On Wed, Jun 22, 2016 at 3:11 PM, Matthias Runge <mrunge at matthias-runge.de> wrote: > On Tue, Jun 21, 2016 at 02:58:56PM -0600, Rich Megginson wrote: >> > You end up with packages that other people have no idea the packages >> > that are required to get a build or source code required to get the >> > packages if packages are even used. >> > >> > If we can create a mechanism where others can reproduce this >> > buildroot/area external to our koji instance and provide all the >> > necessary documentation so it can also be easily reproduced by the >> > community, then I could likely be convinced. >> >> I think if we do that for CBS, it will have to be done that way, for exactly >> the reasons you mention. Would you add that as a comment to the bug, or >> would you mind if I did? https://bugs.centos.org/view.php?id=11073 >> > > Yes, I would like a documented way to enable everyone to create > comparable builds, but not necessarily bit-identical builds. For > identical builds, one would have to make sure, the time, buildhost etc. > are always the same. This takes infrastructure to host and manage the various Maven built dependencies, much like Python, modules from pypi.org and likeperl modules from CPAN. I can warn you right now that this adds up to a lot of work. JPackage used to try to do this, but the dependency trees got out of hand and incompatible with built-in RHEL and thus CentOS or Scientific Linux components very quickly. Even the packaginf of the Sun published Java RPM's, for those who required the old Sun Java specifically, became a licensing and incompatible packaging adventure. >> > What does Fedora do? > > Fedora forbids pre-built binary objects in their packages (with a very > few exceptions). As does RHEL, in general, and as should CentOS. It's critical to open source and free software distribution that the code, *including the build tools*, be publicly available. Not all vendors have been good about this, keeping some of the build tools as "secret sauce". > For CentOS, we don't have that restriction. Please correct me, if I'm > wrong. Depends on the license of individual components. GPL tools with closed source binary modules inserted in them after deployment are "tainted" and cannot be republished as a whole package. That's why Nvidia and similar modules "taint" the Linux kernel, and need to be published out of band from the main kernel source. Similar restrictions may appy to other projects: you'd have to carefully review *all* the licensing. It looks like CentOS policy has been to use open source and free software builds, and avoid closed source binaries with their potentially incompatible licensing. That kind of thing is why the Java from Oracle is not, and cannot be, part of the base RHEL or in turn the base CentOS operating systems. > Best, > Matthias > -- > Matthias Runge <mrunge at matthias-runge.de> > _______________________________________________ > CentOS-devel mailing list > CentOS-devel at centos.org > https://lists.centos.org/mailman/listinfo/centos-devel