On 5/13/20 4:16 PM, James Cassell wrote:
> On Wed, May 13, 2020, at 5:04 PM, Ty Young wrote:
> On 5/13/20 12:04 PM, Robbie Harwood wrote:
>> Ty Young <youngty1997(a)gmail.com> writes:
>>
>>> On 5/12/20 5:55 AM, Felix Schwarz wrote:
>>>> Am 12.05.20 um 12:32 schrieb Ty Young:
>>>>
>>>>> Right, I figured it was some Fedora policy and not up to you. I
>>>>> suppose I should have been more clear there. Sorry for any
>>>>> confusion, it was aimed at the Fedora project as a whole as this is
>>>>> a Fedora issue.
>>>> This is not a Fedora issue but a consequence of Fedora's core
>>>> values. You may not agree with it, but "building from source" is so
>>>> fundamental that it does not make sense to even start a discussion
>>>> about it on fedora-devel.
>>>>
>>>> I suggest you read up on the rationale behind that policy (which is
>>>> why I linked the policy document in the first place).
>>>>
>>>> I understand that missing components/features due to the source
>>>> requirement are annoying but Fedora (and other distros) decided to
>>>> take the "high road" here and actually fix stuff instead of shipping
>>>> whatever upstream came up with.
>>> As someone who has been burned due to Fedora's goody little two shoes
>>> policies, I'd kindly ask that Fedora take a hike and not package the
>>> software at all.
>> This is not "being excellent to each other". Let's keep in mind that we
>> are all here for the same reason (caring about Fedora), and that this
>> makes us colleagues - even when we disagree.
>
> Neither was the threat and intimidation by higher ups at Red Hat or
> Fedora, which very few people on this seem to care about despite
> constantly bringing up the CoC. Selective enforcement probably isn't
> "being excellent to each other" either.
>
>
> Anyway, I'm just asking that Fedora not repeat what Debian did. While I
> find it to be a bit paranoid, I understand the concerns regarding
> someone sneaking in malware into pre-build binaries. I'm just asking
> Fedora not package the software at all in that case, or any software
> that depends on that software if possible. People who want to support
> Linux by writing software shouldn't be bothered with bug reports from
> issues they never created to begin with.
>
> Is your position that Fedora should not package any software where the
> Upstream provides binaries? If so, that would seem to defeat the purpose
> of a Linux distribution, IMHO.
No. If source code is provided side-by-side with the binaries (as is the
case with Gradle and many other software) then it's fine, as the source
code provided is *supposed* to give you the binaries once compiled
anyway. If it doesn't, then something shady may be going on.

Although I highly doubt the security claims that people are making in
favor of compiling from source. Does every Fedora packager *actually*
pore over every line of code in order to make sure it doesn't do
anything shady? I really doubt it; that would be a superhuman task in
many cases. If you can't trust binaries coming from the horse's mouth,
then I'm not so sure you can trust the side-by-side source code either...
> V/r,
> James Cassell
> _______________________________________________
> devel mailing list -- devel(a)lists.fedoraproject.org
> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
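The reply above rests on one checkable claim: source shipped beside a binary is "supposed to give you the binaries once compiled", and a mismatch is the signal that something is off. The following is an added illustration of that check, not code from this thread, Fedora, or Gradle. It stands in for the compile step with a constructed source tree packed into a tar archive, rebuilds it, and compares the SHA-256 of the rebuilt artifact against the digest that "upstream" published. It also shows why the check so often fails for innocent reasons: an unnormalised build stamps the current clock into the artifact, so only a build with a fixed timestamp (the idea behind SOURCE_DATE_EPOCH) reproduces bit for bit. All file names, contents and function names are constructed for the example.

```python
import hashlib
import io
import tarfile
import time

# Constructed stand-in for an upstream source tree: file name -> contents.
SOURCES = {
    "Makefile": b"all:\n\tcc -o hello main.c\n",
    "main.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
}


def build_archive(sources, mtime=None):
    """Pack a source tree into a tar archive, standing in for a build step.

    mtime=None stamps every entry with the current clock, the way a naive
    build tool does; a fixed integer (the SOURCE_DATE_EPOCH idea) makes the
    output a pure function of the inputs and therefore reproducible.
    """
    if mtime is None:
        mtime = int(time.time())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(sources):  # fixed order, never directory order
            data = sources[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact, the value an upstream would publish beside it."""
    return hashlib.sha256(data).hexdigest()


def verify_rebuild(published_digest, sources, mtime=None):
    """Rebuild from the side-by-side source and compare with the shipped digest.

    True means the source really does yield the distributed artifact; False
    means either the build is not reproducible or the two do not correspond.
    """
    return sha256_hex(build_archive(sources, mtime)) == published_digest


if __name__ == "__main__":
    # "Upstream" built its artifact at a fixed epoch and published the digest.
    published = sha256_hex(build_archive(SOURCES, mtime=0))
    print("normalised rebuild matches:   ", verify_rebuild(published, SOURCES, mtime=0))
    print("clock-stamped rebuild matches:", verify_rebuild(published, SOURCES))

    # A modified source tree must not verify against the published digest.
    tampered = dict(SOURCES)
    tampered["main.c"] += b"/* one extra line */\n"
    print("altered source matches:       ", verify_rebuild(published, tampered, mtime=0))
```

The point for a packager is that the comparison is only meaningful once the build is deterministic; a mismatch caused by a timestamp tells you nothing about the source, so normalising build inputs comes first and the digest comparison second.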