On Thu, May 23, 2019 at 1:27 PM Matěj Cepl firstname.lastname@example.org wrote:
On 2019-05-20, 18:16 GMT, Todd Rme wrote:
Even if we remove them in the %prep section, they are still present in the source rpm, which we are still distributing. In fact the problematic files were never actually packaged, just having them in the source was enough. And we are supposed to use unmodified upstream sources for security reasons.
I am really not sure whether distributing CC-noncommercial licensed documentation in the source package breaks anything (BTW, I hope you filed a bug upstream complaining about it). I am a lawyer by education, but out of the profession for a long time, so I am not sure what the proper conclusion is.
As I said, the package was already rejected for doing exactly that.
However, if you feel really uncertain about it, then I am certain that (documented) removal of problematic parts and using a modified tarball is perfectly all right. We do it for many packages (and many packages have uncertain tarballs).
I agree we could, but I don't see why that is a better solution in this situation since it does have its own drawbacks, including both security issues and a significantly increased maintenance burden.
And these are source-based wheels, not binary wheels. They don't contain any binaries or bytecode, just the normal Python sources and some metadata. We are still doing all the building ourselves.
I don't know. I really don't like it, but I guess I cannot stop you.
I still don't understand why, though. It is literally just a zip file with the Python sources and some metadata. What is wrong with using it when there is a problem using the traditional archive?