From Fedora Project Wiki
m (→Issues with current guidelines: clear wording) |
(make a proposal 2) |
||
| Line 19: | Line 19: | ||
* The current guidelines are vague. They don't tell what to do where about removal of pre-built binaries. | * The current guidelines are vague. They don't tell what to do where about removal of pre-built binaries. | ||
* Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, the detection and the removal of these binaries is an easier process than tracing the build logs and making sure that the pre-built binaries do not end up in the final RPM. | * Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, the detection and the removal of these binaries is an easier process than tracing the build logs and making sure that the pre-built binaries do not end up in the final RPM. | ||
* There is a confusion among some packagers about inclusion of certain pre-built documentation formats in packages, such as pdf, ps. | * There is a confusion among some packagers about inclusion of certain pre-built data & documentation formats in packages, such as pdf, ps. | ||
== Proposal == | == Proposal 1 == | ||
''Add the following to the above guidelines:'' | ''Add the following to the above guidelines:'' | ||
* All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar | * All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files. | ||
== | == Proposal 2 == | ||
*. | ''This suggests a more extensive change in the guidelines. A new section will be made with the title '''"No inclusion of pre-built files"''' and the existing guideline will be put in a subsection:'' | ||
== No inclusion of pre-built files == | |||
=== pre-built binaries or libraries === | |||
All binaries or libraries included with Fedora packages must have been built from sourcecode included in the source package. This is a requirement for the following reasons: | |||
* Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch. | |||
* Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization. | |||
If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria: | |||
* Is it executable? If so, it is probably a binary. | |||
* Does it contain a .so, ,so.#, or .so.#.#.# extension? If so, it is probably a library. | |||
* If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee. | |||
Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required). | |||
* All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files. | |||
=== pre-built data === | |||
Some upstream tarballs contain both the sources and the pre-built version of certain data types (Examples include doxygen documentation, LateX documentation, certain image file types, fonts). It might happen that the pre-built version of the data is outdated. Therefore, | |||
* if it is possible to build the data from sources (*.dvi, *.html, *.man, *.mo, *.pdf, *.pfb, *.png, *.ps, *.ttf, ...), the pre-built versions MUST be removed in %prep. | |||
Revision as of 18:16, 18 June 2009
Proposal to remove all pre-built binaries before a build
Current guidelines
Current guidelines for no inclusion of pre-built binaries or libraries [1] are
All binaries or libraries included with Fedora packages must have been built from sourcecode included in the source package. This is a requirement for the following reasons:
- Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
- Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.
If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:
- Is it executable? If so, it is probably a binary.
- Does it contain a .so, ,so.#, or .so.#.#.# extension? If so, it is probably a library.
- If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.
Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).
Issues with current guidelines
- The current guidelines are vague. They don't tell what to do where about removal of pre-built binaries.
- Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, the detection and the removal of these binaries is an easier process than tracing the build logs and making sure that the pre-built binaries do not end up in the final RPM.
- There is a confusion among some packagers about inclusion of certain pre-built data & documentation formats in packages, such as pdf, ps.
Proposal 1
Add the following to the above guidelines:
- All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files.
Proposal 2
This suggests a more extensive change in the guidelines. A new section will be made with the title "No inclusion of pre-built files" and the existing guideline will be put in a subsection:
No inclusion of pre-built files
pre-built binaries or libraries
All binaries or libraries included with Fedora packages must have been built from sourcecode included in the source package. This is a requirement for the following reasons:
- Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
- Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.
If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:
- Is it executable? If so, it is probably a binary.
- Does it contain a .so, ,so.#, or .so.#.#.# extension? If so, it is probably a library.
- If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.
Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).
- All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files.
pre-built data
Some upstream tarballs contain both the sources and the pre-built version of certain data types (Examples include doxygen documentation, LateX documentation, certain image file types, fonts). It might happen that the pre-built version of the data is outdated. Therefore,
- if it is possible to build the data from sources (*.dvi, *.html, *.man, *.mo, *.pdf, *.pfb, *.png, *.ps, *.ttf, ...), the pre-built versions MUST be removed in %prep.