On Sat, Apr 27, 2019 at 11:20 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Fri, Apr 26, 2019 at 11:53 AM stan <upaitag@xxxxxxxx> wrote:
> >
> > On Fri, 26 Apr 2019 11:07:54 -0000 (UTC)
> > Petr Pisar <ppisar@xxxxxxxxxx> wrote:
> >
> > I am a Fedora user with no dog in this fight.
> >
> > > Controversial property of modules are private build-time dependencies.
> > > Modularity allows packagers to hide them and to not support them
> > > (to the extent that they work in my module). However, this
> > > privatisation has costs. It means duplication of work unless two ...
> >
> > Isn't this contrary to the Fedora rules? If I'm understanding this
> > correctly, it means that modules in Fedora can contain dependencies on
> > code that isn't available, so that Fedora (and users) can't build that
> > module from source. And that the module could contain basically
> > anything because no one can examine the contents that built the
> > module. Could someone privately pull in something like the proprietary
> > nvidia binary blob and use it to build their module without anyone
> > knowing?
> >
> > Because I'm not knowledgeable about this, it might be that private
> > dependencies have to be packages built from source code available in the
> > Fedora ecosystem, and so this is not possible. I just want to clarify
> > my understanding.
>
> The restrictions by Fedora Koji prevent that, but yes, MBS and
> Modularity do allow for something like this. It can't happen in Fedora
> because our Koji is not set up to consume external repositories
> (except for EPEL, which consumes RHEL content this way).
>
> But I don't know if this restriction will stick around in the future...
>
> That said, today, modules can and do rely on unpublished RPMs that
> have packaging in Dist Git. It is currently impossible with some
> modules to be able to privately rebuild them outside of Fedora
> infrastructure. I've made my displeasure about this known in the past,
> and hopefully this will be rectified soon.

Please, yes. The provenance of RPMs and their build environments is one
of Fedora's most redeeming features.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx