[Trustable-distros] Provenance, git and freedesktop-sdk
Ben Brewer
ben.brewer at codethink.co.uk
Wed Sep 26 13:53:55 BST 2018
Nobody has an opinion on this?
On 21/09/18 14:27, Ben Brewer wrote:
> Hey All,
>
> Recently we've been moving to have minimal-distro source elements from
> freedesktop-sdk using BuildStream junctions.
>
> As far as was practically possible we attempted to build
> minimal-distro from git, while freedesktop-sdk uses tarballs for most
> packages.
>
> We're currently working on the assumption that provenance is provided
> by building from git source, and that this is a worthy goal to work
> towards, however the practicality of this approach has become more
> questionable as we've tried to implement it.
>
> Here are the issues we've run into:
>
> * Many projects don't have any repository, or don't have a git
>   repository:
>     o bzip2 has no repository at all
>     o mpfr (a gcc dependency) only has an SVN repository
>     o gmp (a gcc dependency) only has a Mercurial repository
> * In many cases, the process of building from git source to produce
>   a release is undocumented. In these cases a fair amount of reverse
>   engineering effort is required to gain parity with a tarball release.
> * Many projects require patches applied on top of git in order to build.
>     o These patches require maintenance
>     o These patches may be incorrect, especially when changing versions
> * Many projects required different versions of autotools in order to
>   build the configure file
>     o GCC requires a specific version of autoconf (2.64) to build
>       from git
>     o ucl (a dependency of SYSLINUX) requires a version of autoconf
>       so old, I've not been able to build it.
>     o Many git repositories contain a configure file that can't
>       easily be generated from the source for these reasons, and in
>       those cases pose the same issues for provenance that a tar
>       file does.
> * Some projects require closed source binaries to build a tar
>   release from git.
>     o SYSLINUX requires upx to build, and upx requires closed source
>       binaries to build properly. When building upx from git using
>       ucl, it prints a warning stating that it's a beta and not to
>       be used in production. I don't believe it's easy to trust such
>       a build.
> * The dependency list for the git build is much larger (and usually
>   undocumented) than the dependency list for the tarball
>     o When updating "file" to git, I discovered that it has
>       undocumented dependencies
>     o In many cases the increased dependencies would also be
>       required as part of the bootstrap, which would inflate the
>       bootstrap size by an impractically large amount.
>
> The Mercurial and SVN issues can be resolved either by developing
> these plugins for BuildStream or using a trove style approach where we
> create a git mirror for Mercurial/SVN repositories.
>
> The remaining issues I believe are a little more tricky to resolve.
>
> Any thoughts or ideas are welcome.
>
> Regards,
> Ben
>
>
> _______________________________________________
> Trustable-distros mailing list
> Trustable-distros at lists.trustable.io
> https://lists.trustable.io/cgi-bin/mailman/listinfo/trustable-distros
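An added example, not from the thread or from BuildStream/freedesktop-sdk, of the kind of parity check the tarball-versus-git question above calls for: given a release tarball listing and a git tree listing, it separates tarball-only files that match assumed autotools-output patterns (configure, Makefile.in, build-aux helpers) from files with no explanation, and lists git-only maintainer inputs. The pattern list, the sample listings and all function names are assumptions of the example.

```python
"""Classify the differences between a release tarball listing and the
git tree it claims to come from (added example; the generated-file
patterns are an assumed heuristic, not project policy)."""
import fnmatch
import posixpath

# Assumed autotools outputs that a tarball ships but git usually does not.
GENERATED_PATTERNS = (
    "configure", "Makefile.in", "aclocal.m4", "config.h.in",
    "config.guess", "config.sub", "install-sh", "ltmain.sh",
    "missing", "depcomp", "compile", "m4/lt*.m4", "build-aux/*",
)

def normalize_tar_paths(entries, top_dir):
    """Drop the leading '<name>-<version>/' that tar listings carry."""
    paths = set()
    for entry in entries:
        entry = entry.rstrip("/")
        if entry.startswith(top_dir + "/"):
            entry = entry[len(top_dir) + 1:]
        if entry and entry != top_dir:
            paths.add(entry)
    return paths

def is_generated(path):
    """True if the path matches an assumed autotools output pattern."""
    base = posixpath.basename(path)
    return any(fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(base, pat)
               for pat in GENERATED_PATTERNS)

def compare(tar_files, git_files):
    """Split tarball-only files into expected build output and files that
    have no explanation; also list git-only (maintainer) inputs."""
    tar_only = tar_files - git_files
    return {
        "generated": sorted(p for p in tar_only if is_generated(p)),
        "unexplained": sorted(p for p in tar_only if not is_generated(p)),
        "git_only": sorted(git_files - tar_files),
    }

# Constructed sample listings, not taken from any real project.
SAMPLE_TAR = ["foo-1.2/", "foo-1.2/configure", "foo-1.2/configure.ac",
              "foo-1.2/Makefile.in", "foo-1.2/src/Makefile.in", "foo-1.2/src/foo.c",
              "foo-1.2/build-aux/compile", "foo-1.2/src/foo_gen.h"]
SAMPLE_GIT = {"configure.ac", "Makefile.am", "src/Makefile.am",
              "src/foo.c", "autogen.sh"}

def check_sample():
    """Run the comparison on the constructed sample listings."""
    return compare(normalize_tar_paths(SAMPLE_TAR, "foo-1.2"), SAMPLE_GIT)
```

For a real release, the two listings come from `tar -tf <tarball>` and `git ls-tree -r --name-only <tag>`; anything reported as unexplained is a file the tarball carries that cannot be traced to the tagged source.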