Please keep responses on the devel@ list. CCed to the Council list for visibility and discussion of how this fits with our "Freedom" foundation.

== Premise ==

Some upstreams distribute tarballs that include code and content that has been generated at distribution time. Some (non-exhaustive) examples of this include:

* Code produced by gdbus-codegen
* Code generated by a YACC implementation such as bison or jison
* Autotools scripts such as libtool
* Man pages that are built from templates such as DocBook
* Minified JavaScript or CSS

There are many other examples, but those are readily called to mind.

This brings up several important questions:

1) Do we require that the original data used to generate this code is included in the SRPM?

2) Do we require that whatever tools are necessary to generate this code are packaged in Fedora (with all the legal and policy requirements that this implies)? If we do not, do we require that the tools used by upstream are free software?

3) Do we require that building in Fedora always regenerates this code from the original data?

== Analysis ==

Shipping pre-generated content may introduce risk:

* If the generation step produces code that is not human-readable, it may be impossible to audit (or to verify that it actually matches the input files, if those are available). For example, a compromised upstream might be shipping a back door, possibly without knowing it.
* If a bug or security vulnerability is discovered in the generated code, will it be reasonable for a Fedora maintainer to patch it? Patching the source files vs. patching the generated output can be a very significant difference in the level of effort.
* Code that was pre-generated by upstream may have been built with flags that differ from Fedora's own set of hardened and optimized flags, resulting in a poorer experience (or less secure

Forcing the regeneration of all such code may be infeasible in many cases.
For example, the call has gone out numerous times in the past to mandate that `autoreconf` must be run on all autotools code (to enforce compiler flags), and every time it has been defeated because many programs won't regenerate with anything but the exact version of autotools that upstream used (which is a separate problem).

FESCo discussed this very briefly in our last meeting, but it was decided that we should open this up to community discussion before attempting to make a decision. Please add your thoughts to this thread and FESCo will revisit it at our next meeting (after the New Year).
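The first analysis point above asks whether pre-generated content can be audited at all, and question 1 asks whether its inputs are even present in the SRPM. The script below is an added example (not from this post, FESCo, or any Fedora packaging tool) of the kind of check a packager could run on an unpacked tarball: it flags files that carry the banner comments common generators leave behind, flags minified JS/CSS by line shape, and reports whether a plausible input file sits beside each one. The marker strings, the input-suffix mapping and the sample tree are all constructed for the demonstration; a real audit would extend the marker table for the generators a given package actually uses.

```python
"""Flag pre-generated files in a source tree and check for their inputs.

Added example; the generator markers and suffix mapping below are assumptions
chosen to illustrate the audit, not an exhaustive or authoritative list.
"""
import os
import re
import tempfile

# (marker regex, human label, suffixes an input file would plausibly have)
GENERATOR_MARKERS = [
    (re.compile(r"made by GNU Bison|generated by jison", re.I),
     "parser generator", (".y", ".yy", ".jison")),
    (re.compile(r"Generated by gdbus-codegen"),
     "gdbus-codegen", (".xml",)),
    (re.compile(r"Generated by GNU Autoconf|GNU Libtool|generated by automake|"
                r"generated automatically by aclocal"),
     "autotools", (".ac", ".am", ".m4")),
    (re.compile(r"DO NOT EDIT", re.I),
     "unspecified generator", (".in", ".tmpl")),
]


def read_head(path, limit=4096):
    """Generator banners sit at the top, so the first few KiB are enough."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("utf-8", "replace")


def looks_minified(path, text):
    """Heuristic for minified assets: a JS/CSS file whose lines are very long."""
    if not path.endswith((".js", ".css")):
        return False
    lines = text.splitlines()
    return bool(lines) and max(map(len, lines)) > 300 and len(text) / len(lines) > 200


def candidate_sources(path, suffixes):
    """Files next to `path` that share its stem and carry an input suffix
    (parser.c -> parser.y, configure -> configure.ac, app.min.js -> app.js)."""
    stem = os.path.join(os.path.dirname(path), os.path.basename(path).split(".")[0])
    return [stem + s for s in suffixes if os.path.isfile(stem + s) and stem + s != path]


def audit(root):
    """Walk `root`; return one finding per pre-generated file, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            text = read_head(path)
            kind, suffixes = None, ()
            for rx, label, sfx in GENERATOR_MARKERS:
                if rx.search(text):
                    kind, suffixes = label, sfx
                    break
            if kind is None and looks_minified(path, text):
                kind, suffixes = "minified asset", (".js", ".css")
            if kind is None:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "kind": kind,
                "sources": [os.path.relpath(s, root) for s in candidate_sources(path, suffixes)],
            })
    return sorted(findings, key=lambda f: f["path"])


def missing_inputs(findings):
    """Generated files for which no input was found: these cannot be verified
    against their source, which is exactly the audit gap described above."""
    return [f["path"] for f in findings if not f["sources"]]


def build_sample_tree():
    """Constructed sample tarball contents: four generated files, two of them
    shipped without the data they were generated from."""
    root = tempfile.mkdtemp(prefix="gen-audit-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)

    put("src/parser.c", "/* A Bison parser, made by GNU Bison 3.0.4.  */\nint yyparse(void);\n")
    put("src/parser.y", "%%\nexpr: NUMBER ;\n%%\n")                    # input present
    put("src/proxy.c", "/*\n * Generated by gdbus-codegen 2.44.1. DO NOT EDIT.\n */\n")  # no .xml
    put("web/app.min.js", "function a(){" + "var x=1;" * 150 + "}\n")  # no app.js
    put("configure", "#! /bin/sh\n# Generated by GNU Autoconf 2.69.\n")
    put("configure.ac", "AC_INIT([demo], [1.0])\n")                    # input present
    return root


if __name__ == "__main__":
    results = audit(build_sample_tree())
    for f in results:
        print(f"{f['path']:<16} {f['kind']:<22} inputs: {f['sources'] or 'NONE'}")
    print("unverifiable:", missing_inputs(results))
```

On the constructed tree this reports `configure` and `src/parser.c` with their inputs present, and lists `src/proxy.c` and `web/app.min.js` as unverifiable. The marker approach only catches generators that announce themselves; the minified-asset heuristic exists precisely because minifiers usually do not, which is why that category is the hardest to audit.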