On 2017-12-20, Aleksa Sarai
Secondly, in order to make this vendor archive reproducible, I propose we have an OBS service that can be used to vendor a source tree (which can obviously be run either locally or on OBS). It will produce all of the vendor archives created by language-specific tools, and produce a language-agnostic manifest of what was downloaded (the name, language, version, git commit, and so on). The idea is that this manifest could be used by the RPM macros above rather than writing language-specific macros.
I forgot to mention that one benefit of having it as an OBS service is that we could run source validator on it (in principle at least, assuming that the language actually creates reproducible vendor trees). Making things easier for legal would be that we could provide in the metadata for the vendor tree the subdirectories in the tree that correspond to each package, and then we could add support for this vendor concept that way (at the moment I believe that the legal tooling doesn't have a way to handle vendor archives).

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
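A sketch of the idea in the mail above, added here as an illustration and not taken from the original post or from any existing OBS service: it packs a vendor tree into a tar whose bytes depend only on file paths, contents and the executable bit, and emits a manifest that records each package's subdirectory with a digest of that subtree. The manifest field names, the `vendor/` prefix and the digest scheme are assumptions.

```python
import hashlib, io, json, os, tarfile

def _files(root):
    """Relative paths of all files under root, in sorted order."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def build_archive(root):
    """Tar bytes that ignore mtimes, owners and on-disk creation order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in _files(root):
            path = os.path.join(root, rel)
            info = tarfile.TarInfo("vendor/" + rel)  # assumed archive prefix
            info.size = os.path.getsize(path)
            # Keep only the executable bit; everything else is normalised.
            info.mode = 0o755 if os.stat(path).st_mode & 0o111 else 0o644
            # TarInfo defaults already give mtime=0, uid=gid=0, empty names.
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()

def subtree_digest(root, subdir):
    """SHA-256 over (path, length, content) of every file in one package."""
    base = os.path.join(root, subdir)
    h = hashlib.sha256()
    for rel in _files(base):
        with open(os.path.join(base, rel), "rb") as fh:
            data = fh.read()
        h.update(f"{rel}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

def build_manifest(root, packages):
    """packages: dicts with name, language, version, commit, subdir
    (hypothetical field names). Returns canonical JSON text."""
    entries = [dict(p, sha256=subtree_digest(root, p["subdir"]))
               for p in packages]
    entries.sort(key=lambda e: e["subdir"])
    return json.dumps({"packages": entries}, sort_keys=True, indent=2)
```

Because the manifest maps every package to its subdirectory and digest, a validator can re-run the vendoring step and compare both the archive bytes and the per-package digests.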