From Fedora Project Wiki

Proposal to remove all pre-built binaries before a build

Current guidelines

The current guidelines on the inclusion of pre-built binaries or libraries [1] read:

All binaries or libraries included with Fedora packages must have been built from sourcecode included in the source package. This is a requirement for the following reasons:

  • Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
  • Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.

If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:

  • Is it executable? If so, it is probably a binary.
  • Does it contain a .so, .so.#, or .so.#.#.# extension? If so, it is probably a library.
  • If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

Exceptions

  • Some software (usually related to compilers or cross-compiler environments) cannot be built without the use of a previous toolchain or development environment (open source). If you have a package which meets this criteria, contact the Fedora Packaging Committee for approval.
  • An exception is made for binary firmware, as long as it meets the requirements documented here: BinaryFirmware

Issues with current guidelines

  • The current guidelines are vague: they do not say where, or how, pre-built binaries should be removed.
  • Requiring that all pre-built binaries be removed in %prep is a clean solution. In most cases, detecting and removing these files is easier than tracing the build logs to make sure that none of them end up in the final RPM.
  • Some packagers are confused about whether pre-built data and documentation formats, such as PDF and PostScript files, may be included in packages.

Proposal

Replace occurrences of "binary" with "program binary", and occurrences of "library" with "program library". Add one sentence to make clear that content binaries are allowed, and improve some grammar along the way. Here is the full proposal:

All program binaries and program libraries included in Fedora packages must be built from the source code that is included in the source package. This is a requirement for the following reasons:

  • Security: Pre-packaged program binaries and program libraries not built from the source code could contain parts that are malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
  • Compiler Flags: Pre-packaged program binaries and program libraries not built from the source code were probably not compiled with standard Fedora compiler flags for security and optimization.

Content binaries (such as .mo, .pdf, .png, .ps files) are not required to be rebuilt from the source code.

If you are in doubt as to whether something is considered a program binary or a program library, here are some helpful criteria:

  • Is it executable? If so, it is probably a program binary.
  • Does it contain a .so, .so.#, or .so.#.#.# extension? If so, it is probably a program library.
  • If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.

Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).

When you encounter pre-built program binaries or program libraries in a package, you MUST:

  • Remove all pre-built program binaries and program libraries in %prep, before the package is built. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, and *.so files. Removing them in %prep, rather than after the build, means the build cannot silently reuse them.
  • Ask upstream to drop the pre-built binaries from their next release.
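As an added example (not Fedora's tooling and not taken from any package's spec file), the POSIX sh script below applies the criteria above to an unpacked source tree: the extension list from the proposal, plus ELF, PE ("MZ") and Java class magic bytes for blobs that carry no telltale extension, while PDF, PNG, gettext .mo files and "#!" scripts are recognised as content or source and left alone. It then deletes what it flags, which is what the %prep step does. The function names classify, find_prebuilt, strip_prebuilt and make_sample_tree, and the sample tree they operate on, are my own constructions for this illustration.

```shell
#!/bin/sh
# Added example for the Fedora pre-built binary rule; not Fedora's own tooling.
# classify FILE       -> prebuilt | elf | pe | class | content | script | other
# find_prebuilt DIR   -> list program binaries/libraries under DIR, sorted
# strip_prebuilt DIR  -> delete them, as a %prep section would
# make_sample_tree DIR -> constructed sample tree used by the demo below

classify() {
    f=$1
    # Extension list from the proposal, plus versioned shared libraries (.so.N...).
    case "$f" in
        *.class|*.dll|*.DS_Store|*.exe|*.jar|*.o|*.pyc|*.pyo|*.so|*.so.[0-9]*)
            echo prebuilt; return ;;
    esac
    # First four bytes as hex; od -An -tx1 -N4 is POSIX.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # ELF executable, object or shared library
        4d5a*)    echo pe ;;       # "MZ": Windows PE / DOS executable
        cafebabe) echo class ;;    # Java class file
        25504446|89504e47|950412de|de120495)
                  echo content ;;  # %PDF, .PNG, gettext .mo (big/little endian)
        2321*)    echo script ;;   # "#!": interpreted source, keep it
        *)        echo other ;;
    esac
    # Zip/jar magic (504b0304) is deliberately not used: ODF and similar
    # content formats share it, so jars are caught by extension only.
}

find_prebuilt() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case $(classify "$f") in
            prebuilt|elf|pe|class) printf '%s\n' "$f" ;;
        esac
    done
}

strip_prebuilt() {
    find_prebuilt "$1" | while IFS= read -r f; do rm -f -- "$f"; done
}

# Constructed sample tree: a few source/content files and a few pre-built blobs.
make_sample_tree() {
    d=$1
    mkdir -p "$d/src" "$d/build" "$d/lib" "$d/vendor" "$d/bin" "$d/doc" "$d/po" "$d/icons"
    printf 'int main(void) { return 0; }\n' > "$d/src/main.c"
    printf '#!/bin/sh\necho configuring\n'  > "$d/configure"
    printf '%%PDF-1.4\n%% manual\n'         > "$d/doc/manual.pdf"
    printf '\211PNG\r\n\032\n'              > "$d/icons/logo.png"
    printf '\336\022\004\225'               > "$d/po/de.mo"          # .mo, little endian
    printf '\177ELF\002\001\001'            > "$d/bin/blob"           # ELF, no extension
    printf 'MZ\220\001\003'                 > "$d/bin/installer"      # PE, no extension
    printf '\312\376\272\276'               > "$d/build/helper.o"     # caught by extension
    printf 'not really elf'                 > "$d/lib/libfoo.so.1.2.3"
    printf 'PK\003\004'                     > "$d/vendor/tool.jar"
}

# Run as: sh prebuilt-check.sh demo
if [ "${1-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "flagged for removal:"
    find_prebuilt "$tmp"
    strip_prebuilt "$tmp"
    rm -rf "$tmp"
fi
```

In a spec file the removal itself is usually a single line in %prep, for example `find . -name '*.jar' -exec rm -f {} +`; the magic-byte pass is what catches a blob like bin/blob above that an extension-only rm would miss, and the content and script classes are what keep a PDF manual or a configure script from being deleted by an over-broad sweep.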

Exceptions

  • Some software (usually compilers or cross-compiler environments) cannot be built without a previous, open source, toolchain or development environment. If you have a package which meets these criteria, contact the Fedora Packaging Committee for approval.
  • An exception is made for binary firmware, as long as it meets the requirements documented here: Licensing:Main#Binary_Firmware
  • Some pre-packaged program binaries or program libraries may be under terms which do not permit redistribution, or be affected by legal issues such as patents. In such situations, simply deleting these files in %prep is not sufficient, because the source RPM would still redistribute them; the maintainer will need to produce a modified source archive that does not contain these files. See: Packaging:SourceURL#When_Upstream_uses_Prohibited_Code