
Re: Reproducible, precompiled .o files: what say policy+gpl?

On Mon, Oct 18, 2004 at 08:11:24PM -0700, John H. Robinson, IV wrote:
> > If you build with different tools, you have a different package.  "X
> > built with gcc" and "X built with icc" are very different things (just
> > as "X" and "X with x.patch and x2.patch applied" are different things).
> I see your point, but I disagree entirely. If I build openssh on Solaris
> with gcc, or if I use Solaris' SUNWspro, is it a different openssh? Not
> at all. The source is still the same. The only exception I will grant
> you is code that determines the compiler being used and changes its
> actual functionality (not work around bugs or other compiler features).
> This is far different from applying patches to the source.
> If what you say is true, then using gcc-3.3 would produce a different
> package than from gcc-3.2. I think few people would agree with you,
> modulo bugs in the code/compiler/bugs/feature-set.

Consider a major, practical reason we require that packages be buildable
with free tools: so people--both Debian and users--can make fixes to the
software in the future.

For example, suppose OpenSSL is built with ecc (Expensive C Compiler),
because it produces faster binaries, the Debian package is created with
it, and ends up in a stable release.  A security bug is found, and the
maintainer isn't available.  Can another developer fix this bug?  No:
you can't possibly make a stable update with a completely different
compiler, halving the speed and possibly introducing new bugs.  (Debian
is very conservative and cautious with stable updates; this is one of
the reasons many people use it.)

By the same token, users are similarly unable to exercise the level of
caution needed when making security updates on critical systems, unless
they subject themselves to whatever non-free license the compiler uses.

This is a fundamental reason it's required that packages be buildable
using free tools, and why I don't think "you can build a kind-of similar
package using free tools, but the one we're giving you can only be built
with non-free tools" is acceptable.

Glenn Maynard
