[opensuse-python] Building from wheels
Hi,

looking at https://build.opensuse.org/request/show/704092 I get a really unhappy feeling. I really think we should try harder to build from the upstream tarball. We should do all building from the upstream unprocessed sources and do all building ourselves to have it under control.

Yes, it is possible that some parts of the sources are questionable legally, but then the only sane thing to do is to remove that in the %prep part (or even provide a modified tarball as Source).

Any comments?

Best,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Therefore, faithful Christian, seek truth, hear truth, learn truth, love truth, speak truth, hold truth, defend truth until death: because truth will free you from sin, from devil, from the death of soul and finally from the death eternal, which is a separation from God's mercy.
-- Master John Hus, Explanation of Credo, 1412
Even if we remove them in the %prep section, they are still present in the source rpm, which we are still distributing. In fact the problematic files were never actually packaged; just having them in the source was enough. And we are supposed to use unmodified upstream sources for security reasons.

And this is a source-based wheel, not a binary wheel. It doesn't contain any binaries or bytecode, just the normal python sources and some metadata. We are still doing all the building ourselves.

So as far as I can tell the options are:

1. Violate our licensing rules
2. Violate our package integrity rules
3. Build from a source wheel

Although I don't like using wheels when we can easily avoid it, it seemed to me that it is better than the other two options. Of course if this was a wheel with binaries that would be a different story, but that isn't the case here.

On Mon, May 20, 2019 at 11:22 AM Matěj Cepl <mcepl@cepl.eu> wrote:
> Hi,
>
> looking at https://build.opensuse.org/request/show/704092 I get a really unhappy feeling. I really think we should try harder to build from the upstream tarball. We should do all building from the upstream unprocessed sources and do all building ourselves to have it under control.
>
> Yes, it is possible that some parts of the sources are questionable legally, but then the only sane thing to do is to remove that in the %prep part (or even provide a modified tarball as Source).
>
> Any comments?
>
> Best,
>
> Matěj
>
> --
> https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
> GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
>
> Therefore, faithful Christian, seek truth, hear truth, learn truth, love truth, speak truth, hold truth, defend truth until death: because truth will free you from sin, from devil, from the death of soul and finally from the death eternal, which is a separation from God's mercy.
> -- Master John Hus, Explanation of Credo, 1412
-- To unsubscribe, e-mail: opensuse-python+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-python+owner@opensuse.org
On 2019-05-20, 18:16 GMT, Todd Rme wrote:
> Even if we remove them in the %prep section, they are still present in the source rpm, which we are still distributing. In fact the problematic files were never actually packaged; just having them in the source was enough. And we are supposed to use unmodified upstream sources for security reasons.
I am really not sure whether distributing CC-noncommercial licensed documentation in the source package breaks anything (BTW, I hope you filed a bug upstream complaining about it). I am a lawyer by education, but out of the profession for a long time, so I am not sure what the proper conclusion is. However, if you feel really uncertain about it, then I am certain that (documented) removal of the problematic parts and using a modified tarball is perfectly all right. We do it for many packages (and many packages have an uncertain tarball).
> And this is a source-based wheel, not a binary wheel. It doesn't contain any binaries or bytecode, just the normal python sources and some metadata. We are still doing all the building ourselves.
I don't know. I really don't like it, but I guess I cannot stop you.

Best,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Roses are red; Violets are blue. I'm schizophrenic, And so am I.
On Thu, May 23, 2019 at 1:27 PM Matěj Cepl <mcepl@cepl.eu> wrote:
> On 2019-05-20, 18:16 GMT, Todd Rme wrote:
> > Even if we remove them in the %prep section, they are still present in the source rpm, which we are still distributing. In fact the problematic files were never actually packaged; just having them in the source was enough. And we are supposed to use unmodified upstream sources for security reasons.
>
> I am really not sure whether distributing CC-noncommercial licensed documentation in the source package breaks anything (BTW, I hope you filed a bug upstream complaining about it). I am a lawyer by education, but out of the profession for a long time, so I am not sure what the proper conclusion is.
As I said, the package was already rejected for doing exactly that.
> However, if you feel really uncertain about it, then I am certain that (documented) removal of the problematic parts and using a modified tarball is perfectly all right. We do it for many packages (and many packages have an uncertain tarball).
I agree we could, but I don't see why that is a better solution in this situation since it does have its own drawbacks, including both security issues and a significantly increased maintenance burden.
> > And this is a source-based wheel, not a binary wheel. It doesn't contain any binaries or bytecode, just the normal python sources and some metadata. We are still doing all the building ourselves.
>
> I don't know. I really don't like it, but I guess I cannot stop you.
I still don't understand why, though. It is literally just a zip file with the python sources and some metadata. What is wrong with using it when there is a problem using the traditional archive?
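The thread turns on two claims about a source wheel: that it is "just a zip file with the python sources and some metadata", and that building from it must not violate the distribution's package integrity rules. Both are checkable mechanically before a packager accepts the archive. The script below is an added example written for this discussion, not code from the thread, openSUSE or any project mentioned: it opens a wheel as a zip, flags any compiled or bytecode members, and verifies every file against the hashes and sizes in the wheel's `RECORD` file. The `demo` project, its file contents and the tampered and binary variants are constructed in memory so the script runs offline; on a real review you would pass the bytes of the downloaded `.whl` to `inspect_wheel` instead.

```python
import base64
import csv
import hashlib
import io
import zipfile

# File suffixes that indicate compiled or bytecode content; a pure-source
# wheel should contain none of these.
BINARY_SUFFIXES = (".so", ".pyd", ".dll", ".dylib", ".pyc", ".exe")


def record_hash(data: bytes) -> str:
    """Hash a file the way RECORD does: 'sha256=' + unpadded urlsafe base64."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def inspect_wheel(wheel_bytes: bytes) -> dict:
    """Check a wheel (a zip archive) for binary content and RECORD integrity.

    Returns a dict with three lists: members that look compiled, members whose
    content does not match the hash/size in RECORD (or are listed but missing),
    and members present in the archive but absent from RECORD.
    """
    zf = zipfile.ZipFile(io.BytesIO(wheel_bytes))
    names = [n for n in zf.namelist() if not n.endswith("/")]
    record_names = [n for n in names if n.endswith(".dist-info/RECORD")]
    if len(record_names) != 1:
        raise ValueError("wheel must contain exactly one .dist-info/RECORD")
    record_name = record_names[0]

    # RECORD is CSV: path,digest,size. RECORD lists itself with empty fields.
    recorded = {}
    for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
        if not row or row[0] == record_name:
            continue
        path, digest, size = row
        recorded[path] = (digest, size)

    mismatches = []
    for path, (digest, size) in recorded.items():
        if path not in names:
            mismatches.append(path)  # listed in RECORD but missing from the zip
            continue
        data = zf.read(path)
        if record_hash(data) != digest or (size and int(size) != len(data)):
            mismatches.append(path)

    return {
        "binary_files": [n for n in names if n.lower().endswith(BINARY_SUFFIXES)],
        "record_mismatches": mismatches,
        "unrecorded": [n for n in names if n != record_name and n not in recorded],
    }


def build_sample_wheel(tamper: bool = False, add_binary: bool = False) -> bytes:
    """Build a small constructed wheel in memory (hypothetical 'demo' project).

    tamper=True rewrites a source file after RECORD was computed, simulating a
    modified archive; add_binary=True adds a fake .so so the binary check fires.
    """
    files = {
        "demo/__init__.py": b"__version__ = '1.0'\n",
        "demo/core.py": b"def hello():\n    return 'hello'\n",
        "demo-1.0.dist-info/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
        "demo-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n",
    }
    if add_binary:
        files["demo/_speedup.so"] = b"\x7fELF" + b"\x00" * 12  # constructed fake ELF header
    rows = [[path, record_hash(data), str(len(data))] for path, data in files.items()]
    rows.append(["demo-1.0.dist-info/RECORD", "", ""])
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    files["demo-1.0.dist-info/RECORD"] = buf.getvalue().encode("utf-8")
    if tamper:
        files["demo/core.py"] = b"def hello():\n    return 'tampered'\n"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return out.getvalue()


if __name__ == "__main__":
    for label, kwargs in [("clean", {}), ("tampered", {"tamper": True}), ("binary", {"add_binary": True})]:
        print(label, inspect_wheel(build_sample_wheel(**kwargs)))
```

A clean pure-Python wheel yields three empty lists. The `RECORD` check only proves the archive is internally consistent (nothing was altered after the wheel was built); it says nothing about whether the uploader is upstream, which is why the thread's "as close to the original repo as possible" argument still stands and why comparing the wheel's contents against the upstream tarball or tag is the complementary check.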
On 2019-05-24, 14:21 GMT, Todd Rme wrote:
> > I don't know. I really don't like it, but I guess I cannot stop you.
>
> I still don't understand why, though. It is literally just a zip file with the python sources and some metadata. What is wrong with using it when there is a problem using the traditional archive?
Because one of the fundamental parts of our religion is that we should build everything from SOURCE, meaning as close to the original repo as possible? And whenever we slacked on this article of faith it has bitten us horribly?

Best,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

You either die a hero or you live long enough to see yourself become the villain.
-- Harvey Dent in The Dark Knight
Participants (2): Matěj Cepl, Todd Rme