From Fedora Project Wiki

Revision as of 17:32, 18 June 2009 by Oget (talk | contribs) (initial draft)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Propoposal to remove all pre-built binaries before a build

Current guidelines

Current guidelines for no inclusion of pre-built binaries or libraries [1] are

All binaries or libraries included with Fedora packages must have been built from sourcecode included in the source package. This is a requirement for the following reasons:

  • Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
  • Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.

If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:

  • Is it executable? If so, it is probably a binary.
  • Does it contain a .so, ,so.#, or .so.#.#.# extension? If so, it is probably a library.
  • If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

Issues with current guidelines

  • The current guidelines are vague. They don't tell what to do where about removal of pre-built binaries.
  • Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, the detection and the removal of these binaries is an easier process than tracing the build logs and making sure that they do not end up in the final RPM.
  • There is a confusion among some packagers about inclusion of certain pre-built documentation formats in packages, such as pdf, ps.


Proposal

Add the following to the above guidelines:

  • All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.mo, *.o, *.pyc, *.pyo, *.so files.
  • If it is possible to build the documentation from sources (*.html, *.man, *.pdf, *.ps, ...), the pre-built versions MUST be removed in %prep.

Notes

  • .html, *.man files are not really binary, so that the last proposal might need to be re-worded, or put in a different section.