Dne 22. 06. 26 v 18:46 Daniel P. Berrangé napsal(a):
On Mon, Jun 22, 2026 at 06:21:40PM +0200, Vít Ondruch wrote:
Dne 22. 06. 26 v 14:20 Daniel P. Berrangé napsal(a):
On Mon, Jun 22, 2026 at 07:17:18AM -0500, Chris Adams wrote:
Once upon a time, Jarek Prokop <[email protected]> said:
It does NOT seem to be banned to include pre-built stuff in the
source archive, there is even an implication that it is OK in the
source archive in the guidelines:
Yeah, I think the only time you can't use the upstream source tar/zip is
if there is legally impermissible content in the archive.  Otherwise, it
is best to use the upstream source as-is, because that makes it much
easier to manage and validate.
In the case of NodeJS modules, however, we're not relying on upstream
tar/zip files for the bundled code. There is a Fedora script which
maintainers use to create the bundled. For downstream bundling we
must ensure we remove all pre-built binaries, given that the binary
RPM contents are essentially a copy of the bundled tarball contents.

The guidelines talks about two tarballs:

~~~

Source1:        %{npm_name}-%{version}-nm-prod.tgz
Source2:        %{npm_name}-%{version}-nm-dev.tgz

~~~


Is the concern the first, the second, or both?

To me the binary content in the first is concerning, because this is going
to be part of the resulting package. The content of the second is fine as
long as the content is legally permissible. I don't think it makes any
difference if such tarball is downloaded from upstream or produced by some
bundling script.
Agree that the first case is the #1 priority in terms of avoiding
prebuilt binaries in shipped binary RPMs.

I tend to view bundling of binaries as a conceptual mistake. We would
accept it from upstream for pragmatic reasons as long as it does not
have legal problems. This is to avoid blocking packaging waiting for
upstream to change their approach, if they even agree to the request.

If we're creating tarballs downstream ourselves, then a maintainer has
the power to avoid including binaries and so should do so IMHO.

Having pre-built binaries suggests when we're running npm tests in
Fedora it is potentially executing binaries of unknown provenence
which can't be audited in any meaningful way. This makes me wary
as while mock is isolated any local rpmbuilds are not.


Needed to say that I agree with all your points.

The only problem is that we are missing so much basic tooling, e.g. Rollup :/

BTW in my specific case [1] there are also other options how to avoid a lot of (possible binary) dependencies in the -dev tarball and that is skipping running the test suite. Not sure what is bigger evil?


Vít


[1]: https://lists.fedoraproject.org/archives/list/[email protected]/thread/MYW3QT5WIJZJWRSBDZJF6I7FKGZGNBHE/


Vít


With regards,
Daniel

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to