Archive:PackagingDrafts/SourceRequirement

The spirit behind Open Source is that anyone can take the source code, rebuild it, and have functional binaries. 

Fedora's guiding principle is: To provide free and open source software, at no cost, freely redistributable, and unencumbered by software patents.

I propose that the following text be added to the Packaging/Guidelines:

No inclusion of pre-built binaries or libraries
All binaries or libraries included with Fedora packages must have been built from source code included in the source package. This is a requirement for the following reasons:
 * Security: Pre-packaged binaries and libraries not built from source could include anything: malicious code, dangerous behaviour, or simply broken code. They are also effectively impossible to patch.
 * Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.

If you are in doubt as to whether something is considered a binary or library, here are some helpful criteria:
 * Is it executable? If so, it is probably a binary.
 * Does it have a .so, .so.#, or .so.#.#.# extension? If so, it is probably a library.
 * If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.
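To make the criteria above concrete, here is an added example shell script, not part of this draft or of Fedora's own tooling, that applies them to an unpacked source tree. The sample tree it builds, its file names and its function names are all constructed for illustration, and it adds one check the draft does not list: the ELF magic number at the start of a file. Anything it flags is "probably" a binary or library in the draft's sense; the reviewer still makes the call (the executable `configure` script it reports is exactly the kind of false positive that needs a human look).

```shell
#!/bin/sh
# Added example: heuristic scan of an unpacked source tree for files that
# look like pre-built binaries or shared libraries, following the draft's
# criteria (executable bit; .so, .so.N or .so.N.N.N suffix). The ELF magic
# check is an extra heuristic assumed here, not one the draft lists.

# is_elf FILE -> success if the first four bytes are 7f 45 4c 46 ("\177ELF")
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# looks_like_library NAME -> success for foo.so, foo.so.1, foo.so.1.2.3, ...
# but not for foo.so.txt or foo.so.bak, whose suffix is not dotted digits
looks_like_library() {
    case "$1" in
        *.so) return 0 ;;
        *.so.*)
            rest=${1##*.so.}          # e.g. "1.2.3" for libfoo.so.1.2.3
            case "$rest" in
                '' | *[!0-9.]*) return 1 ;;
                *)              return 0 ;;
            esac ;;
    esac
    return 1
}

# classify FILE -> prints one "FILE: reason" line per matching criterion;
# succeeds if anything matched, fails otherwise
classify() {
    f=$1; hit=1
    if is_elf "$f"; then echo "$f: ELF object"; hit=0; fi
    if looks_like_library "$(basename "$f")"; then echo "$f: shared-library name"; hit=0; fi
    if [ -x "$f" ]; then echo "$f: executable bit set"; hit=0; fi
    return $hit
}

# scan_tree DIR -> runs classify over every regular file; always succeeds
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        classify "$f" || true
    done
}

# make_demo_tree -> creates a constructed sample tree and prints its path
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib" "$d/src" "$d/doc"
    printf '\177ELF\001\001\001' > "$d/bin/prebuilt"          # fake ELF header
    chmod +x "$d/bin/prebuilt"
    echo "opaque vendor blob" > "$d/lib/libvendor.so.1.2.3"    # library by name
    printf '#!/bin/sh\necho configuring\n' > "$d/configure"   # executable script
    chmod +x "$d/configure"
    echo 'int main(void) { return 0; }' > "$d/src/main.c"      # plain source
    echo "release notes" > "$d/doc/notes.so.txt"               # not a library
    echo "$d"
}

# Stand-alone run: build the sample tree, print the report, clean up.
demo=$(make_demo_tree)
scan_tree "$demo"
rm -rf "$demo"
```

Run it against a real unpacked tarball with `scan_tree /path/to/unpacked-source` after sourcing the file; the report lists each suspicious file with every criterion it matched, so a prebuilt ELF that is also executable appears twice.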

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

Exceptions

 * Some software (usually related to compilers or cross-compiler environments) cannot be built without the use of a previous (open source) toolchain or development environment. If you have a package which meets these criteria, contact the Fedora Packaging Committee for approval.
 * An exception is made for binary firmware, as long as it meets the requirements documented here: BinaryFirmware
 * Some fonts are released upstream as TTF only. These fonts are treated as content. When source code is available (as with DejaVu), the font must be built from source.