
Re: GPL-licensed software linked against libssl on buildds!

On 20/01/10 at 00:48 -0800, Steve Langasek wrote:
> On Wed, Jan 20, 2010 at 02:22:33PM +1300, Lucas Nussbaum wrote:
> > Why spend a lot of time on tasks that provide little benefit, and also
> > some disadvantages (in some cases, the fixes might be non-obvious, and
> > require changes to the packaging that tend to obscure it, for example
> > by using --disable-foo for each and every option we don't want)?
> I'm not asking anyone to spend time on this task, but I still consider
> missing build-conflicts a bug.  Ignoring these bugs by insisting on clean
> chroot environments for all official package builds is no solution - what if
> one of your build-dependencies pulls in one of these other packages,
> resulting in an undistributable (license-incompatible) misbuild?  If the
> build-conflicts had been declared, or if the --without-foo option had been
> passed, we would not have to worry about such a misbuild.

If the chroot env is clean, the build process is likely to be very
similar on your system and on the buildds. So even without
build-conflicts, it is likely that no additional build-deps will be
pulled. It's true that that isn't a full guarantee (differences between
archs, binNMUs done later in the package lifecycle), but clean chroot
environments offer much more guarantee than the current situation, which
is based only on the maintainer disabling all unused options or adding
all the proper build-conflicts. That is hard and error-prone: among the
packages you maintain, for example, sqsh picks up an additional dep on
tcl8.4 if tcl-dev is installed.
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
