On 5/8/2013 10:59 PM, Nico Kadel-Garcia wrote:
> On Wed, May 8, 2013 at 1:02 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>> On 08/05/13 08:13 AM, Igor Gnatenko wrote:
>>>
>>> Thx. But why in officially packages doesn't fixed?
>>
>>
>> Does anyone know if it's actually the case that the guidelines require
>> packages be buildable without internet access? I just had a quick search on
>> obvious terms through https://fedoraproject.org/wiki/Packaging:Guidelines ,
>> and couldn't find anything.
>
> There are huge security issues with downloading source at build time:
> someone who can manipulate your DNS or your proxies can get you
> downloading, building, and installing some arbitrarily contaminated
> source code. Also, repositories tend to evaporate or fail to publish
> specific releases in specific locations, so the module you download
> today may have nothing to do with the module of the same name that I
> download tomorrow.
>
> This is one of the absolute banes of all the "grab and build it when
> you need it and only when you need it" approaches, such as CPAN,
> rubygems, and maven.
>

You forgot to mention the evil monkey that lives in your closet or the
monster that lives under your bed or the things that go bump in the
night. :-)

--
David
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel