[indiana-discuss] [pkg-discuss] src packages
Shawn Walker
swalker at opensolaris.org
Thu Dec 11 22:42:25 PST 2008
Mike Meyer wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> wrote:
>> A related point: for security purposes we're going to want to include
>> cryptographic hashes of everything referenced by URL that is needed to
>> rebuild a pkg.
>
> Security? How about simply sanity? Trying to rebuild a package that's
> been modified by the upstream provider is a good way to drive an end
> user crazy. Not all upstream providers provided nicely versioned
> tarballs, and not all of those that do have good hygiene about
> updating version numbers whenever they update the sources. Of course,
> a way to say "ignore this" helps, letting users try the build knowing
> that they may not have the right sources. But in that case, they're
> expecting breakage.
Since most open source licenses make the distributor responsible for
providing the source, pointing to where you got the tarball from usually
isn't sufficient to fulfil license requirements. As an example, I seem
to recall the FSF stating that projects that host derivatives of GPL
licensed software also had to host the source code.
So, in other words, we have to host it anyway as far as I'm aware.
DISCLAIMER: I am not a lawyer and this is not valid legal advice.
--
Shawn Walker