From Fedora Project Wiki


Latest revision as of 18:44, 15 September 2009

Proposal to remove all pre-built binaries before a build

Current guidelines

The current guidelines on the inclusion of pre-built binaries or libraries [1] read:

All binaries or libraries included with Fedora packages must have been built from source code included in the source package. This is a requirement for the following reasons:

  • Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
  • Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.

If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:

  • Is it executable? If so, it is probably a binary.
  • Does it have a .so, .so.#, or .so.#.#.# extension? If so, it is probably a library.
  • If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

Exceptions

  • Some software (usually related to compilers or cross-compiler environments) cannot be built without the use of a previous toolchain or development environment (open source). If you have a package which meets these criteria, contact the Fedora Packaging Committee for approval.
  • An exception is made for binary firmware, as long as it meets the requirements documented here: BinaryFirmware

Issues with current guidelines

  • The current guidelines are vague. They do not say where or how pre-built binaries are to be removed.
  • Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, detecting and removing these binaries is easier than tracing the build logs to make sure that the pre-built binaries do not end up in the final RPM.
  • There is confusion among some packagers about including certain pre-built data and documentation formats, such as pdf and ps, in packages.

Proposal

Replace occurrences of "binary" with "program binary", and occurrences of "library" with "program library". Add one sentence to clear up that content binaries are allowed. Also improve some grammar along the way. Here is the full proposal:

All program binaries and program libraries included in Fedora packages must be built from the source code that is included in the source package. This is a requirement for the following reasons:

  • Security: Pre-packaged program binaries and program libraries not built from the source code could contain parts that are malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
  • Compiler Flags: Pre-packaged program binaries and program libraries not built from the source code were probably not compiled with standard Fedora compiler flags for security and optimization.

Content binaries (such as .mo, .pdf, .png, .ps files) are not required to be rebuilt from the source code.

If you are in doubt as to whether something is considered a program binary or a program library, here is some helpful criteria:

  • Is it executable? If so, it is probably a program binary.
  • Does it have a .so, .so.#, or .so.#.#.# extension? If so, it is probably a program library.
  • If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

When you encounter pre-built binaries in a package you MUST:

  • Remove all pre-built program binaries and program libraries in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files.
  • Ask upstream to remove the binaries in their next release.
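
As an added example (not Fedora's own code or part of this proposal), the following POSIX shell sweep does what the %prep rule above asks: it walks an unpacked source tree, deletes files that match the listed program-binary and program-library patterns or carry an ELF, MZ or Java class header, leaves content binaries such as .mo and .pdf alone, and only reports executables it cannot classify so the "ask your reviewer" step stays with a human. The function names and the sample tree it builds are constructed for this example; in a spec file the same logic would sit in %prep after %setup.

```shell
#!/bin/sh
# Added example, not Fedora's own code. Removes pre-built program binaries
# and program libraries from an unpacked source tree while keeping content
# binaries (.mo, .pdf, .png, .ps). Function names and sample data are
# constructed for this example.

# Name-based match for the file types the guideline lists, plus the
# versioned .so.N and .so.N.N.N forms from its "is it a library?" criteria.
is_prebuilt_by_name() {
    case "$1" in
        *.class|*.dll|*.DS_Store|*.exe|*.jar|*.o|*.pyc|*.pyo|*.so|*.so.[0-9]*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Magic-based match: catches renamed or extensionless binaries that a name
# check misses. Reads the first four bytes of the file as lowercase hex.
is_prebuilt_by_magic() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) return 0 ;;   # ELF: Linux executable or shared object
        4d5a*)    return 0 ;;   # "MZ": DOS/Windows executable or DLL
        cafebabe) return 0 ;;   # Java .class (also Mach-O fat binaries)
        *)        return 1 ;;
    esac
}

# Delete matches under $1 and print each removed path. Executables that match
# neither rule (e.g. shell scripts) are reported on stderr, not deleted, so the
# packager applies the guideline's "if in doubt, ask your reviewer" step.
strip_prebuilt() {
    tree=$1
    list=$(mktemp)
    find "$tree" -type f > "$list"
    while read -r f; do
        if is_prebuilt_by_name "$f" || is_prebuilt_by_magic "$f"; then
            rm -f "$f"
            echo "removed: $f"
        elif [ -x "$f" ]; then
            echo "review: $f is executable but not recognised" >&2
        fi
    done < "$list"
    rm -f "$list"
}

# Constructed sample tree: a tarball that ships sources, content binaries and
# pre-built artifacts side by side. Magic bytes are written as octal escapes.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/src" "$t/lib" "$t/bin" "$t/doc" "$t/po" "$t/build"
    printf 'int main(void){return 0;}\n' > "$t/src/main.c"
    printf '\177ELF\002\001\001' > "$t/lib/libfoo.so.1.2.3"   # ELF shared lib
    printf '\177ELF\002\001\001' > "$t/bin/tool"              # ELF, no extension
    printf '#!/bin/sh\necho hi\n' > "$t/bin/run.sh"
    chmod +x "$t/bin/run.sh"                                  # script: keep, report
    printf '%%PDF-1.4\n' > "$t/doc/manual.pdf"                # content binary
    printf '\336\022\004\225' > "$t/po/de.mo"                 # content binary
    printf '\312\376\272\276' > "$t/build/Helper.class"       # Java class
    printf 'PK\003\004' > "$t/build/helper.jar"               # zip-based jar
    echo "$t"
}

# Returns 0 when the sweep removes exactly the program binaries/libraries
# and leaves the sources and content binaries in place.
check_sweep() {
    t=$(make_sample_tree)
    strip_prebuilt "$t" >/dev/null 2>&1
    for gone in lib/libfoo.so.1.2.3 bin/tool build/Helper.class build/helper.jar; do
        [ ! -e "$t/$gone" ] || { echo "still present: $gone"; return 1; }
    done
    for kept in src/main.c bin/run.sh doc/manual.pdf po/de.mo; do
        [ -e "$t/$kept" ] || { echo "wrongly removed: $kept"; return 1; }
    done
    rm -rf "$t"
    return 0
}

check_sweep && echo "sweep OK"
```

The magic check is what makes the sweep worth more than a `find -name` line: an ELF file renamed to `tool` or `helper.bin` passes the extension list but not the header test. The reverse caveat also matters: an executable bit alone is not evidence of a program binary (build scripts carry it too), which is why unmatched executables are only reported.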

Exceptions

  • Some software (usually related to compilers or cross-compiler environments) cannot be built without the use of a previous toolchain or development environment (open source). If you have a package which meets these criteria, contact the Fedora Packaging Committee for approval.
  • An exception is made for binary firmware, as long as it meets the requirements documented here: Licensing:Main#Binary_Firmware
  • Some pre-packaged program binaries or program libraries may be under terms which do not permit redistribution, or be affected by legal scenarios such as patents. In such situations, simply deleting these files in %prep is not sufficient; the maintainer will need to make a modified source that does not contain these files. See: Packaging:SourceURL#When_Upstream_uses_Prohibited_Code