On Tuesday, July 23, 2013 11:23:27 PM Greg Troxel wrote:
> I find it interesting that this is a "linux packaging letter".  How much
> of this applies to pkgsrc, FreeBSD ports, OpenBSD ports, and other
> non-Linux packaging systems (pkgsrc supports Linux as on of 20 operating
> systems, but is not a "Linux packaging system")?

It was written with bitcoind/Bitcoin-Qt in mind, which don't work on BSD. :p

> Is the repeatable build infrastructure portable (to any reasonable
> mostly-POSIX-compliant system, with gcc or clang)?  I have the vague
> impression it's Ubuntu only, but I am very unclear on this point.  How
> does this repeatableness interact with building for multiple operating
> systems and cpu types (say 20 OS, with typically 3 versions of the OS
> for each, with 1-20 cpu types per OS, for a cross-product of perhaps 200
> combinations)?

It should be portable to other systems, though hasn't been done yet.
Would be nice if the concepts it uses could be integrated into the package-
building systems.

> Requiring precise library depdendencies is quite awkward.  Certainly
> requiring new enough to avoid known bugs is understandable, but that
> should be caught at configure time and fail.

The problem is that we require bugs. That is, if your library has those bugs 
fixed, you have introduced a security vulnerability.

> It seems like a bug that the package will build on BE systems and then
> fail tests.   If it's known not to be ok, it seems that absent some
> configure-time flag the build should fail.

There is no configure-time for this node software yet. The autoconf-based one 
in the works *does* make this check, however.

> Asking people not to patch should mean willingnesss to make accomodation
> in the master sources for build issues for multiple packaging systems.
> I haven't gotten around to packaging this for pkgsrc - so far I only
> have the energy to lurk (due to too many things on the todo list).  But
> I often find that some changes are needed.  If you're willing (in
> theory) to add in configure flags to control build behavior (in a way
> that you can audit and decide is safe), that's great, and of course we
> can discuss an actual situation when one gets figured out.

The review process is very slow and strict, but that is because of the same 
reasons it isn't safe to distribute patched versions in general. Merging your 
patches to mainline is not only a good idea, but it helps to ensure they get 
the necessary testing needed to be safe.

Luke