[Fedora-packaging] Re: Pre-review Guidelines

Fernando Nasser fnasser at redhat.com
Fri May 8 21:29:20 UTC 2009


Toshio Kuratomi wrote:
> (...)
>
> 3) Protecting the toolchain from being built with malicious code.
>
> If the packages are going to be rebuilt fresh with our existing
> toolchain after a full review is done, then this wouldn't be a big issue
> to me as the full review either will or will not catch it as normal.  If
> the packages built into the side tag will be moved over to the dist tag
> (or simply added as a buildroot override for the dist tag) in order to
> bootstrap the new packages then I would be concerned.
>
> fnasser, do you know if you guys need bootstrapping or will things be
> built fresh?
>
>   
Hi Toshio,

Once they are bootstrapped in the side tag, they need to be mass-tagged 
in the main tag so we can just rebuild them (I suggest the side tag 
uses a different dist tag for clarity).  If we did the same process 
in the main tag we'd run into the same problem of having an unusable 
maven2 while the bootstrap process is going (it takes a while), which is 
just what we want to avoid with the side tag.

We have a working maven2 2.0.4.  It is old and no longer builds the new 
versions of things we need to build (for eclipse for instance), but it 
works and builds the current packages we have.  We don't want to risk 
having a broken toolchain for any period of time, hence the side tag.

Best regards,
Fernando
