The Packaging Guidelines require that all binary programs and libraries be built from source code. How should this requirement be interpreted when some of the "source code" is itself automatically generated from other sources?

GTKada is an Ada binding to GTK+. In the latest version, some of the Ada files in the source tarball have been generated by a program that is included in the tarball. Future versions will have even more generated code. The input to the code generator is a GIR file, which as far as I understand is some kind of XML representation of the GTK+ API. The GIR file has in turn been generated from the C source code of GTK+. The GIR file is included in the GTKada tarball, but the GTK+ source is not.

Now I'm trying to figure out whether I can build the GTKada package from the distributed generated Ada code, or whether I have to run the code generation as a part of the build, possibly using the GIR file from the GTK+ package instead of the one in the GTKada tarball.

There are two reasons for the requirement listed in the guidelines:

· "Security: Pre-packaged program binaries and program libraries not built from the source code could contain parts that are malicious, dangerous, or just broken. Also, these are functionally impossible to patch."

The generated Ada code is nicely formatted and legible, and no harder to review than hand-written source code. It would be possible to patch it, although such a patch would of course not be upstreamable.

· "Compiler Flags: Pre-packaged program binaries and program libraries not built from the source code were probably not compiled with standard Fedora compiler flags for security and optimization."

This obviously doesn't apply to generated code that hasn't yet been through a compiler.

Thus, none of the stated reasons seem to be relevant to this case, and I can see only one thing that could mean that I have to run the code generation as a part of the build, namely the term "source code".

My question is: Is it required that all the steps in the process from the actual source code to binary code take place on Fedora's build servers, or is it sufficient that binaries are built from human-readable code even if that code isn't the actual source code?

In other words: Should I read "source code" literally, as "the ultimate source code written by human programmers", or is it OK, for the purpose of this requirement, to read it as "human-readable code in a textual programming language"?

Björn Persson

--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging