edespino commented on PR #1383: URL: https://github.com/apache/cloudberry/pull/1383#issuecomment-3395394523
## Subject: Release Engineering View – Using EPEL vs. Building from Source

When building on Rocky Linux 9, EPEL can be convenient for missing dependencies, but it introduces several trade-offs worth noting:

### Key Issues

* **Reproducibility:** EPEL is rolling; rebuilds can silently pick up new versions. Exact, bit-reproducible releases become hard to guarantee.
* **Supply-chain control:** Packages are maintained outside ASF governance. Building from source keeps provenance and signatures within our audit trail.
* **Licensing clarity:** ASF policy expects verifiable source for all distributed code. Relying on EPEL binaries delegates license vetting to Fedora.
* **Runtime portability:** Binaries linked against EPEL libraries may fail on systems where EPEL isn’t enabled or where ABI flags differ.
* **Longevity:** EPEL mirrors move forward; old package versions aren’t preserved, complicating long-term rebuilds.

### Recommended Approach

* Build third-party libraries **from verified upstream source** whenever they appear in our release artifacts.
* Use EPEL only for transient **developer tools**, not for runtime dependencies.
* If EPEL is required in CI, **snapshot or mirror** it to fix versions.
* Record all external sources and hashes in `DEPENDENCIES` or release notes.

### Bottom Line

EPEL is fine for development convenience, but from a release-engineering and ASF-compliance standpoint, **source builds give stronger reproducibility, auditability, and long-term stability**.
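The "record sources and hashes in `DEPENDENCIES`" recommendation above only pays off if a rebuild actually checks the recorded hashes before untarring anything. The script below is an added example, not code from the Cloudberry project or from the comment's author: it assumes a hypothetical three-column manifest (`sha256  filename  upstream-url`), verifies every listed tarball in a build directory against it, and refuses to proceed on a missing or mismatched file. The tarballs, hashes and `example.invalid` URLs in the demo are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Cloudberry project code). Verifies third-party source
# tarballs against a pinned manifest so every rebuild consumes exactly the
# bytes that were audited. Assumed manifest layout (hypothetical, one entry
# per line, '#' lines ignored):
#   <sha256>  <filename>  <upstream-url>
# Returns 0 when every listed file exists and matches, 1 otherwise.
verify_manifest() {
    manifest="$1"
    dir="$2"
    rc=0
    while read -r sum name url; do
        case "$sum" in ''|'#'*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name  (expected from $url)" >&2
            rc=1
            continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: got $actual, manifest says $sum" >&2
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Constructed demo: two fake "tarballs" plus a manifest, all created in a
# temporary directory; nothing is fetched from the network.
demo() {
    tmp=$(mktemp -d)
    printf 'lib-a contents\n' > "$tmp/lib-a-1.0.tar.gz"
    printf 'lib-b contents\n' > "$tmp/lib-b-2.1.tar.gz"
    a=$(sha256sum "$tmp/lib-a-1.0.tar.gz" | cut -d' ' -f1)
    b=$(sha256sum "$tmp/lib-b-2.1.tar.gz" | cut -d' ' -f1)
    {
        echo "# sha256  file  source (constructed placeholder URLs)"
        echo "$a  lib-a-1.0.tar.gz  https://example.invalid/lib-a-1.0.tar.gz"
        echo "$b  lib-b-2.1.tar.gz  https://example.invalid/lib-b-2.1.tar.gz"
    } > "$tmp/DEPENDENCIES"

    verify_manifest "$tmp/DEPENDENCIES" "$tmp" && echo "all sources verified"

    # Simulate the rolling-repository failure mode: the file at the same
    # name/version now has different bytes. The build must stop here.
    printf 'tampered\n' > "$tmp/lib-b-2.1.tar.gz"
    verify_manifest "$tmp/DEPENDENCIES" "$tmp" || echo "rebuild blocked: manifest mismatch"

    rm -rf "$tmp"
}

demo
```

Hash pinning fixes the bytes a rebuild consumes; it does not by itself establish where those bytes came from. The step that does is verifying the upstream maintainer's detached signature once, when the tarball is first imported and its hash is written into `DEPENDENCIES`; from then on the manifest carries that provenance forward into every later build.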
