Even if we remove them in the %prep section, they are still present in the source rpm, which we are still distributing. In fact the problematic files were never actually packaged, just having them in the source was enough. And we are supposed to use unmodified upstream sources for security reasons. And these are a source-based wheel, not binary wheels. They doesn't contain any binaries or bytecode, just the normal python sources and some metadata. We are still doing all the building ourselves. So as far as I can tell the options are: 1. Violate our licensing rules 2. Violate our package integrity rules 3. Build from a source wheel Although I don't like using wheels when we can easily avoid it, it seemed to me that it is better than the other two options. Of course if this was a wheel with binaries that would be a different story, but that isn't the case here. On Mon, May 20, 2019 at 11:22 AM Matěj Cepl <mcepl@cepl.eu> wrote:
Hi,
looking at https://build.opensuse.org/request/show/704092 I get really unhappy feeling. I really we should try harder to build from the upstream tarball. We should do all building from the upstream unprocessed sources and do all building ourselves to have it under control.
Yes, it is possible that some parts of the sources are questionable legally, but then the only sane thing to do is to remove that in %prep part (or even provide a modified tarball as Source).
Any comments?
Best,
Matěj
-- https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
Therefore, faithful Christian, seek truth, hear truth, learn truth, love truth, speak truth, hold truth, defend truth until death: because truth will free you from sin, from devil, from the death of soul and finally from the death eternal, which is a separation from God's mercy. -- Master John Hus, Explanation of Credo, 1412
-- To unsubscribe, e-mail: opensuse-python+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-python+owner@opensuse.org