Dne 22. 06. 26 v 14:20 Daniel P. Berrangé napsal(a):
On Mon, Jun 22, 2026 at 07:17:18AM -0500, Chris Adams wrote:Once upon a time, Jarek Prokop <[email protected]> said:It does NOT seem to be banned to include pre-built stuff in the source archive, there is even an implication that it is OK in the source archive in the guidelines:Yeah, I think the only time you can't use the upstream source tar/zip is if there is legally impermissible content in the archive. Otherwise, it is best to use the upstream source as-is, because that makes it much easier to manage and validate.In the case of NodeJS modules, however, we're not relying on upstream tar/zip files for the bundled code. There is a Fedora script which maintainers use to create the bundled. For downstream bundling we must ensure we remove all pre-built binaries, given that the binary RPM contents are essentially a copy of the bundled tarball contents.
The guidelines talks about two tarballs:
~~~
Source1: %{npm_name}-%{version}-nm-prod.tgz
Source2: %{npm_name}-%{version}-nm-dev.tgz
~~~
Is the concern the first, the second, or both?
To me the binary content in the first is concerning, because this is
going to be part of the resulting package. The content of the second is
fine as long as the content is legally permissible. I don't think it
makes any difference if such tarball is downloaded from upstream or
produced by some bundling script.
Vít
With regards, Daniel
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
