Proposal to remove all pre-built binaries before a build
Current guidelines
The current guidelines on not including pre-built binaries or libraries [1] read:
All binaries or libraries included with Fedora packages must have been built from source code included in the source package. This is a requirement for the following reasons:
- Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
- Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.
If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:
- Is it executable? If so, it is probably a binary.
- Does it have a .so, .so.#, or .so.#.#.# extension? If so, it is probably a library.
- If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.
Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).
Issues with current guidelines
- The current guidelines are vague. They say nothing about when or where pre-built binaries must be removed.
- Enforcing the removal of all pre-built binaries in %prep is a clean solution. In most cases, detecting and removing these binaries is easier than tracing the build logs to make sure that no pre-built binary ends up in the final RPM.
- There is confusion among some packagers about whether certain pre-built data and documentation formats, such as PDF or PostScript, may be included in packages.
Proposal 1
Add the following to the above guidelines:
- All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files.
Proposal 2
This suggests a more extensive change in the guidelines. A new section will be made with the title "No inclusion of pre-built files" and the existing guideline will be put in a subsection:
No inclusion of pre-built files
pre-built binaries or libraries
All binaries or libraries included with Fedora packages must have been built from source code included in the source package. This is a requirement for the following reasons:
- Security: Pre-packaged binaries and libraries not built from source could include anything, malicious, dangerous, or just broken. Also, these are functionally impossible to patch.
- Compiler Flags: Pre-packaged binaries and libraries not built from source probably don't have the standard Fedora compiler flags for security and optimization.
If you are in doubt as to whether something is considered a binary or library, here is some helpful criteria:
- Is it executable? If so, it is probably a binary.
- Does it have a .so, .so.#, or .so.#.#.# extension? If so, it is probably a library.
- If in doubt, ask your reviewer. If the reviewer is not sure, they should ask the Fedora Packaging Committee.
Packages which require non-open source components to build are also not permitted (e.g. proprietary compiler required).
- All pre-built binaries in the source tarball MUST be removed in %prep prior to the building of the package. Examples include, but are not limited to, *.class, *.dll, *.DS_Store, *.exe, *.jar, *.o, *.pyc, *.pyo, *.so files.
pre-built data
Some upstream tarballs contain both the sources and a pre-built version of certain data (examples include Doxygen documentation, LaTeX documentation, certain image file types, fonts). The pre-built version of the data may be outdated relative to the sources. Therefore,
- if it is possible to build the data from the sources, the pre-built versions (*.dvi, *.html, *.man, *.mo, *.pdf, *.pfb, *.png, *.ps, *.ttf, ...) MUST be removed in %prep.
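The two rules above (remove pre-built binaries, and remove pre-built data whose sources are present) both come down to a detect-and-delete step in %prep. The following shell helper is an added example of that step, not code from the Fedora guidelines or from any package. It flags files by the extensions the proposal lists and, for files shipped without a telltale extension, by file signature; for data it only removes a pre-built file when a source it can be regenerated from sits beside it. The magic numbers and the source/pre-built pairings (.tex for .pdf/.dvi/.ps, .po for .mo, .svg for .png) are this example's own assumptions and should be adjusted per package.

```shell
#!/bin/sh
# Added example (not part of the Fedora guidelines or any package): a %prep
# helper that detects and removes pre-built files before %build.
# Assumptions: the extension list mirrors the proposal's examples; the magic
# numbers (ELF, Java class, MZ) and the source/pre-built pairings
# (.tex -> .pdf/.dvi/.ps, .po -> .mo, .svg -> .png) are this example's choices.

# First four bytes of a file as lowercase hex without separators.
magic4() {
    od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n'
}

# Exit 0 if the file looks pre-built: by name, or by file signature for files
# shipped without a telltale extension (e.g. a stripped ELF helper).
is_prebuilt_binary() {
    case "$1" in
        *.class|*.dll|*.DS_Store|*.exe|*.jar|*.o|*.pyc|*.pyo|*.so|*.so.*) return 0 ;;
    esac
    case "$(magic4 "$1")" in
        7f454c46) return 0 ;;   # ELF executable, object file or shared library
        cafebabe) return 0 ;;   # Java class file
        4d5a*)    return 0 ;;   # "MZ": DOS/Windows PE executable or DLL
    esac
    return 1
}

# Exit 0 if the file is a pre-built artifact whose source sits next to it,
# so it can be regenerated during %build. Extend the pairings per package.
is_prebuilt_data() {
    dir=$(dirname "$1"); base=$(basename "$1")
    case "$base" in
        *.pdf|*.dvi|*.ps) src="$dir/${base%.*}.tex" ;;
        *.mo)             src="$dir/${base%.mo}.po" ;;
        *.png)            src="$dir/${base%.png}.svg" ;;
        *)                return 1 ;;
    esac
    [ -f "$src" ]
}

# Dry run: list every file under $1 that would be removed, one per line.
list_prebuilt() {
    find "$1" -type f | while IFS= read -r f; do
        if is_prebuilt_binary "$f" || is_prebuilt_data "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove them, logging each path so the removal shows up in the build log.
prune_prebuilt() {
    list_prebuilt "$1" | while IFS= read -r f; do
        printf 'removing pre-built file: %s\n' "$f"
        rm -f "$f"
    done
}

# Stand-alone use: ./prune-prebuilt.sh <unpacked-source-dir>
# In a spec file, run prune_prebuilt . in %prep directly after %setup.
[ "$#" -eq 0 ] || prune_prebuilt "$1"
```

Run list_prebuilt first and read the dry-run output before committing to prune_prebuilt: the signature checks deliberately err on the side of flagging (any file starting with the bytes "MZ" is reported), and a reviewer wants the removal list in the build log so it can be compared against the final RPM's file list.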
Exceptions
- Some software (usually related to compilers or cross-compiler environments) cannot be built without the use of a previous toolchain or development environment (open source). If you have a package which meets this criterion, contact the Fedora Packaging Committee for approval.
- An exception is made for binary firmware, as long as it meets the requirements documented here: BinaryFirmware