On 22. 06. 26 at 14:20, Daniel P. Berrangé wrote:
On Mon, Jun 22, 2026 at 07:17:18AM -0500, Chris Adams wrote:
Once upon a time, Jarek Prokop <[email protected]> said:
It does NOT seem to be banned to include pre-built stuff in the
source archive, there is even an implication that it is OK in the
source archive in the guidelines:
Yeah, I think the only time you can't use the upstream source tar/zip is
if there is legally impermissible content in the archive.  Otherwise, it
is best to use the upstream source as-is, because that makes it much
easier to manage and validate.
In the case of NodeJS modules, however, we're not relying on upstream
tar/zip files for the bundled code. There is a Fedora script which
maintainers use to create the bundled. For downstream bundling we
must ensure we remove all pre-built binaries, given that the binary
RPM contents are essentially a copy of the bundled tarball contents.


The guidelines talk about two tarballs:

~~~

Source1:        %{npm_name}-%{version}-nm-prod.tgz
Source2:        %{npm_name}-%{version}-nm-dev.tgz

~~~


Is the concern the first, the second, or both?

To me the binary content in the first is concerning, because this is going to be part of the resulting package. The content of the second is fine as long as the content is legally permissible. I don't think it makes any difference if such a tarball is downloaded from upstream or produced by some bundling script.


Vít

With regards,
Daniel
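
One way to audit a bundle tarball such as the `nm-prod` Source1 discussed above for pre-built binaries, as an added example that is not part of the thread or of Fedora's bundling script: it flags regular files by their leading magic bytes. The function names, the magic list and the sample tarball are constructed for illustration.

```python
import io
import tarfile

# Leading bytes of common pre-built formats (illustrative, not exhaustive).
# Short prefixes such as "MZ" can also match text files, so review each hit.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"\x00asm": "WebAssembly",
    b"\xcf\xfa\xed\xfe": "Mach-O 64",
    b"\xce\xfa\xed\xfe": "Mach-O 32",
    b"\xca\xfe\xba\xbe": "Mach-O fat or Java class",
    b"!<arch>\n": "ar archive (static library)",
}

def find_prebuilt(fileobj):
    """Return sorted (member name, kind) pairs for regular files matching MAGIC."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, devices
            head = tar.extractfile(member).read(8)
            kind = next((k for m, k in MAGIC.items() if head.startswith(m)), None)
            if kind:
                hits.append((member.name, kind))
    return sorted(hits)

def sample_tarball():
    """Constructed stand-in for an nm-prod tarball (hypothetical module names)."""
    files = {
        "node_modules/left/index.js": b"module.exports = 1;\n",
        "node_modules/native/build/Release/addon.node": b"\x7fELF\x02\x01\x01" + b"\0" * 16,
        "node_modules/codec/codec.wasm": b"\x00asm\x01\x00\x00\x00",
        "node_modules/tool/bin/tool.exe": b"MZ\x90\x00" + b"\0" * 16,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, kind in find_prebuilt(sample_tarball()):
        print(f"{kind:12} {name}")
```

To check a real bundle, pass an opened file instead of the sample, for example `find_prebuilt(open(path, "rb"))`.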
