[INPUT REQUESTED] Fedora Policy on generated code


Please keep responses on the devel@ list. CCed to the Council list for
visibility and discussion of how this fits with our "Freedom" foundation.


== Premise ==
Some upstreams distribute tarballs that include code and content that
has been generated at distribution time. Some (non-exhaustive)
examples of this include:

* Code produced by gdbus-codegen
* Code generated by a YACC implementation such as bison or jison.
* Autotools scripts such as libtool
* Man-pages that are built from templates such as Docbook.
* Minified JavaScript or CSS

There are many other examples, but those are readily called to mind.
This brings up several important questions:

1) Do we require that the original data used to generate this code is
included in the SRPM?

2) Do we require that whatever tools are necessary to generate this
code are packaged in Fedora (with all the legal and policy requirements
that this implies)? If we do not, do we require that the code used by
upstream is free software?

3) Do we require that building in Fedora always requires regeneration
of this code from the original data?

== Analysis ==
Shipping pre-generated content may introduce risk:

* If the pre-generated code produces code that is not human-readable,
it may be impossible to audit (or verify that it actually matches the
input files, if available). For example, a compromised upstream might
be shipping a back-door, possibly without knowing.

* If a bug or security vulnerability is discovered in the generated
code, will it be reasonable for a Fedora maintainer to patch it?
Patching the source files vs. patching the generated output can be a
very significant difference in the level of effort.

* Code that was pre-generated by upstream may have been done with
build flags that differ from Fedora's own set of hardened and
optimized flags, resulting in a poorer experience (or less secure


Forcing the re-generation of all such code may be infeasible in many
cases. For example, the call has gone out numerous times in the past
to mandate that `autoreconf` must be run on all autotools code (to
enforce compiler flags) and every time it has been defeated because
many programs won't generate with anything but the version of
autotools that was used by upstream (which is a separate problem).

FESCo discussed this very briefly in our last meeting, but it was
decided that we should open this up to community discussion before
attempting to make a decision. Please add your thoughts to this thread
and FESCo will revisit it at our next meeting (after the New Year).