https://bugzilla.redhat.com/show_bug.cgi?id=2085444

--- Comment #80 from Daniel Berrangé <berrange@xxxxxxxxxx> ---

> # To build SGX SDK from linux-sgx source, first download the prebuilt
> # binaries by "make preparation", then run script
> # ./linux/installer/rpm/sdk/build.sh to update spec and repack tarball.
> # Since no network access is possible for Fedora package build system,
> # the pre-downloaded and repacked tarball is shared on 01.org.
> Source0: https://download.01.org/intel-sgx/sgx_repo/rpm_onespec/%{name}-%{version}.tar.gz

I've tried to follow these instructions again, assuming it was fixed since I previously raised the problem in August (https://bugzilla.redhat.com/show_bug.cgi?id=2085444#c65).

I had to 'make sdk' after 'make preparation' and before running 'build.sh', otherwise files it was looking for don't exist.

At the end of 'build.sh' there is a sgxsdk-2.22.100.3.tar.gz created, but its contents don't resemble the contents of sgxsdk-2.22.100.0.tar.gz that is in the src.rpm provided in this review. The build.sh appears to create a tarball that contains exclusively a pre-built set of binaries, while the src.rpm here contains actual source, along with a few compiled binaries acquired from other tarballs that 'download_prebuilt.sh' acquired.

Looking at the files in the sgxsdk-2.22.100.0.tar.gz, many of them do not correspond to files that I can find in https://github.com/intel/linux-sgx, nor do they correspond to files in the linux-sgx-sgx_2.22.tar.gz provided at https://github.com/intel/linux-sgx/releases/tag/sgx_2.22

The 'make preparation' step downloads a file https://download.01.org/intel-sgx/sgx-linux/2.22/optimized_libs_2.22.tar.gz whose contents appear to be copied into sgxsdk-2.22.100.0.tar.gz. This optimized_libs_2.22.tar.gz contains a Master_EULA_for_Intel_Sw_Development_Products.pdf file that imposes restrictive licensing on anyone receiving this tarball of pre-built libraries. I don't think that will be acceptable for Fedora.
Given that I cannot validate the provenance of the sgxsdk-2.22.100.3.tar.gz tarball in the provided src.rpm, I'm not willing to approve this package. IMHO the whole idea of pre-generating a custom sgxsdk-2.22.100.3.tar.gz for the RPM is flawed and needs to be rethought. This RPM needs to be built using the official pristine released linux-sgx-sgx_2.22.tar.gz from https://github.com/intel/linux-sgx/releases/tag/sgx_2.22

Separately, the src.rpm should also contain the additional tarballs (that download_prebuilt.sh would otherwise fetch) with the requisite signed pre-compiled binaries, so we have clear separation of what parts are from the pristine source release and what parts are pre-compiled. The questionable EULA in optimized_libs_2.22.tar.gz needs addressing too.
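As an added illustration of the provenance check the reviewer is asking for (example code written for this page, not from the bug report or the linux-sgx project): compare a repacked tarball against the pristine upstream release and list which files were injected, altered or dropped. Both archives, and the file names inside them, are constructed inline and are not the real trees.

```python
import hashlib
import io
import tarfile


def _member_hashes(tar_bytes):
    """Map each regular file (leading directory stripped) to its SHA-256 hex digest."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                # linux-sgx-sgx_2.22/x and sgxsdk-2.22.100.0/x both compare as x.
                path = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                hashes[path] = hashlib.sha256(data).hexdigest()
    return hashes


def compare_tarballs(pristine_bytes, repacked_bytes):
    """Return (unexpected, modified, missing) relative paths, judged against pristine."""
    pristine = _member_hashes(pristine_bytes)
    repacked = _member_hashes(repacked_bytes)
    unexpected = sorted(p for p in repacked if p not in pristine)
    modified = sorted(p for p in repacked if p in pristine and repacked[p] != pristine[p])
    missing = sorted(p for p in pristine if p not in repacked)
    return unexpected, modified, missing


def make_tarball(top, files):
    """Build an in-memory .tar.gz of {relative_path: bytes} under directory `top`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=f"{top}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives: the file names are illustrative, not the real trees.
PRISTINE = make_tarball("linux-sgx-sgx_2.22", {
    "Makefile": b"all: sdk\n",
    "sdk/trts/trts.cpp": b"// trusted runtime\n",
})
REPACKED = make_tarball("sgxsdk-2.22.100.0", {
    "Makefile": b"all: sdk\n",
    "sdk/trts/trts.cpp": b"// trusted runtime (patched)\n",
    "external/ippcp/libippcp.a": b"\x7fELF prebuilt blob",
    "Master_EULA_for_Intel_Sw_Development_Products.pdf": b"%PDF-1.4 ...",
})
```

`compare_tarballs(PRISTINE, REPACKED)` reports the EULA and the prebuilt library as unexpected, `sdk/trts/trts.cpp` as modified and nothing missing; on real input, feed it the bytes of the upstream linux-sgx-sgx_2.22.tar.gz and of the sgxsdk tarball taken from the src.rpm.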