On Mon, Mar 31, 2025 at 10:53:54AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> tl;dr: change the Packaging Guidelines to recommend the raw "git
> archive" or equivalent over the upstream tarball produced using
> "make dist".
>
> This is inspired by the discussion in "Reproducible Builds" mailing list,
> in particular [1].
>
> Background: upstreams use version control for their projects, but in
> packaging we use a "tarball". Nowadays, this tarball is often the output
> of "git archive". But it is also common for upstream to use "make dist"
> (in case of autoconf) or 'python setup.py sdist' (python), etc.
> In particular, when we download from github/gitlab/…, the archive is
> often autogenerated by the forge upon request, equivalent to 'git archive'.
>
> In general, those "upstream tarballs" include the results of some
> local processing, for example translating a configure.ac source into a
> configure script, using local autoconf macros. Those preprocessed
> scripts can become outdated, and in fact we often run 'autoreconf' in
> %build to "refresh". In the "xz debacle", an upstream tarball was used
> to smuggle rogue payload that wasn't checked into git. Finally, those
> "upstream tarballs" are generally not reproducible because they depend
> on the build environment. So there are good reasons to start with the
> "raw" tarball and build everything from that.

In my eyes this proposal changes where the tarball is generated. Suddenly an archive produced by a Git hosting platform, which the developer has never seen, is trusted more than an archive produced by the developer on his own machine. I don't think this is good.
-- Petr
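As an added example (not from this thread, and not code from Fedora's guidelines or any project), the following POSIX shell script shows the check the quoted proposal is getting at: it compares a "make dist"-style upstream tarball with a `git archive` of the same tag and lists every file that exists only in the dist tarball, i.e. content that was never checked into git. The sample repository, the `v1.0` tag, the file names and the extra `configure` script are all constructed for the demonstration; the script assumes `git`, `tar` and gzip are installed.

```shell
#!/bin/sh
# Added example, not part of the original thread: report files that are
# present in an upstream "dist" tarball but absent from `git archive` of
# the same tag. Anything it prints was not checked into git and deserves
# a second look before the tarball is used as a package source.
set -eu

# tarball_extra_files DIST_TARBALL GIT_ARCHIVE_TARBALL
# Prints paths found only in the first tarball. Both listings have their
# top-level directory stripped so differing prefixes do not matter.
tarball_extra_files() {
    dist_tgz="$1"
    git_tgz="$2"
    lst_dir=$(mktemp -d)
    tar -tzf "$dist_tgz" | grep -v '/$' | sed 's#^[^/]*/##' | sort -u > "$lst_dir/dist.lst"
    tar -tzf "$git_tgz"  | grep -v '/$' | sed 's#^[^/]*/##' | sort -u > "$lst_dir/git.lst"
    # comm -23: lines unique to the dist listing
    comm -23 "$lst_dir/dist.lst" "$lst_dir/git.lst"
    rm -rf "$lst_dir"
}

# demo_extra_files
# Builds a constructed toy repository, produces a `git archive` tarball and
# a simulated "make dist" tarball that carries a generated file the
# repository does not track, then runs the comparison on the two.
demo_extra_files() {
    work=$(mktemp -d)
    repo="$work/hello"
    mkdir -p "$repo"
    printf 'AC_INIT([hello],[1.0])\n' > "$repo/configure.ac"
    printf 'int main(void) { return 0; }\n' > "$repo/hello.c"
    git -C "$repo" init -q
    git -C "$repo" add .
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "constructed sample commit"
    git -C "$repo" tag v1.0

    # The "raw" tarball: exactly the tree recorded at the tag.
    git -C "$repo" archive --format=tar.gz --prefix=hello-1.0/ \
        -o "$work/hello-1.0-git.tar.gz" v1.0

    # The "dist" tarball: same tree plus a generated `configure` script that
    # exists only on the developer's machine (stand-in for any untracked
    # content a dist tarball may carry).
    mkdir -p "$work/dist"
    git -C "$repo" archive --format=tar --prefix=hello-1.0/ v1.0 | tar -xf - -C "$work/dist"
    printf '#!/bin/sh\necho configure\n' > "$work/dist/hello-1.0/configure"
    tar -czf "$work/hello-1.0.tar.gz" -C "$work/dist" hello-1.0

    tarball_extra_files "$work/hello-1.0.tar.gz" "$work/hello-1.0-git.tar.gz"
    rm -rf "$work"
}
```

Calling `demo_extra_files` prints a single line, `configure`, because that is the only path the constructed dist tarball adds on top of the tagged tree. Against a real package you would call `tarball_extra_files upstream.tar.gz git-archive.tar.gz` with a `git archive` of the tag the upstream release claims to correspond to; an empty result means the dist tarball adds no files, while a non-empty one is the list to review (generated build scripts are expected there, anything else is not).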
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue