On Mon, Jun 22, 2026 at 06:21:40PM +0200, Vít Ondruch wrote:
> 
> Dne 22. 06. 26 v 14:20 Daniel P. Berrangé napsal(a):
> > On Mon, Jun 22, 2026 at 07:17:18AM -0500, Chris Adams wrote:
> > > Once upon a time, Jarek Prokop <[email protected]> said:
> > > > It does NOT seem to be banned to include pre-built stuff in the
> > > > source archive, there is even an implication that it is OK in the
> > > > source archive in the guidelines:
> > > Yeah, I think the only time you can't use the upstream source tar/zip is
> > > if there is legally impermissible content in the archive.  Otherwise, it
> > > is best to use the upstream source as-is, because that makes it much
> > > easier to manage and validate.
> > In the case of NodeJS modules, however, we're not relying on upstream
> > tar/zip files for the bundled code. There is a Fedora script which
> > maintainers use to create the bundled. For downstream bundling we
> > must ensure we remove all pre-built binaries, given that the binary
> > RPM contents are essentially a copy of the bundled tarball contents.
> 
> 
> The guidelines talks about two tarballs:
> 
> ~~~
> 
> Source1:        %{npm_name}-%{version}-nm-prod.tgz
> Source2:        %{npm_name}-%{version}-nm-dev.tgz
> 
> ~~~
> 
> 
> Is the concern the first, the second, or both?
> 
> To me the binary content in the first is concerning, because this is going
> to be part of the resulting package. The content of the second is fine as
> long as the content is legally permissible. I don't think it makes any
> difference if such tarball is downloaded from upstream or produced by some
> bundling script.

Agree that the first case is the #1 priority in terms of avoiding
prebuilt binaries in shipped binary RPMs.

I tend to view bundling of binaries as a conceptual mistake. We would
accept it from upstream for pragmatic reasons as long as it does not
have legal problems. This is to avoid blocking packaging waiting for
upstream to change their approach, if they even agree to the request.

If we're creating tarballs downstream ourselves, then a maintainer has
the power to avoid including binaries and so should do so IMHO.

Having pre-built binaries suggests when we're running npm tests in
Fedora it is potentially executing binaries of unknown provenence
which can't be audited in any meaningful way. This makes me wary
as while mock is isolated any local rpmbuilds are not.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to