On Sat, Nov 10, 2018 at 9:45 PM Kevin Kofler <kevin.kofler(a)chello.at> wrote:
> Dridi Boukelmoune wrote:
>> If you take this compromise to an extreme then let's solve the Java
>> problem (or <insert similar stack here>) and grant an internet access
>> to builds. This way we can use vanilla maven/gradle/ivy to fetch
>> dependencies at build time and make sure that we can upgrade to the
>> latest versions of any leaf package.
> For Java, this does not work because Maven fetches precompiled JARs, whereas
> we need our software to be built from source. (You are not allowed to bundle
> precompiled JARs even if you download them beforehand or they are even
> included in the upstream tarball.) It is an essential requirement for a Free
> Software distribution that all software it ships is built from source.
>> For the Go case (and we can include Rust too)
> For those, please see Nicolas Mailhot's reply.
> Kevin Kofler
It's a very sensible requirement. It's not a legal one, as long as the
"free software" has the source available. For the legal protection
of users who can assure the legal provenance of the code, and for
elementary security reasons, it's critical. It's one of the great
risks of rubygems and of all the Java build tools: it's installing
binaries without robust provenance. It's a risk, as well, for CPAN and
pip-based installations.