[indiana-discuss] [pkg-discuss] src packages
Mike Meyer
mwm at mired.org
Thu Dec 11 23:39:57 PST 2008
On Fri, 12 Dec 2008 00:42:25 -0600
Shawn Walker <swalker at opensolaris.org> wrote:
> Mike Meyer wrote:
> > Nicolas Williams <Nicolas.Williams at sun.com> wrote:
> >> A related point: for security purposes we're going to want to include
> >> cryptographic hashes of everything referenced by URL that is needed to
> >> rebuild a pkg.
> >
> > Security? How about simply sanity? Trying to rebuild a package that's
> > been modified by the upstream provider is a good way to drive an end
> > user crazy. Not all upstream providers provide nicely versioned
> > tarballs, and not all of those that do have good hygiene about
> > updating version numbers whenever they update the sources. Of course,
> > a way to say "ignore this" helps, letting users try the build knowing
> > that they may not have the right sources. But in that case, they're
> > expecting breakage.
>
> Since most open source licenses make the distributor responsible for
> providing the source, pointing to where you got the tarball from usually
> isn't sufficient to fulfil license requirements. As an example, I seem
> to recall the FSF stating that projects that host derivatives of GPL
> licensed software also had to host the source code.
>
> So, in other words, we have to host it anyway as far as I'm aware.
Probably. That doesn't mean you can't break things yourself. More
importantly, it doesn't mean the build system has to fetch it from
you; just that it has to be able to do so. Providing multiple places
to fetch sources from - especially for more popular packages with lots
of build-time options - lets you spread the load around. Some of the
authors of such would probably be much happier if you could list all
their mirrors in any case.
<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
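The hash-checked fetch with mirror fallback and an explicit "ignore this" override discussed above, as an added example that is not from this thread or from the pkg(5) code base. The manifest layout, the mirror names and the tarball bytes are constructed for the example; a real entry would carry the digest of the actual upstream archive.

```python
import hashlib

# Constructed sample data: these byte strings stand in for the source tarball
# a manifest entry would point at. Nothing here is fetched from the network.
GOOD_TARBALL = b"fake-source-1.0.tar.gz: contents as packaged (constructed)"
REROLLED_TARBALL = b"fake-source-1.0.tar.gz: contents after a silent upstream re-roll"

# Hypothetical manifest entry: one expected digest, several places to fetch from.
MANIFEST = {
    "source": "fake-source-1.0.tar.gz",
    "sha256": hashlib.sha256(GOOD_TARBALL).hexdigest(),
    "urls": [
        "https://mirror-a.example/fake-source-1.0.tar.gz",
        "https://mirror-b.example/fake-source-1.0.tar.gz",
        "https://upstream.example/fake-source-1.0.tar.gz",
    ],
}

# Stand-in for the network: mirror-a is unreachable, mirror-b serves the
# re-rolled tarball under the unchanged filename, upstream serves the original.
FAKE_NETWORK = {
    MANIFEST["urls"][0]: None,
    MANIFEST["urls"][1]: REROLLED_TARBALL,
    MANIFEST["urls"][2]: GOOD_TARBALL,
}


def fake_fetch(url):
    return FAKE_NETWORK.get(url)  # bytes the URL serves, or None if it is down


def fetch_verified(entry, fetch=fake_fetch, ignore_hash=False):
    """Walk the mirror list until one serves bytes matching entry['sha256'].

    A digest mismatch is treated like an unreachable mirror and recorded in
    'rejected', so a mirror serving changed content is skipped, not trusted.
    ignore_hash=True is the explicit escape hatch: the first fetchable copy is
    returned with verified=False, so the build proceeds knowing it may break.
    """
    result = {"data": None, "url": None, "verified": False, "rejected": []}
    for url in entry["urls"]:
        data = fetch(url)
        if data is None:
            continue  # unreachable mirror, try the next one
        if hashlib.sha256(data).hexdigest() == entry["sha256"]:
            result.update(data=data, url=url, verified=True)
            return result
        if ignore_hash:
            result.update(data=data, url=url, verified=False)
            return result
        result["rejected"].append(url)
    return result  # data is None: no mirror served a matching archive
```

A build system would log `rejected` for every run, since a mirror that keeps serving a mismatching archive is exactly the condition the hash is there to catch.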