[CentOS-devel] How to build maven packages in CBS?

Nico Kadel-Garcia

nkadel at gmail.com
Sat Jun 25 03:28:53 UTC 2016


On Thu, Jun 23, 2016 at 11:44 AM, Karanbir Singh <mail-lists at karan.org> wrote:
> On 22/06/16 20:11, Matthias Runge wrote:
>>>> What does Fedora do?
>>
>> Fedora forbids pre-built binary objects in their packages (with a very
>> few exceptions).
>>
>> For CentOS, we don't have that restriction. Please correct me, if I'm
>> wrong.
>
> That is right, we don't enforce from-source builds, but we do need the
> content to be open source ideally, or you to have demonstrable
> rights to redistribute unconditionally, any content imported via that route.
>
> What would this reproducible builds chain look like if we were to start
> looking at Maven/MEAD ? Also, how would we verify the content that goes
> through ?

It's inherently unpredictable. While many of the standard Maven
repository packages have good licenses, it's not a pre-requisite to
provide buildable or open source or free software licenses for
packages accepted by various public Maven repositories. The only way
to prevent loading of an unexpectedly mislicensed package in doing a
normal maven build is to turn off all public repositories and use a
well defined local one. And making sure of *that* basically means
turning off DNS or all networking in your build environment.

See http://stackoverflow.com/questions/2493507/maven-report-on-licenses-your-project-depends-on
for some notes on publishing license dependencies, but remember that
Maven suffers from some of the same issues of CPAN and PyPI. The
package you build on Tuesday may not match the package, and all the
dependencies, of a package you build on Thursday unless you go to
incredible amounts of work to lock down *all* the dependencies. And
the one you fail to lock down may develop a conflict with the one you
*do* lock down.

It's one of my pet peeves about the "just install it from scratch"
approach to software deployment. It's also why I spend so much time
writing RPMs for internal projects, so we do have well defined
modules.
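What the "turn off all public repositories and use a well defined local one" plus "lock down *all* the dependencies" advice above looks like in Maven configuration, as an added example that is not from this post, from CBS, or from any CentOS or Maven project. The internal repository URL https://repo.example.internal/maven2 is a placeholder, and the enforcer plugin version (1.4.1) and the commons-io 2.4 pin are illustrative versions chosen for the example, not recommendations. The first file is the per-user or per-build-host settings.xml; the second is a fragment of the project pom.xml.

```xml
<!-- settings.xml (assumed path: ~/.m2/settings.xml or passed with mvn -s).
     Every repository request, including Maven Central and plugin
     repositories, is redirected to one audited internal repository. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>audited-internal</id>
      <name>Audited internal repository (placeholder URL)</name>
      <url>https://repo.example.internal/maven2</url>
      <!-- '*' matches every repository id, so a <repository> element
           declared inside some dependency's own POM cannot quietly
           pull artifacts from a public server -->
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>

<!-- pom.xml fragment: pin versions centrally and make the build fail,
     rather than silently pick a winner, when the tree drifts. -->
<project>
  <!-- the project's own groupId/artifactId/version are omitted here -->

  <dependencyManagement>
    <dependencies>
      <!-- a pinned transitive dependency: any module or dependency that
           pulls commons-io in gets exactly this version -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>1.4.1</version>
        <executions>
          <execution>
            <id>lock-down-dependencies</id>
            <phase>validate</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- no SNAPSHOT dependencies: a SNAPSHOT is by definition
                     the "Tuesday build differs from Thursday build" case -->
                <requireReleaseDeps/>
                <!-- fail if two paths through the dependency tree ask for
                     different versions of the same artifact, instead of
                     letting Maven's nearest-wins resolution choose one;
                     this is the "conflict with the one you do lock down" -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With that settings.xml in place, `mvn dependency:go-offline` populates the local repository cache from the audited mirror only, and the actual build can then run as `mvn -o verify`, where `-o` tells Maven to touch no remote repository at all, which is the software equivalent of the "turn off networking" step. `mvn dependency:tree` shows the resolved tree that the enforcer rules are checking, and the codehaus license-maven-plugin's `license:add-third-party` goal (one of the tools behind the StackOverflow thread linked above) writes out the licenses of everything in that tree so a mislicensed artifact shows up before it ships.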


