Build control-center in mock fail

David dgboles at gmail.com
Thu May 9 03:05:36 UTC 2013


On 5/8/2013 10:59 PM, Nico Kadel-Garcia wrote:
> On Wed, May 8, 2013 at 1:02 PM, Adam Williamson <awilliam at redhat.com> wrote:
>> On 08/05/13 08:13 AM, Igor Gnatenko wrote:
>>>
>>> Thx. But why isn't it fixed in the official packages?
>>
>>
>> Does anyone know if it's actually the case that the guidelines require
>> packages be buildable without internet access? I just had a quick search on
>> obvious terms through https://fedoraproject.org/wiki/Packaging:Guidelines ,
>> and couldn't find anything.
> 
> There are huge security issues with downloading source at build time:
> someone who can manipulate your DNS or your proxies can get you
> downloading, building, and installing some arbitrarily contaminated
> source code. Also, repositories tend to evaporate or fail to publish
> specific releases in specific locations, so the module you download
> today may have nothing to do with the module of the same name that I
> download tomorrow.
> 
> This is one of the absolute banes of all the "grab and build it when
> you need it and only when you need it" approaches, such as CPAN,
> rubygems, and maven.
> 


You forgot to mention the evil monkey that lives in your closet or the
monster that lives under your bed or the things that go bump in the
night.   :-)

-- 

  David

