On 5/13/20 4:16 PM, James Cassell wrote:
> On Wed, May 13, 2020, at 5:04 PM, Ty Young wrote:
>> On 5/13/20 12:04 PM, Robbie Harwood wrote:
>>> Ty Young <youngty1997(a)gmail.com> writes:
>>>> On 5/12/20 5:55 AM, Felix Schwarz wrote:
>>>>> On 12.05.20 at 12:32, Ty Young wrote:
>>>>>> Right, I figured it was some Fedora policy and not up to you. I
>>>>>> suppose I should have been more clear there. Sorry for any
>>>>>> confusion, it was aimed at the Fedora project as a whole as this is
>>>>>> a Fedora issue.
>>>>> This is not a Fedora issue but a consequence of Fedora's core
>>>>> values. You may not agree with it but "building from source" is so
>>>>> fundamental that it does not make sense to even start a discussion
>>>>> about it on fedora-devel.
>>>>> I suggest you read up on the rationale behind that policy (which is
>>>>> why I linked the policy document in the first place).
>>>>> I understand that missing components/features due to the source
>>>>> requirement are annoying but Fedora (and other distros) decided to
>>>>> take the "high road" here and actually fix stuff instead of
>>>>> whatever upstream came up with.
>>>> As someone who has been burned due to Fedora's goody little two shoes
>>>> policies, I'd kindly ask that Fedora take a hike and not package the
>>>> software at all.
>>> This is not "being excellent to each other". Let's keep in mind we
>>> are all here for the same reason (caring about Fedora), and that this
>>> makes us colleagues - even when we disagree.
>> Neither was the threat and intimidation by higher ups at Red Hat or
>> Fedora, which very few people on this seem to care about despite
>> constantly bringing up the CoC. Selective enforcement probably isn't
>> "being excellent to each other" either.
>> Anyway, I'm just asking that Fedora not repeat what Debian did. While I
>> find it to be a bit paranoid, I understand the concerns regarding
>> someone sneaking in malware into pre-built binaries. I'm just asking
>> Fedora not package the software at all in that case, or any software
>> that depends on that software if possible. People who want to support
>> Linux by writing software shouldn't be bothered with bug reports from
>> issues they never created to begin with.
> Is your position that Fedora should not package any software where the Upstream provides
> binaries? If so, that would seem to defeat the purpose of a Linux distribution, IMHO.
No. If source code is provided side-by-side with the binaries (as is the
case with Gradle and many other software) then it's fine as the source
code provided is *supposed* to give you the binaries once compiled
anyway. If it doesn't then something shady may be going on.
Although I highly doubt the security claims that people are making in
favor of compiling from source. Does every Fedora packager *actually*
pore over every line of code in order to make sure it doesn't do
anything shady? I really doubt it, that would be a superhuman task in
many cases. If you can't trust binaries coming from the horse's mouth
then I'm not so sure you can trust the side-by-side source code either...
> James Cassell