On Tue, Jan 19, 2021 at 6:49 AM Fabio Valentini <decathorpe(a)gmail.com> wrote:
On Tue, Jan 19, 2021 at 12:22 AM Josh Stone <jistone(a)redhat.com> wrote:
>
> On 1/16/21 3:21 PM, Nico Kadel-Garcia wrote:
> > On Sat, Jan 16, 2021 at 4:54 PM Kevin Kofler via devel
> > <devel(a)lists.fedoraproject.org> wrote:
> >>
> >> Miro HronĨok wrote:
> >>> See also:
> >>>
https://src.fedoraproject.org/rpms/rust-bootupd/c/c6cf7f6492e0d943e8471f8...
> >>
> >> This is a blatant violation of Fedora packaging guidelines and ought to be
> >> reverted immediately.
> >>
> >> Kevin Kofler
(snip)
> > And where and how, precisely, does "rhel require this". Having the
> > provenance of the source tarballs or git repos is wise and sensible,
> > and random tarballs with no provenance are a problem for everybody, so
> > that part is a good idea. But I'm not aware of it as a requirement. Is
> > anyone else?
>
> It's a softer "requires", as in: RHEL is not shipping rust2rpm nor
the
> mass of rust-*-devel packages, so vendoring is the way.
That might be so, but it's not a valid reason to build packages this
way in fedora, where all the required dependencies should be present
already.
Additionally, missing instructions on how to build the "vendor"
tarball, missing License information for the vendored crates, and
missing "bundled()" provides are *definitely* against Packaging
Guidelines.
Fabio
I see a "Source1" tarball from github. If a github published archive
isn't reasonable for a Source tarball, there are a *lot* of other
.spec files that would need to be rejected.
Some of the other logic about this is peculiar, but that particular
"including a separate tarball" part looks legal in and of itself. The
Samba and Subversion and Emacs SRPM's, for example, have included
separate tarballs for years.