On Wed, May 31, 2023 at 06:48:37PM +0200, Vitaly Zaitsev via devel wrote: > On 31/05/2023 15:44, Gerd Hoffmann wrote: > > We do similar things in other cases, see for example shim-unsigned.rpm + > > shim.rpm > > Shim is a special case: > 1. Shim need to be signed by Microsoft on their own infrastructure and this > signature will be built directly into PE file. > 2. Shim runs on UEFI, so it can use exception for firmware. > > > The prebuilt RPMs are compiled on Fedora infrastructure too, so I don't > > see how that violates the 'build from source' requirement. > > If the package uses prebuilt blobs (their origin is irrelevant), it violates > current Fedora packaging guidelines. Can you point to the specific guideline that this violates ? I know we've always expected that apps are built from pristine upstream source, but I'm not finding the specific guideline that describes this right now. There *is* absolutely a difference between using a pre-built blob provided by a 3rd party, vs using a pre-built blob obtained from a previous Fedora RPM build. The purpose of Fedora building from pristine source is to ensure that the binary we distribute actually matches the source we distribute, which is important for licensing compliance and also should we ever need to rebuild later to patch the RPM we want confidence we can do so. Using a pre-built blob from a 3rd party can't satisfy our goals in this respect. Using a pre-built blob from a previous Fedora build absolutey *can* satisfy our needs. In fact we do this all the time - when we build cloud images or containers we are using pre-built blobs from a previous Fedora build process. What is proposed for the JDK is definitely a new scenario for Fedora, but we will still be able to satisfy our needs to trace a binary back to its pristine source. That critical traceability aspect is preserved. Thus I do NOT see this proposal as fundamentally unsound from a packaging POV, merely different and unusual. Finally the Fedora packaging guidelines are guidelines, not rules: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_general_exception_policy "As these guidelines can never cover all possible contingencies, there will always be packages which need exception." In the worst case the exception would require approval of FPC, and that is what this change proposal ultimately seeks to attain, which is good. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
