Mike Meyer wrote:
> Nicolas Williams <[email protected]> wrote:
>> A related point: for security purposes we're going to want to include
>> cryptographic hashes of everything referenced by URL that is needed to
>> rebuild a pkg.
>
> Security? How about simply sanity? Trying to rebuild a package that's
> been modified by the upstream provider is a good way to drive an end
> user crazy. Not all upstream providers provide nicely versioned
> tarballs, and not all of those that do have good hygiene about
> updating version numbers whenever they update the sources. Of course,
> a way to say "ignore this" helps, letting users try the build knowing
> that they may not have the right sources. But in that case, they're
> expecting breakage.
Since most open source licenses make the distributor responsible for
providing the source, pointing to where you got the tarball from usually
isn't sufficient to fulfil license requirements. As an example, I seem to
recall the FSF stating that projects that host derivatives of GPL licensed
software also had to host the source code.

So, in other words, we have to host it anyway as far as I'm aware.

DISCLAIMER: I am not a lawyer and this is not valid legal advice.

--
Shawn Walker
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
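The hash-pinning idea from the quoted exchange above (record a cryptographic hash of every URL-referenced source in the manifest, and let the user explicitly "ignore this" when upstream has respun a tarball), worked as an added example that is not code from this thread or from the pkg project. The manifest layout, the `example.invalid` URLs and the tarball contents are constructed for illustration.

```python
import hashlib

# Constructed sample: the two upstream tarballs exactly as they were when the
# package was first built. Real manifests would pin real tarball hashes.
ORIGINAL_SOURCES = {
    "http://example.invalid/foo-1.0.tar.gz": b"foo-1.0 contents",
    "http://example.invalid/bar-2.3.tar.gz": b"bar-2.3 contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_sources(sources):
    """Manifest side: pair each referenced URL with the hash of what was packaged."""
    return {url: sha256_hex(data) for url, data in sources.items()}


def check_sources(manifest, fetched, ignore_mismatch=False):
    """Rebuild side: compare what was fetched now against the pinned hashes.

    manifest: {url: sha256 hex}; fetched: {url: bytes} (absent if unreachable).
    Returns (can_build, findings) where findings maps url -> "ok" | "mismatch"
    | "missing". A mismatch blocks the build unless the user chose to ignore it,
    in which case they are knowingly building from sources that differ from the
    ones the package was made from. A missing source always blocks the build.
    """
    findings = {}
    for url, expected in manifest.items():
        data = fetched.get(url)
        if data is None:
            findings[url] = "missing"
        elif sha256_hex(data) != expected:
            findings[url] = "mismatch"
        else:
            findings[url] = "ok"
    missing = any(status == "missing" for status in findings.values())
    mismatched = any(status == "mismatch" for status in findings.values())
    can_build = not missing and (not mismatched or ignore_mismatch)
    return can_build, findings


def demo():
    manifest = pin_sources(ORIGINAL_SOURCES)
    # Simulate an upstream provider replacing foo-1.0.tar.gz under the same name.
    fetched = dict(ORIGINAL_SOURCES)
    fetched["http://example.invalid/foo-1.0.tar.gz"] = b"foo-1.0 contents, respun"
    strict = check_sources(manifest, fetched)                        # blocked
    forced = check_sources(manifest, fetched, ignore_mismatch=True)  # proceeds
    return strict, forced
```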
