Well said.

On Tue, Aug 10, 2004 at 05:55:40PM -0700, Shaun Jackman wrote:
> On Tue August 10, 2004 13h14, Martin Schulze wrote:
> > Roland Stigge wrote:
> >
> > Hence, please don't do that, but compile it from the provided source,
> > always.
> >
> > Regards,
> >
> > Joey
> >
>
> The build system can function much like automake does. Makefile.in is
> not usually regenerated from Makefile.am. If Makefile.in is removed it
> will be regenerated. Likewise, the build system could typically
> redistribute upstream's derivative form. If the security team finds it
> necessary to patch the source, simply removing upstream's binary will
> cause it to be rebuilt. This allows both redistribution of a pristine
> upstream binary as well as potential modification by the security
> team.

In summary, Debian must provide a way to easily regenerate from "source" (aka preferred form). This might be in the form of a debian/rules target. Once that's done, I think distribution of upstream's binaries aka derivative forms is okay.

Indeed, in the case of java, I don't think it will matter 0.02 worth who compiles it. Java is reverse compilable, so I think the bytecode will be the same either way. Can someone confirm this?

Then, it'd be nice if we could allow for upstream binaries to be left alone, as long as developers have confirmed that their bytecode is the same as upstream's. Then, the regenerate-bytecode: target doesn't need to get called during a debuild session (because the "source" is usually unchanged). But it must work, such that easy modifications are possible, in the case of e.g. a security hole.

Justin
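The confirmation step this message asks for (that a locally rebuilt jar carries the same bytecode as upstream's binary), as an added example that is not code from this thread or from Debian's packaging tools. It compares the `.class` entries of two jars by content hash rather than comparing the jar files byte for byte, since zip timestamps, entry order and the manifest legitimately differ between builds; the sample jars and their fake class bytes are constructed inline.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def class_digests(jar_path):
    """Map each .class entry in a jar to the SHA-256 of its bytes.
    Zip metadata (timestamps, entry order, compression) is ignored on
    purpose: two jars built at different times can hold identical bytecode."""
    digests = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                digests[name] = hashlib.sha256(jar.read(name)).hexdigest()
    return digests


def compare_jars(upstream_jar, rebuilt_jar):
    """Return (only_in_upstream, only_in_rebuilt, changed) sets of entry names."""
    up, rb = class_digests(upstream_jar), class_digests(rebuilt_jar)
    only_up = set(up) - set(rb)
    only_rb = set(rb) - set(up)
    changed = {n for n in set(up) & set(rb) if up[n] != rb[n]}
    return only_up, only_rb, changed


def bytecode_matches(upstream_jar, rebuilt_jar):
    """True only when every class is present in both jars with identical bytes."""
    return not any(compare_jars(upstream_jar, rebuilt_jar))


def _write_jar(path, entries, date):
    # Constructed sample jar; the date differs per jar to show that
    # timestamps do not influence the comparison.
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date), data)


def demo():
    """Build an 'upstream' jar, an identical rebuild and a patched rebuild."""
    a = b"\xca\xfe\xba\xbe" + b"A" * 16  # fake class bytes, not a real class
    b = b"\xca\xfe\xba\xbe" + b"B" * 16  # same class after a (hypothetical) patch
    with tempfile.TemporaryDirectory() as d:
        up, same, patched = (Path(d) / n for n in ("up.jar", "same.jar", "patched.jar"))
        _write_jar(up, {"META-INF/MANIFEST.MF": b"Built-By: upstream\n", "org/Foo.class": a}, (2004, 8, 10, 17, 55, 40))
        _write_jar(same, {"META-INF/MANIFEST.MF": b"Built-By: debian\n", "org/Foo.class": a}, (2004, 8, 11, 9, 0, 0))
        _write_jar(patched, {"META-INF/MANIFEST.MF": b"Built-By: debian\n", "org/Foo.class": b}, (2004, 8, 11, 9, 0, 0))
        return bytecode_matches(up, same), compare_jars(up, patched)


if __name__ == "__main__":
    print(demo())  # (True, (set(), set(), {'org/Foo.class'}))
```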