries.  See BinaryFirmware for exceptions that involve firmware.
Send an email to fedora-extras-list(fesco?fedora-maintainers?) for
discussion in the case of bootstrapping."

For a real bootstrapping policy the main thing will be figuring out what
criteria are needed for determining if we trust the binary compiler.  Is
it acceptable if it comes from upstream?  If it comes from upstream with
gpg signatures?  If it comes from a Debian Package?  Etc.  The Ken
Thompson article [1]_ is good reading for anyone that doesn't know why
bootstrapping compilers needs an extra level of paranoia.

[1]_ http://www.acm.org/classics/sep95/

-Toshio