The Packaging Guidelines require that all binary programs and libraries be
built from source code. How should this requirement be interpreted when some
of the "source code" is itself automatically generated from other sources?

GTKada is an Ada binding to GTK+. In the latest version, some of the Ada files
in the source tarball have been generated by a program that is included in the
tarball. Future versions will have even more generated code. The input to the
code generator is a GIR file, which as far as I understand is some kind of XML
representation of the GTK+ API. The GIR file has in turn been generated from
the C source code of GTK+. The GIR file is included in the GTKada tarball, but
the GTK+ source is not.

Now I'm trying to figure out whether I can build the GTKada package from the
distributed generated Ada code, or whether I have to run the code generation
as a part of the build, possibly using the GIR file from the GTK+ package
instead of the one in the GTKada tarball.
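A regenerate-and-compare check of the kind this question implies, as an added example that is not GTKada's own generator or build script: a toy GIR-to-Ada generator run over a constructed GIR fragment, plus a function that diffs the shipped, pre-generated Ada text against a fresh regeneration from the GIR file. The GIR element names (namespace, class, method, return-value, parameters, type) follow the GObject-Introspection schema; the Ada output layout, the type mapping and the function names `generate_ada` and `check_shipped` are assumptions made for the illustration.

```python
"""Regenerate generated bindings from their GIR input and diff against the
shipped copy. Added example; the generator and its Ada output format are
invented for illustration and are not GTKada's."""
import difflib
import xml.etree.ElementTree as ET

GI = "http://www.gtk.org/introspection/core/1.0"
C = "http://www.gtk.org/introspection/c/1.0"
NS = {"gi": GI, "c": C}
C_ID = "{%s}identifier" % C  # fully qualified name of the c:identifier attribute

# Constructed GIR fragment for the example; not taken from any GTK+ release.
SAMPLE_GIR = """<repository version="1.2"
            xmlns="http://www.gtk.org/introspection/core/1.0"
            xmlns:c="http://www.gtk.org/introspection/c/1.0">
  <namespace name="Gtk" version="3.0">
    <class name="Button" c:type="GtkButton">
      <method name="get_label" c:identifier="gtk_button_get_label">
        <return-value><type name="utf8"/></return-value>
      </method>
      <method name="set_label" c:identifier="gtk_button_set_label">
        <return-value><type name="none"/></return-value>
        <parameters>
          <parameter name="label"><type name="utf8"/></parameter>
        </parameters>
      </method>
    </class>
  </namespace>
</repository>
"""

# Assumed mapping from GIR type names to Ada types; None means "no return value".
ADA_TYPES = {"utf8": "String", "gint": "Integer", "gboolean": "Boolean", "none": None}


def ada_name(name):
    """get_label -> Get_Label (GtkAda-style capitalisation, assumed here)."""
    return "_".join(part.capitalize() for part in name.split("_"))


def ada_type(type_elem):
    """Map a GIR <type name="..."/> element to an Ada type name."""
    name = type_elem.get("name")
    if name not in ADA_TYPES:
        raise ValueError("no Ada mapping for GIR type %r" % name)
    return ADA_TYPES[name]


def generate_ada(gir_xml):
    """Emit one Ada package spec per GIR class, in document order, so the
    output is deterministic for a given input."""
    root = ET.fromstring(gir_xml)
    out = []
    for ns in root.findall("gi:namespace", NS):
        for cls in ns.findall("gi:class", NS):
            pkg = "%s.%s" % (ns.get("name"), cls.get("name"))
            self_type = "%s_%s" % (ns.get("name"), cls.get("name"))
            out.append("package %s is" % pkg)
            out.append("   type %s is private;" % self_type)
            for m in cls.findall("gi:method", NS):
                name = ada_name(m.get("name"))
                params = ["Self : %s" % self_type]
                for p in m.findall("gi:parameters/gi:parameter", NS):
                    params.append("%s : %s" % (ada_name(p.get("name")),
                                               ada_type(p.find("gi:type", NS))))
                ret = ada_type(m.find("gi:return-value/gi:type", NS))
                sig = "%s (%s)" % (name, "; ".join(params))
                if ret is None:
                    out.append("   procedure %s;" % sig)
                else:
                    out.append("   function %s return %s;" % (sig, ret))
                out.append('   pragma Import (C, %s, "%s");' % (name, m.get(C_ID)))
            out.append("private")
            out.append("   type %s is null record;" % self_type)
            out.append("end %s;" % pkg)
            out.append("")
    return "\n".join(out)


def check_shipped(shipped_ada, gir_xml):
    """Compare the shipped (pre-generated) Ada text with a fresh regeneration.
    Returns (identical, unified-diff lines); an empty diff means the shipped
    code is reproducible from the GIR file and this generator."""
    regenerated = generate_ada(gir_xml)
    diff = list(difflib.unified_diff(regenerated.splitlines(), shipped_ada.splitlines(),
                                     "regenerated", "shipped", lineterm=""))
    return (not diff, diff)


if __name__ == "__main__":
    shipped = generate_ada(SAMPLE_GIR)          # stand-in for the tarball's copy
    print(shipped)
    print("identical:", check_shipped(shipped, SAMPLE_GIR)[0])
    # A shipped copy with one extra declaration the GIR file does not describe.
    tampered = shipped.replace("private\n",
                               "   procedure Extra (Self : Gtk_Button);\nprivate\n", 1)
    identical, diff = check_shipped(tampered, SAMPLE_GIR)
    print("identical:", identical)
    print("\n".join(diff))
```

If the shipped text is identical to what the included generator produces from the included GIR file, the generated Ada is at least reproducible from inputs that are in the tarball; a non-empty diff lists exactly the lines a reviewer would have to account for by hand, which is the situation the "Security" reason in the guidelines is about.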
There are two reasons for the requirement listed in the guidelines:

· "Security: Pre-packaged program binaries and program libraries not built
from the source code could contain parts that are malicious, dangerous, or
just broken. Also, these are functionally impossible to patch."

The generated Ada code is nicely formatted and legible, and no harder to
review than hand-written source code. It would be possible to patch it,
although such a patch would of course not be upstreamable.

· "Compiler Flags: Pre-packaged program binaries and program libraries not
built from the source code were probably not compiled with standard Fedora
compiler flags for security and optimization."

This obviously doesn't apply to generated code that hasn't yet been through a
compiler.

Thus, none of the stated reasons seem to be relevant to this case, and I can
see only one thing that could mean that I have to run the code generation as a
part of the build, namely the term "source code". My question is: Is it
required that all the steps in the process from the actual source code to
binary code take place on Fedora's build servers, or is it sufficient that
binaries are built from human-readable code even if that code isn't the actual
source code?

In other words: Should I read "source code" literally, as "the ultimate source
code written by human programmers", or is it OK, for the purpose of this
requirement, to read it as "human-readable code in a textual programming
language"?

Björn Persson