On Sat, Nov 10, 2018 at 9:45 PM Kevin Kofler <kevin.kofler@xxxxxxxxx> wrote:
>
> Dridi Boukelmoune wrote:
> > If you take this compromise to an extreme then let's solve the Java
> > problem (or <insert similar stack here>) and grant internet access
> > to builds. This way we can use vanilla maven/gradle/ivy to fetch
> > dependencies at build time and make sure that we can upgrade to the
> > latest versions of any leaf package.
>
> For Java, this does not work because Maven fetches precompiled JARs, whereas
> we need our software to be built from source. (You are not allowed to bundle
> precompiled JARs even if you download them beforehand or they are even
> included in the upstream tarball.) It is an essential requirement for a Free
> Software distribution that all software it ships is built from source.
>
> > For the Go case (and we can include Rust too)
>
> For those, please see Nicolas Mailhot's reply.
>
> Kevin Kofler

It's a very sensible requirement. It's not a legal one, as long as the
"free software" has the source available. For the legal protection of
users who can assure the legal provenance of the code, and for elementary
security reasons, it's critical.

It's one of the great risks of rubygems and of all the Java build tools.
It's installing binaries without robust provenance. It's a risk, as well,
for CPAN and pip based installations.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
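Added example, not part of the thread above and not Fedora or pip code: the reply's point is that build-time fetches from rubygems, Maven, CPAN or pip install artifacts without robust provenance. The minimum check that makes such a fetch at least tamper-evident is the one pip offers with --require-hashes: every dependency is an exact pin carrying a strong digest, and an artifact is rejected if no acceptable digest is pinned or the bytes do not match. The script below implements that policy over a lockfile in pip's `name==version --hash=alg:hex` syntax. The artifact bytes, package names and the lockfile are constructed sample data (the "bar" pin deliberately refers to different bytes, modelling a substituted download; "qux" is pinned only with md5, which the policy does not accept).

```python
"""Added example: verify fetched build artifacts against pinned digests.

Models pip's --require-hashes behaviour: an artifact is usable only if the
lockfile pins it to an exact version with at least one acceptable digest
that the downloaded bytes actually match. All inputs below are constructed
sample data, not real packages.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Exact pin: name==version, followed by optional --hash=alg:hex options.
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-f]+)")

# Digests we accept as provenance evidence; md5/sha1 are deliberately absent.
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    digests: frozenset  # set of (algorithm, hex digest)


def parse_lockfile(text):
    """Parse a requirements-style lockfile; every entry must be an exact pin."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an exact pin: {raw!r}")
        digests = frozenset(
            (h.group("alg"), h.group("hex")) for h in _HASH_RE.finditer(m.group("rest"))
        )
        pins[m.group("name").lower()] = Pin(m.group("name"), m.group("version"), digests)
    return pins


def verify_artifact(pin, data):
    """Return None if data matches an acceptable pinned digest, else a reason."""
    acceptable = [(alg, hexd) for alg, hexd in pin.digests if alg in ALLOWED_ALGORITHMS]
    if not pin.digests:
        return f"{pin.name}: no hash pinned; refusing unverified artifact"
    if not acceptable:
        weak = ",".join(sorted(alg for alg, _ in pin.digests))
        return f"{pin.name}: only unacceptable digest algorithms pinned ({weak})"
    for alg, expected in acceptable:
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return None
    return f"{pin.name}: digest mismatch; artifact differs from pinned bytes"


def verify_all(lockfile_text, artifacts):
    """artifacts: {name: bytes}. Returns {name: None (ok) or reason string}."""
    results = {}
    for name, pin in parse_lockfile(lockfile_text).items():
        data = artifacts.get(name)
        results[name] = "artifact missing" if data is None else verify_artifact(pin, data)
    return results


def build_scenario():
    """Constructed sample: four fake artifacts and a lockfile describing them."""
    artifacts = {
        "foo": b"foo-1.2.3 wheel bytes (constructed sample)",
        "bar": b"bar-0.9 jar bytes (constructed sample)",
        "baz": b"baz-2.0 gem bytes (constructed sample)",
        "qux": b"qux-4.4 tarball bytes (constructed sample)",
    }
    good_foo = hashlib.sha256(artifacts["foo"]).hexdigest()
    # The bar pin was taken from different bytes: a substituted download.
    bad_bar = hashlib.sha256(b"bar-0.9 original upstream bytes").hexdigest()
    weak_qux = hashlib.md5(artifacts["qux"]).hexdigest()  # correct but too weak
    lockfile = (
        "# constructed lockfile in pip --require-hashes syntax\n"
        f"foo==1.2.3 --hash=sha256:{good_foo}\n"
        f"bar==0.9 --hash=sha256:{bad_bar}\n"
        "baz==2.0\n"
        f"qux==4.4 --hash=md5:{weak_qux}\n"
    )
    return lockfile, artifacts


def run_demo():
    lockfile, artifacts = build_scenario()
    return verify_all(lockfile, artifacts)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {'OK' if outcome is None else 'REJECT ' + outcome}")
```

Only "foo" passes; "bar" is rejected for a digest mismatch, "baz" because nothing is pinned, and "qux" because md5 is not an accepted algorithm. Note that this only proves the bytes are the ones someone pinned earlier; it says nothing about whether those bytes were built from the claimed source, which is the stronger property the distribution requirement in the thread is after.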