Help us flush out the permissible source requirements for the Unified Build project. #4045
Replies: 8 comments 16 replies
-
I applaud the goal of having a unified build from the same source for all distributions of .NET – including Microsoft's own. 👏🏼 This is a large step in the right direction and something that is going to improve the source build significantly going forward, as Microsoft will be dogfooding their own developer experience. I assume that the binaries in question are only required for Microsoft themselves to build the mentioned Microsoft technologies: WPF, Winforms, etc. If so, how about having these in a Git submodule that can just be ignored by every other build system but Microsoft's? The arguments for excluding binaries by default are many; from the size and duration of the Git clone, to the number of distributions not needing it vs. the single one that does (Microsoft's own). With a Git submodule, the only difference in Microsoft's build would be to clone the submodule. By its existence on disk, the build scripts could identify that "yes, we should build Microsoft components" and pull those binaries in as needed. Otherwise, the binaries could just be ignored. With this setup, the Git submodule could even be behind authentication that would be inaccessible to non-Microsoft distributions. |
Beta Was this translation helpful? Give feedback.
-
Hey! Thanks for bringing this up. This is a fantastic goal that Red Hat has been hoping for too. I would love to have everyone (Microsoft, partners, distro owners, packagers and anyone else) build .NET out of the same source tree/archive, as much as possible. I would love to have Microsoft release a single thing (eg release tarball) that they have signed and everyone can consume directly, ensuring that everyone is using the same thing and minimizing chances for a compromised developer to ship a trojan'ed version of .NET. On the other hand, Fedora's policies state:
They also say:
In other words, Fedora (and so RHEL and CentOS Stream) cares more about the licenses of files. If appropriately open-source licensed binaries are included in a source archive, that source archive is acceptable, with the distro maintainer responsible for deleting binaries to make sure everything is built from source. But if non-open source code/binaries are included in a release, I will have no choice but to pre-process them to produce a modified source-archive and lose many benefits that I mentioned above. |
Beta Was this translation helpful? Give feedback.
-
Friendly ping for source build customers/@dotnet/distro-maintainers to please share your input. |
Beta Was this translation helpful? Give feedback.
-
Some folks may want more on the licenses we use. https://github.com/dotnet/core/blob/main/license-information.md |
Beta Was this translation helpful? Give feedback.
-
On the Canonical side, we currently do some pre-processing on our end to package every .NET release. From a .NET 8 standpoint, among other things, the pre-process git clones the source code, gathers repo info for later use by the Adding the execution of a script shipped in the VMR to strip binaries and non-OSS licenses should be easy enough. However, ideally, as @omajid said, having a signed tarball that everyone can build from not only removes any needs for pre-processing -- which, in turn, removes human error risks, as this is currently a somewhat manual process -- but also minimizes the risk of shipping a dirty build. So, if we end up not having that at first, we'd love to see an effort towards this goal. |
Beta Was this translation helpful? Give feedback.
-
Cross posting from a separate conversation with @omajid. Sharing the Debian policy on source-only tarball: https://wiki.debian.org/UpstreamGuide#Source_only_tarball "If you distribute precompiled binaries with your source code, then the |
Beta Was this translation helpful? Give feedback.
-
I expect we will need to do pre-processing on the content of the full VMR git repo to produce source drop suitable for Linux distros. I think it would be best to completely delete large Windows-specific components like WPF from the source drop for Linux distros, so that they are not a concern. The question is whether it is better for this pre-processing to execute in Microsoft eng infrastructure and the result published in some form, or whether it is easier for this pre-processing to be done as part of inserting a new .NET build into the Linux distro. |
Beta Was this translation helpful? Give feedback.
-
Thanks for all the input on this topic. #4088 tracks the implementation of what was discussed here. |
Beta Was this translation helpful? Give feedback.
-
First off, if you are unfamiliar with the Unified Build project please read the Overview.
A result of this work is that Microsoft will be building its version of .NET using the source-build infrastructure. The Microsoft builds will be including windows only components like WPF, winforms etc. which may have some non-OSS licenses. The Microsoft builds will also require some checked in binary files.
Up until this point, the source-build source (VMR and source tarballs) had always been prepped to remove binaries as well as subsections of the product repos that didn't have OSS licenses. A goal is for both the Microsoft and source-build products to build from the same source. How should we think about checked in binary files and non-oss source in this Unified Build context? Would it be acceptable for example to have checked in script that would strip out these non-permissible components for distro-maintainer scenarios that have strict requirements (e.g. no binaries, no non-OSS licences)? The idea is that distro-maintainers would run this script as one of the first steps in their build process.
TIA for your input
cc @dotnet/distro-maintainers, @mmitche, @premun, @ViktorHofer, @jkotas
Beta Was this translation helpful? Give feedback.
All reactions