On Thu, Jun 23, 2016 at 11:44 AM, Karanbir Singh <mail-lists at karan.org> wrote: > On 22/06/16 20:11, Matthias Runge wrote: >>>> What does Fedora do? >> >> Fedora forbids pre-built binary objects in their packages (with a very >> few exceptions). >> >> For CentOS, we don't have that restriction. Please correct me, if I'm >> wrong. > > That is right, we dont enforce from source builds, but we do need the > content to be open source ideally, or you to have demonstrate-able > rights to redistribute unconditionally, any content imported via that route. > > What would this reproduceable builds chain look like if we were to start > looking at Maven/MEAD ? Also, how would we verify the content that goes > through ? It's inherently unpredictable. While many of the standard Maven repository packages have good license, it's not a pre-requisite to provide buildable or open source or free software licenses for packages accepted by various public Maven repositories. The only way to prevent loading of an unexpectedly mislicensed package in doing a normal maven build is to turn off all public repositories and use a well defined local one. And makiong sure of *that* basically means turning off DNS or all networking in your build environment. See http://stackoverflow.com/questions/2493507/maven-report-on-licenses-your-project-depends-on for some notes on publishing license dependencies, but remember that Maven suffers from some of the same issues of CPAN and PyPI. The package you build on Tuesday may not match the package, and all the dependencies, of a package you build on Thursday unless you go to incredible amounts of work to lock down *all* the dependencies. And the one you fail to lock down may develop a conflict with the one you *do* lock down. It's one of my pet peeves about the "just install it from scratch" approach to software deployment. It's also why I spend so much time writing RPM's for internal projects, so we do have well defined modules.