On Thu, May 9, 2013 at 12:12 AM, Rahul Sundaram <metherid@xxxxxxxxx> wrote: > Hi > > > On Thu, May 9, 2013 at 12:04 AM, Adam Williamson wrote: >> >> >> >> Yes, I know that, thanks. I didn't ask for a lecture, but whether this >> was actually written down in the guidelines somewhere. > > > It is not written down as policy and since the tools themselves enforce > this, I don't think it has been needed > > Rahul Which tool enforces this? Unless the toolkit for the build environments is completely isolated from the Internet and uses only disk access or local VLAN for it's access to source file repositories, this can be very difficult to enforce. I'll admit I've not tried taking koji's source apart to verify this behavior. But I continue to run across Java based SRPM's that use "maven" and wind up with broken URL's or insufficiently specific URL's that just grab the latest modules from their relevant upstream repo. And I've even encountering SRPM's in private use that do "wget" pulls for source code as part of the build process. I even job interviewed for an open source project last year that did "git clone [github master repo]" clones to obtain their source code. It would make my life easier to have a stated policy I can point packagers to in the wide world. Please? -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
