On Sat, 27 Apr 2019 11:12:48 -0700 Kevin Fenzi kevin@scrye.com wrote:
On 4/26/19 8:53 AM, stan wrote:
On Fri, 26 Apr 2019 11:07:54 -0000 (UTC) Petr Pisar ppisar@redhat.com wrote:
I am a fedora user with no dog in this fight.
Controversial property of modules are private build-time dependencies. Modularity allows packagers to hide them and to not to support them (to the extend that they work in my module). However, this privatisation has costs. It means duplication of work unless two ...
Isn't this contrary to the Fedora rules? If I'm understanding this correctly, it means that modules in Fedora can contain dependencies on code that isn't available, so that Fedora (and users) can't build that module from source.
No. The code is available at src.fedoraproject.org for everything. The binary packages may not be available outside the module build system, depending on how things are setup.
And that the module could contain basically anything because no one can examine the contents that built the module. Could someone privately pull in something like the proprietary nvidia binary blob and use it to build their module without anyone knowing?
No more so than any packager could just add the nvidia binary blob to their package. ie, sure, but we trust our maintainers not to do that, and if we detected it likely the maintainer wouldn't be a maintainer anymore.
Because I'm not knowledgeable about this, it might be that private dependencies have to be packages built from source code available in the Fedora ecosystem, and so this is not possible. I just want to clarify my understanding.
Yes, they are all still built from source.
Thanks.