Build control-center in mock fail

Nico Kadel-Garcia nkadel at gmail.com
Thu May 9 02:59:42 UTC 2013


On Wed, May 8, 2013 at 1:02 PM, Adam Williamson <awilliam at redhat.com> wrote:
> On 08/05/13 08:13 AM, Igor Gnatenko wrote:
>>
>> Thx. But why isn't it fixed in the official packages?
>
>
> Does anyone know if it's actually the case that the guidelines require
> packages be buildable without internet access? I just had a quick search on
> obvious terms through https://fedoraproject.org/wiki/Packaging:Guidelines ,
> and couldn't find anything.

There are huge security issues with downloading source at build time:
someone who can manipulate your DNS or your proxies can get you
downloading, building, and installing some arbitrarily contaminated
source code. Also, repositories tend to evaporate or fail to publish
specific releases in specific locations, so the module you download
today may have nothing to do with the module of the same name that I
download tomorrow.

This is one of the absolute banes of all the "grab and build it when
you need it and only when you need it" approaches, such as CPAN,
rubygems, and maven.
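
The usual mitigation for the risk described above is to fetch sources once, review them, pin their digests, and have the build refuse anything that does not match. The following is an added example, not part of the original message or of any Fedora tooling; the `sha256sum`-style manifest format, the function names and the file name `module-1.0.tar.gz` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (sha256sum output format)."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        # Reject names that would escape the source directory.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"unsafe name in manifest: {name!r}")
        pinned[name] = digest.lower()
    return pinned

def verify_sources(src_dir, manifest_text):
    """Return a list of problems; an empty list means the build may proceed."""
    pinned = parse_manifest(manifest_text)
    src_dir, problems = Path(src_dir), []
    for name, want in sorted(pinned.items()):
        path = src_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != want:
            problems.append(f"digest mismatch: {name}")
    # Anything present but not pinned was never reviewed.
    for path in sorted(src_dir.iterdir()):
        if path.is_file() and path.name not in pinned:
            problems.append(f"unpinned: {path.name}")
    return problems

def demo():
    """Constructed sample: one pinned tarball, then the same name with new bytes."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "module-1.0.tar.gz"
        tarball.write_bytes(b"release as reviewed")
        manifest = f"{sha256_file(tarball)}  module-1.0.tar.gz\n"
        before = verify_sources(d, manifest)
        tarball.write_bytes(b"same name, different content")
        after = verify_sources(d, manifest)
    return before, after
```

The manifest has to travel with the package metadata under the packager's control, not be fetched from the same place as the source, or a manipulated download path can replace both.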

